Wordpress Akismet JS and CSS - Forbidden?

Discussion in 'Blogs & CMS usage' started by GamerJota, Jul 19, 2016.

  1. GamerJota

    GamerJota Member

    49
    7
    8
    Mar 1, 2016
    Ratings:
    +18
    Local Time:
    1:14 AM
    Hey there guys!


    I'm trying to figure out why the JS and CSS of Akismet are getting blocked, I can't find the rule!
    I'm running a vanilla Centminmod 123.09beta1, I haven't touched the nginx configuration files for this domain.

    Code:
    [error] 29472#29472: *172 access forbidden by rule, client: [CLIENT IP], server: [SERVER], request: "GET /wp-content/plugins/akismet/_inc/akismet.css?ver=3.1.11 HTTP/1.1", host: "[HOST]", referrer: "http://[HOST]/wp-admin/index.php"
    I tried commenting out the wpsecure_[DOMAIN].conf nginx include but still getting the same!
    What rule could be blocking it?

    Cheers!
     
  2. eva2000

    eva2000 Administrator Staff Member

    53,153
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    2:14 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Got any security plugins installed? How was WordPress installed?

    Output for the wp-cli commands below?
    Code (Text):
    cd /home/nginx/domains/yourdomain.com/public
    /usr/bin/wp plugin status --allow-root
    

    if wp-cli isn't installed, you can install it via
    Code (Text):
    wget -cnv --no-check-certificate https://raw.github.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -O /usr/bin/wp --tries=3
    chmod 0700 /usr/bin/wp
    /usr/bin/wp --info --allow-root
    
     
  3. eva2000

    eva2000 Administrator Staff Member

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get the outputted path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self-signed SSL).
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
     
  4. GamerJota

    GamerJota Member

    Hey there eva2000!

    I got "Wordfence Security" installed, tried again by disabling it but still getting access forbidden.

    WordPress was installed through option 22 of centminmod menu (Add Wordpress Nginx vhost + Cache Plugin).

    This is the output for the plugin status:
    Code:
    37 installed plugins:
      A accesspress-social-counter 1.5.9
      A admin-color-schemes        2.2
      A akismet                    3.1.11
      A amp                        0.3.2
      A attachment-pages-redirect  1.0
      A cache-enabler              1.1.0
      A cloudflare                 1.3.24
      A contact-form-7             4.4.2
      A disable-xml-rpc            1.0.1
      A duplicate-post             2.6
      A easy-fancybox              1.5.7
      A insert-headers-and-footers 1.3.3
      A fb-instant-articles        3.0.1
      A jetpack                    4.1.1
      A mikado-core                1.0
      A mikado-instagram-feed      1.0
      A mikado-twitter-feed        1.0
      A page-links-to              2.9.6
      A regenerate-thumbnails      2.2.6
      A revslider                  5.2.6
      A tinymce-advanced           4.3.10.1
      A user-role-editor           4.26.1
      A vaultpress                 1.8.3
      A white-label-cms            1.5.7
      A widget-clone               1.1
      I wordfence                  6.1.10
      A wp-mail-smtp               0.9.5
      A js_composer                4.12
      A wp-bitly                   2.3.2
      A wp-gallery-custom-links    1.11
      A wpml-cms-nav               1.4.19
      A sitepress-multilingual-cms 3.4.1
      A wpml-sticky-links          1.3.19
      A wpml-string-translation    2.3.9
      A wpml-widgets               1.0.4
      A wordpress-seo              3.3.4
      A wpseo-news                 3.3
    
    Legend: A = Active, I = Inactive
    Content of vhost conf files:
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    server {
                listen   80;
                server_name [SERVER NAME];
                return 301 http://[DOMAIN]$request_uri;
           }
    
    server {
     
      server_name [SERVER NAME];
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/[DOMAIN]/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/[DOMAIN]/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/[DOMAIN]/autoprotect-[DOMAIN].conf;
      root /home/nginx/domains/[DOMAIN]/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
       deny all;
      }
    
      include /usr/local/nginx/conf/wpincludes/[DOMAIN]/wpcacheenabler_[DOMAIN].conf;
      #include /usr/local/nginx/conf/wpincludes/[DOMAIN]/wpsupercache_[DOMAIN].conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/wpincludes/[DOMAIN]/rediscache_[DOMAIN].conf; 
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
     
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    
      # Wordpress Permalinks
      #try_files $uri $uri/ /index.php?q=$uri&$args; 
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
      #try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        #auth_basic "Private";
        #auth_basic_user_file /home/nginx/domains/[DOMAIN]/htpasswd_wplogin;   
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        #include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      #include /usr/local/nginx/conf/wpincludes/[DOMAIN]/wpsecure_[DOMAIN].conf;
      include /usr/local/nginx/conf/php-wpsc.conf;
      # https://community.centminmod.com/posts/18828/
      #include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    The SSL one is identical except for the SSL configuration.

    Finally I just noticed it also happens with the Akismet "form" JS:
    Code:
    2016/07/18 17:47:05 [error] 29473#29473: *1950 access forbidden by rule, client: [CLIENT IP], server: [SERVER], request: "GET /wp-content/plugins/akismet/_inc/form.js?ver=3.1.11 HTTP/1.1", host: "[HOST]", referrer: "http://[DOMAIN]/[CENSORED]/"
    Thank you for looking into it :)
     
  5. eva2000

    eva2000 Administrator Staff Member

    Contents of /usr/local/nginx/conf/autoprotect/[DOMAIN]/autoprotect-[DOMAIN].conf ?
     
  6. GamerJota

    GamerJota Member

    Oh, well... What the..?

    Code:
    # /home/nginx/domains/[DOMAIN]/public/wp-content/plugins/akismet
    location ~* ^/wp-content/plugins/akismet/ { deny all; }
    # /home/nginx/domains/[DOMAIN]/public/wp-content/wflogs
    location ~* ^/wp-content/wflogs/ { deny all; }
    
    Is this auto-generated? How can I prevent it?
     
  7. eva2000

    eva2000 Administrator Staff Member

    tools/autoprotect.sh is auto configured to preemptively try to protect and secure any Centmin Mod setup nginx site's web app: .htaccess "deny from all" files get auto converted to nginx "deny all" rewrites. See Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community

    And how to disable autoprotect.sh for specific directories via a .autoprotect-bypass file dropped into directories at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community

    Without the autoprotect.sh script on nginx servers you are wide open security-wise, as the author of the web app (in this case Akismet) intended the directory to be "deny from all", non-publicly accessible. Nginx doesn't support .htaccess files, so those directories would be insecure as defined and intended by the developer (Akismet) :)

    No other nginx stack like Centmin Mod 123.09beta01 tries to secure you regardless of what web app files you upload to your site, via auto .htaccess "deny from all" conversion to nginx "deny all" rewrites :)
     
  8. eva2000

    eva2000 Administrator Staff Member

  9. GamerJota

    GamerJota Member

    Thank you man! There we go!
    Also... I just checked out the .htaccess of Akismet:

    Code:
    # Only allow direct access to specific Web-available files.
    
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
    
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    
    # Akismet CSS and JS
    <FilesMatch "^(form|akismet)\.(css|js)$">
        <IfModule !mod_authz_core.c>
            Allow from all
        </IfModule>
      
        <IfModule mod_authz_core.c>
            Require all granted
        </IfModule>
    </FilesMatch>
    
    # Akismet images
    <FilesMatch "^(.+)\.(png|gif)$">
        <IfModule !mod_authz_core.c>
            Allow from all
        </IfModule>
      
        <IfModule mod_authz_core.c>
            Require all granted
        </IfModule>
    </FilesMatch>
    I believe auto-protect is not converting this one completely correctly.
     
  10. eva2000

    eva2000 Administrator Staff Member

    Only basic conversion: tools/autoprotect.sh just looks for .htaccess files with 'Deny from all' to convert, nothing else right now.

    Guess I could try to check the .htaccess for the existence of 'Allow from all' in the file too and auto skip it from conversion.
     
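The conversion gap described in posts 7 and 10 (only a blanket 'Deny from all' is converted, so the FilesMatch allowances in Akismet's .htaccess from post 9 are dropped) can be closed by emitting each allowance as a regex location placed ahead of the blanket deny, since nginx takes the first matching regex location. The Python below is an added example written for this thread, not Centmin Mod's tools/autoprotect.sh or Akismet's code. It embeds a constructed copy of the Akismet .htaccess quoted above plus a deny-only one like wflogs, treats `<IfModule>` wrappers as transparent (the Apache 2.2 and 2.4 directives express the same intent), and checks the produced rules with a small first-match-wins simulation of nginx regex locations. The `try_files $uri =404;` body for allowed files and the URL paths are assumptions for the example.

```python
"""Convert an Apache .htaccess under a web root directory into ordered nginx
location rules, preserving FilesMatch allowances. Added example for the thread,
not autoprotect.sh itself."""
import re
from typing import List, Optional, Tuple

# Constructed copy of the Akismet .htaccess quoted in the thread.
AKISMET_HTACCESS = r"""
# Only allow direct access to specific Web-available files.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<FilesMatch "^(form|akismet)\.(css|js)$">
    <IfModule !mod_authz_core.c>
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</FilesMatch>
<FilesMatch "^(.+)\.(png|gif)$">
    <IfModule !mod_authz_core.c>
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</FilesMatch>
"""

# Constructed deny-only .htaccess, the shape autoprotect.sh already handles.
DENY_ONLY_HTACCESS = "Order Deny,Allow\nDeny from all\n"

DENY_DIRECTIVES = {"deny from all", "require all denied"}
ALLOW_DIRECTIVES = {"allow from all", "require all granted"}

Rule = Tuple[str, str]  # (nginx regex, "allow" | "deny")


def parse_htaccess(text: str) -> Tuple[bool, List[str]]:
    """Return (blanket_deny, allow_patterns).

    blanket_deny is True when a deny-all sits outside any <FilesMatch>;
    allow_patterns holds the FilesMatch regexes that re-grant access.
    <IfModule> blocks are ignored: both syntaxes carry the same intent.
    """
    blanket_deny = False
    allow_patterns: List[str] = []
    current: Optional[str] = None  # FilesMatch pattern currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<FilesMatch\s+"([^"]+)"\s*>', line, re.IGNORECASE)
        if opened:
            current = opened.group(1)
            continue
        if re.match(r"</FilesMatch>", line, re.IGNORECASE):
            current = None
            continue
        directive = " ".join(line.lower().split())
        if current is None:
            if directive in DENY_DIRECTIVES:
                blanket_deny = True
            elif directive in ALLOW_DIRECTIVES:
                blanket_deny = False  # a top-level allow-all undoes the deny
        elif directive in ALLOW_DIRECTIVES and current not in allow_patterns:
            allow_patterns.append(current)
    return blanket_deny, allow_patterns


def to_nginx(url_dir: str, blanket_deny: bool, allow_patterns: List[str]) -> List[Rule]:
    """Build ordered rules for the directory served at URL path url_dir.

    Allowances come first because nginx uses the first matching regex
    location. FilesMatch tests the basename in the directory and all of its
    subdirectories (e.g. _inc/akismet.css), hence the optional (?:.*/)? part.
    """
    if not blanket_deny:
        return []  # nothing to protect, so emit nothing
    prefix = "^" + url_dir.rstrip("/").replace(".", r"\.") + "/"
    rules: List[Rule] = []
    for pat in allow_patterns:
        # Anchored patterns attach right after the directory; unanchored ones
        # may match anywhere in the basename, like Apache does.
        body = pat[1:] if pat.startswith("^") else "[^/]*" + pat
        rules.append((prefix + "(?:.*/)?" + body, "allow"))
    rules.append((prefix, "deny"))
    return rules


def render(rules: List[Rule]) -> List[str]:
    """Render rules in the one-line location style autoprotect.sh emits."""
    out = []
    for regex, action in rules:
        body = "deny all;" if action == "deny" else "try_files $uri =404;"
        out.append(f"location ~* {regex} {{ {body} }}")
    return out


def decide(rules: List[Rule], request_path: str) -> str:
    """Mimic nginx regex-location selection: first match wins, ~* is
    case-insensitive. 'pass' means no rule matched and the request falls
    through to the vhost's other locations."""
    for regex, action in rules:
        if re.search(regex, request_path, re.IGNORECASE):
            return action
    return "pass"


def convert(url_dir: str, htaccess_text: str) -> List[Rule]:
    blanket, allows = parse_htaccess(htaccess_text)
    return to_nginx(url_dir, blanket, allows)


if __name__ == "__main__":
    rules = convert("/wp-content/plugins/akismet", AKISMET_HTACCESS)
    print("\n".join(render(rules)))
    for path in ("/wp-content/plugins/akismet/_inc/akismet.css",
                 "/wp-content/plugins/akismet/akismet.php"):
        print(path, "->", decide(rules, path))
```

For the deny-only input the output is the single `location ~* ^/wp-content/wflogs/ { deny all; }` line already seen in post 6; for the Akismet input the two allow locations are emitted before the deny, so `_inc/akismet.css` and `_inc/form.js` are served while `akismet.php` stays forbidden. Because these allow locations are matched before the vhost's later static-file includes, any expires or caching headers from those includes would not apply to the allowed files unless added to the allow body.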
  11. GamerJota

    GamerJota Member

    I see! Just a simple manual "fix" for now then. Keep up the good job man, thank you :)
     
  12. eva2000

    eva2000 Administrator Staff Member
