
All In One WP Security and autoprotect.sh throws Duplicate location "/" error when restarting nginx

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by neverminder, Jun 4, 2018.

  1. neverminder

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit ?
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.13.12
    • PHP Version Installed: 7.2.5 (cli)
    • MariaDB MySQL Version Installed: 10.1.33
    • When was last time updated Centmin Mod code base ? : today
    • Persistent Config:
      cat /etc/centminmod/custom_config.inc
      Code:
      VHOSTCTRL_CLOUDFLAREINC='y'
      [email protected]
      ALERTEMAIL='[email protected]'
      PHP_PGO='y'
    After installing the All In One WP Security plugin and having the autoprotect.sh cron run, my website's autoprotect.conf file contains the following location / lines, which duplicate the ones in my vhost conf file:
    Code:
    location / {
      location ~ ^/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }
    Should I comment out the line in the vhost conf file, and if so, would it stay disabled after an update?
     
  2. eva2000

    Does the web root at /home/nginx/domains/domain.com/public contain a .htaccess file? What are its contents?

    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess 'deny from all' type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get an auto-generated Nginx equivalent location match and deny all setup, except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.
     
  3. neverminder

    Bypassing the root .htaccess is not an option, as it would render most of the AIO firewall useless:
    Code:
    # BEGIN All In One WP Security
    #AIOWPS_BLOCK_WP_FILE_ACCESS_START
    <Files license.txt>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    <Files wp-config-sample.php>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    <Files readme.html>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_BLOCK_WP_FILE_ACCESS_END
    #AIOWPS_PINGBACK_HTACCESS_RULES_START
    <Files xmlrpc.php>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_PINGBACK_HTACCESS_RULES_END
    #AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_START
    <Files debug.log>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_DEBUG_LOG_BLOCK_HTACCESS_RULES_END
    #AIOWPS_DISABLE_INDEX_VIEWS_START
    Options -Indexes
    #AIOWPS_DISABLE_INDEX_VIEWS_END
    #AIOWPS_DISABLE_TRACE_TRACK_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    </IfModule>
    #AIOWPS_DISABLE_TRACE_TRACK_END
    #AIOWPS_DENY_BAD_QUERY_STRINGS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ftp:     [NC,OR]
    RewriteCond %{QUERY_STRING} http:    [NC,OR]
    RewriteCond %{QUERY_STRING} https:   [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} (\;|'|\"|%22).*(request|insert|union|declare|drop) [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>
    #AIOWPS_DENY_BAD_QUERY_STRINGS_END
    #AIOWPS_ADVANCED_CHAR_STRING_FILTER_START
    <IfModule mod_alias.c>
    RedirectMatch 403 \,
    RedirectMatch 403 \:
    RedirectMatch 403 \;
    RedirectMatch 403 \=
    RedirectMatch 403 \[
    RedirectMatch 403 \]
    RedirectMatch 403 \^
    RedirectMatch 403 \`
    RedirectMatch 403 \{
    RedirectMatch 403 \}
    RedirectMatch 403 \~
    RedirectMatch 403 \"
    RedirectMatch 403 \$
    RedirectMatch 403 \<
    RedirectMatch 403 \>
    RedirectMatch 403 \|
    RedirectMatch 403 \.\.
    RedirectMatch 403 \%0
    RedirectMatch 403 \%A
    RedirectMatch 403 \%B
    RedirectMatch 403 \%C
    RedirectMatch 403 \%D
    RedirectMatch 403 \%E
    RedirectMatch 403 \%F
    RedirectMatch 403 \%22
    RedirectMatch 403 \%27
    RedirectMatch 403 \%28
    RedirectMatch 403 \%29
    RedirectMatch 403 \%3C
    RedirectMatch 403 \%3E
    RedirectMatch 403 \%3F
    RedirectMatch 403 \%5B
    RedirectMatch 403 \%5C
    RedirectMatch 403 \%5D
    RedirectMatch 403 \%7B
    RedirectMatch 403 \%7C
    RedirectMatch 403 \%7D
    # COMMON PATTERNS
    Redirectmatch 403 \_vpi
    RedirectMatch 403 \.inc
    Redirectmatch 403 xAou6
    Redirectmatch 403 db\_name
    Redirectmatch 403 select\(
    Redirectmatch 403 convert\(
    Redirectmatch 403 \/query\/
    RedirectMatch 403 ImpEvData
    Redirectmatch 403 \.XMLHTTP
    Redirectmatch 403 proxydeny
    RedirectMatch 403 function\.
    Redirectmatch 403 remoteFile
    Redirectmatch 403 servername
    Redirectmatch 403 \&rptmode\=
    Redirectmatch 403 sys\_cpanel
    RedirectMatch 403 db\_connect
    RedirectMatch 403 doeditconfig
    RedirectMatch 403 check\_proxy
    Redirectmatch 403 system\_user
    Redirectmatch 403 \/\(null\)\/
    Redirectmatch 403 clientrequest
    Redirectmatch 403 option\_value
    RedirectMatch 403 ref\.outcontrol
    # SPECIFIC EXPLOITS
    RedirectMatch 403 errors\.
    RedirectMatch 403 config\.
    RedirectMatch 403 include\.
    RedirectMatch 403 display\.
    RedirectMatch 403 register\.
    Redirectmatch 403 password\.
    RedirectMatch 403 maincore\.
    RedirectMatch 403 authorize\.
    Redirectmatch 403 macromates\.
    RedirectMatch 403 head\_auth\.
    RedirectMatch 403 submit\_links\.
    RedirectMatch 403 change\_action\.
    Redirectmatch 403 com\_facileforms\/
    RedirectMatch 403 admin\_db\_utilities\.
    RedirectMatch 403 admin\.webring\.docs\.
    Redirectmatch 403 Table\/Latest\/index\.
    </IfModule>
    #AIOWPS_ADVANCED_CHAR_STRING_FILTER_END
    #AIOWPS_SIX_G_BLACKLIST_START
    # 6G FIREWALL/BLACKLIST
    # @ https://perishablepress.com/6g/
    
    # 6G:[QUERY STRINGS]
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
    RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
    RewriteCond %{QUERY_STRING} ('|\")(.*)(drop|insert|md5|select|union) [NC]
    RewriteRule .* - [F]
    </IfModule>
    
    # 6G:[REQUEST METHOD]
    <IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
    RewriteRule .* - [F]
    </IfModule>
    
    # 6G:[REFERRERS]
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
    RewriteRule .* - [F]
    </IfModule>
    
    # 6G:[REQUEST STRINGS]
    <IfModule mod_alias.c>
    RedirectMatch 403 (?i)([a-z0-9]{2000,})
    RedirectMatch 403 (?i)(https?|ftp|php):/
    RedirectMatch 403 (?i)(base64_encode)(.*)(\()
    RedirectMatch 403 (?i)(=\'|=\%27|/\'/?)\.
    RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
    RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\"\\")
    RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\|\s|\{|\}|\[|\]|\|)
    RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
    RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
    RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
    RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
    </IfModule>
    
    # 6G:[USER AGENTS]
    <IfModule mod_setenvif.c>
    SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
    SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
    
    # Apache < 2.3
    <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    </IfModule>
    
    # Apache >= 2.3
    <IfModule mod_authz_core.c>
    <RequireAll>
    Require all Granted
    Require not env bad_bot
    </RequireAll>
    </IfModule>
    </IfModule>
    #AIOWPS_SIX_G_BLACKLIST_END
    #AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_START
    RewriteEngine On
    RewriteCond %{REQUEST_URI} (wp-admin|wp-login)
    RewriteCond %{REQUEST_URI} !(wp-admin/admin-ajax.php)
    RewriteRule .* http://127.0.0.1 [L]
    #AIOWPS_ENABLE_BRUTE_FORCE_PREVENTION_END
    #AIOWPS_BLOCK_SPAMBOTS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$
    RewriteCond %{HTTP_REFERER} !^http(s)?://domain\.com [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* http://127.0.0.1 [L]
    </IfModule>
    #AIOWPS_BLOCK_SPAMBOTS_END
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://domain\.com [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
    </IfModule>
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_END
    # END All In One WP Security
     
  4. eva2000

    Nginx doesn't support .htaccess, so that .htaccess file on Nginx is useless, and hence why autoprotect.sh exists: to try to auto-convert .htaccess rules to nginx versions. In this case that is why you get duplicate web root locations, as autoprotect.sh converted your web root / location incorrectly.

    The easiest thing to do is delete the .htaccess file, as Nginx doesn't support it and ignores it totally.
     
  5. neverminder

    I didn't make myself clear, sorry. Everything that autoprotect.sh rendered in its conf file for that domain is useful (in my opinion), so bypassing the .htaccess would ignore those lines, and they wouldn't appear in the autoprotect.conf file, am I right? I want that protection in place, not ignored. But I also need to avoid the "duplicate location" conflict.
     
  6. eva2000

    Yup, if you set up the bypass file and re-run tools/autoprotect.sh manually once, then those conflicting rules won't show up in the autoprotect config file for the domain.
     
  7. neverminder

    But I NEED them to show up! That's the whole point of the firewall. The question is how to eliminate (or combine) the duplicate lines.
     
  8. eva2000

    They won't have any effect. Nginx doesn't support Apache mod_rewrite or Apache .htaccess files, so WordPress, and thus nginx, will ignore anything in .htaccess files. On Nginx servers, deleting the .htaccess is the same as having the .htaccess on the server: no use at all, and ignored by Nginx and any web app/scripts.
     
  9. neverminder

    autoprotect.sh "translates" the .htaccess into nginx "language", right? So I need that "translation"! If I tell it to ignore the .htaccess in the root directory, how can I have those lines in autoprotect.conf? It's simple, really: I need those lines in autoprotect_domain.conf, but I have to combine the two "location /" instances (from the autoprotect and vhost conf files).
     
  10. eva2000

    autoprotect.sh only translates one specific .htaccess rule, the deny all rule, which means block every visitor from accessing the directory or file and give a 403 permission denied. It's for security, to give Centmin Mod Nginx users a heads up.

    The autoprotect.sh issues or 403 permission denied errors folks get are basically autoprotect.sh saying: 'hey, you just uploaded some scripts or files/directories and some contain a .htaccess file with deny all text inside it. This means the script's author intended to block and prevent public access for that file/directory and assumed the script user is using the Apache web server, which supports .htaccess. But you're using Centmin Mod Nginx, which ignores .htaccess, so WARNING: your script needs a second look at proper nginx rules in your nginx vhost to account for what the script's author intended for the .htaccess. Right now you're possibly allowing access to files/directories etc. which the script's author never intended for public consumption'.

    So autoprotect.sh won't work for translating your specific .htaccess. You need to contact the script's author and ask if they have equivalent rules for nginx web servers.

    FYI, though, some of those .htaccess rules are already in the centmin.sh menu option 22 installer for WordPress via the wpsecure include file. And some can be replicated by implementing bad bot rate/limit blocking via Security - Blocking bad or aggressive bots or Security - Nginx Ultimate Bad Block Blocker.
     
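    To make the behaviour discussed above concrete, here is an added illustrative script (not Centmin Mod's own tools/autoprotect.sh) that does the one translation described: each directory under the web root whose .htaccess contains "deny from all" becomes an nginx `deny all` location, a `.autoprotect-bypass` marker opts a directory out, and the web root itself is skipped so no second `location /` is generated to clash with the vhost. Paths and the sample tree are constructed for the demo.

```shell
#!/bin/sh
# Illustrative re-implementation of the translation the thread describes; this is
# NOT Centmin Mod's tools/autoprotect.sh. Only ".htaccess" files containing a
# "deny from all" rule are translated, and only into "location ... { deny all; }".
# Two guards a defender wants:
#   - a ".autoprotect-bypass" marker next to the .htaccess skips that directory
#   - the web root itself is never emitted: "location /" already lives in the
#     vhost, and nginx refuses to start on a duplicate location.

# gen_autoprotect WEBROOT  -> prints nginx location blocks to stdout
gen_autoprotect() {
  webroot=$(cd "$1" && pwd) || return 1
  find "$webroot" -type f -name .htaccess | while read -r ht; do
    dir=$(dirname "$ht")
    # Only the "deny from all" rule is translated, as the thread explains.
    if ! grep -qi 'deny from all' "$ht"; then
      continue
    fi
    # Manual opt-out marker for directories that must stay reachable.
    if [ -e "$dir/.autoprotect-bypass" ]; then
      continue
    fi
    rel=${dir#"$webroot"}
    # A root-level .htaccess would yield "location /" and break nginx -t.
    if [ -z "$rel" ]; then
      continue
    fi
    printf 'location %s/ { deny all; }\n' "$rel"
  done
}

# Constructed sample tree for a stand-alone run (hypothetical layout).
demo_autoprotect() {
  root=$(mktemp -d)
  mkdir -p "$root/private" "$root/cache" "$root/public-assets"
  printf 'Deny from all\n' > "$root/.htaccess"                  # web root: skipped
  printf 'Order deny,allow\nDeny from all\n' > "$root/private/.htaccess"
  printf 'Deny from all\n' > "$root/cache/.htaccess"
  : > "$root/cache/.autoprotect-bypass"                         # opted out
  printf 'Options -Indexes\n' > "$root/public-assets/.htaccess" # no deny rule
  gen_autoprotect "$root"
  rm -rf "$root"
}
```

Running `demo_autoprotect` prints only the `/private/` block; the root .htaccess, the bypassed cache directory and the assets directory without a deny rule produce nothing.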
  11. neverminder

    OK, I got it now, thank you! So, basically, I have to deactivate AIO WP Security until proper nginx support is provided on their part.
     
  12. eva2000