
Wordpress Allow JS file to execute

Discussion in 'Blogs & CMS usage' started by Fernando, Jul 10, 2018.

  1. Fernando

    Fernando Member

    44
    8
    8
    Jul 21, 2017
    Ratings:
    +12
    Local Time:
    5:12 AM
    1.13.3
    10.1.25
    Hi,

    I'm getting the following error in the Browser Error Console when I'm in Wordpress Admin:

    GET /home/nginx/domains/xxxxxxx.com/public/wp-content/plugins/classiera-locations/js/classiera-locations.js?ver=4.9.7 (404)

    I'm not sure how I can allow all the files in /home/nginx/domains/xxxxxxx.com/public/wp-content/plugins/classiera-locations/js/ to execute; they are only JavaScript files.

    Additionally, if I set add_header X-Content-Type-Options "nosniff" always; then the MIME type is set to text/html. Is there a way to specify that the MIME type is application/javascript for the location /home/nginx/domains/xxxxxxx.com/public/wp-content/plugins/classiera-locations/js/, so I can continue using X-Content-Type-Options "nosniff" always; instead of disabling it?

    Thank you,
    Best Regards
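The nosniff question in this post is worth separating from the 404. As an added example (not from the thread or from Centmin Mod), here is a POSIX shell function that takes the raw response headers for a script URL, as curl -sI would print them, and says what a browser would do with the response. The three header sets are constructed samples: the thread's 404, a healthy file, and a mistyped one. What it shows: with a non-200 status nothing executes, and the text/html Content-Type belongs to the error page, not to the .js file; X-Content-Type-Options: nosniff only comes into play on a 200 whose Content-Type is not a JavaScript type. nginx's stock mime.types maps .js to application/javascript, so once the file is actually found under the staticfiles.conf js location it keeps a JavaScript type with nosniff left on.

```shell
#!/bin/sh
# Added example (not from the thread or Centmin Mod): classify a script
# response from its headers, the way a browser with nosniff would treat it.
# Input: the raw response headers of one request (e.g. output of curl -sI URL).
# Output on stdout, one of:
#   ok                       200 with a JavaScript Content-Type
#   not-served:<code>        non-200 status; the body is an error page
#   blocked-by-nosniff:<ct>  200, non-JS type, nosniff set: browser refuses it
#   sniffable:<ct>           200, non-JS type, no nosniff: browser may guess
script_response_verdict() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')   # strip CRLF line endings
    code=$(printf '%s\n' "$headers" | sed -nE '1s#^HTTP/[0-9.]+ ([0-9]{3}).*#\1#p')
    ctype=$(printf '%s\n' "$headers" \
        | sed -nE 's/^[Cc]ontent-[Tt]ype:[[:space:]]*([^;[:space:]]+).*/\1/p' | head -n 1)
    if printf '%s\n' "$headers" | grep -Eiq '^x-content-type-options:[[:space:]]*nosniff'; then
        nosniff=1
    else
        nosniff=0
    fi

    # Anything but 200 is an error page, whatever the URL's extension was.
    if [ "$code" != "200" ]; then
        printf 'not-served:%s\n' "${code:-unknown}"
        return 1
    fi
    case "$ctype" in
        application/javascript|text/javascript|application/x-javascript|application/ecmascript|text/ecmascript)
            printf 'ok\n'
            return 0 ;;
    esac
    # 200 with a non-JS type: nosniff makes the mismatch fatal instead of guessable.
    if [ "$nosniff" -eq 1 ]; then
        printf 'blocked-by-nosniff:%s\n' "$ctype"
    else
        printf 'sniffable:%s\n' "$ctype"
    fi
    return 1
}

# Constructed sample responses: the thread's 404, a healthy file, a mistyped file.
MISSING_JS='HTTP/2 404
server: nginx
content-type: text/html
x-content-type-options: nosniff'

FOUND_JS='HTTP/2 200
server: nginx
content-type: application/javascript
x-content-type-options: nosniff'

MISTYPED_JS='HTTP/2 200
server: nginx
content-type: text/plain
x-content-type-options: nosniff'

for h in "$MISSING_JS" "$FOUND_JS" "$MISTYPED_JS"; do
    script_response_verdict "$h" || true
done
```

On a live server the function would be fed with something like script_response_verdict "$(curl -sI https://www.domain.com/wp-content/plugins/classiera-locations/js/classiera-locations.js)"; a not-served:404 verdict means the header question is moot until the file is found.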
     
  2. eva2000

    eva2000 Administrator Staff Member

    36,877
    8,074
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,434
    Local Time:
    9:12 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Example of where you added add_header in the vhost? Text files like css, js and html have their location contexts contained in a global include file in each nginx vhost at /usr/local/nginx/conf/staticfiles.conf; you would want to add add_header to those location contexts instead.

    For example, the js location context in the staticfiles.conf include also has your nosniff option placed there, just commented out, ready for you to uncomment/use:
    Code (Text):
    location ~* \.(js)$ {
      #add_header Pragma public;
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      add_header Access-Control-Allow-Origin *;
      add_header Cache-Control "public, must-revalidate, proxy-revalidate, immutable, stale-while-revalidate=86400, stale-if-error=604800";
      access_log off;
      expires 30d;
      break;
    }

    404 = not found, so the file doesn't exist? Does it exist at that location?

    Maybe it's caught in the autoprotect.sh include file?

    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess 'deny from all' type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get an auto-generated Nginx equivalent location match and deny all setup, except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have falsely caught some folks' web apps, and the workarounds or improvements made to autoprotect.sh with the help of users' feedback and troubleshooting.
    Check if your nginx vhost at either or both /usr/local/nginx/conf/conf.d/domain.com.conf and/or /usr/local/nginx/conf/conf.d/domain.com.ssl.conf has the include file for autoprotect, for example:
    Code (Text):
    include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
    

    See if the directory for the script which has issues is caught in an autoprotect include entry in /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf which has a deny all entry:
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    

    i.e.
    Code (Text):
    # /home/nginx/domains/domain.com/public/subdirectory/js
    location ~* ^/subdirectory/js/ { allow 127.0.0.1; deny all; }
    

    If caught, you can whitelist it via the autoprotect bypass .autoprotect-bypass file - details below here. So if the problem js file is at domain.com/subdirectory/js/file.js then it is likely /subdirectory/js has a .htaccess with deny all in it - make sure that directory is meant to be publicly accessible by contacting the author of the script and, if so, you can whitelist it and re-run the autoprotect script to regenerate your /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file:
    Code (Text):
    cd /home/nginx/domains/domain.com/public/subdirectory/js
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    nprestart
    

    It may be that you also need to whitelist /subdirectory; then it would be as follows, creating bypass files at /home/nginx/domains/domain.com/public/subdirectory/.autoprotect-bypass and /home/nginx/domains/domain.com/public/subdirectory/js/.autoprotect-bypass:
    Code (Text):
    cd /home/nginx/domains/domain.com/public/subdirectory/
    touch .autoprotect-bypass
    cd /home/nginx/domains/domain.com/public/subdirectory/js
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    nprestart
    

    Then double check to see if the updated /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file now doesn't show an entry for /subdirectory/js.
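The two checks in this post (is the directory listed in the autoprotect include, and is it gone from the regenerated include after a bypass) can be scripted. The following is an added example, not part of the post and not Centmin Mod's tools/autoprotect.sh: a POSIX shell function that reads an autoprotect include file, pulls out each deny-all location regex and tests a request path against it the way nginx would (case-insensitively for ~*). grep's ERE stands in for nginx's PCRE, which is adequate for the simple ^/path/ anchors shown above. The include file in the block is constructed to match the entry format shown in the post. Run it before creating .autoprotect-bypass to confirm the path is really caught, and again after re-running autoprotect.sh and nprestart to confirm the entry is gone.

```shell
#!/bin/sh
# Added example (not Centmin Mod's own tooling): check whether a request path
# is caught by a deny-all entry in an autoprotect include file before (and
# after) creating a .autoprotect-bypass marker.
#
# Usage: autoprotect_caught <autoprotect-include.conf> <uri-path>
# Prints the matching location regex and returns 0 if the path is denied,
# prints nothing and returns 1 otherwise.
autoprotect_caught() {
    conf="$1"
    uri="$2"
    # Entries have the form shown in the thread:
    #   location ~* ^/subdirectory/js/ { allow 127.0.0.1; deny all; }
    # Keep the match operator (~ or ~*) and the regex of each deny-all line.
    entries=$(sed -nE 's/^[[:space:]]*location[[:space:]]+(~\*?)[[:space:]]+([^[:space:]{]+)[[:space:]]*\{.*deny all.*/\1 \2/p' "$conf")
    while read -r op re; do
        [ -n "$re" ] || continue
        if [ "$op" = '~*' ]; then
            flags='-Eiq'     # ~* is a case-insensitive match in nginx
        else
            flags='-Eq'
        fi
        if printf '%s\n' "$uri" | grep $flags -- "$re"; then
            printf '%s\n' "$re"
            return 0
        fi
    done <<EOF
$entries
EOF
    return 1
}

# Constructed sample include, modelled on the entries autoprotect.sh writes.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# /home/nginx/domains/domain.com/public/subdirectory/js
location ~* ^/subdirectory/js/ { allow 127.0.0.1; deny all; }
# /home/nginx/domains/domain.com/public/vendor/private
location ~* ^/vendor/private/ { allow 127.0.0.1; deny all; }
EOF

# The plugin path from the thread is deliberately absent from the sample, which
# is the situation the thread ends up in: autoprotect is not the cause.
for uri in /subdirectory/js/file.js /SubDirectory/JS/file.js \
           /wp-content/plugins/classiera-locations/js/classiera-locations.js; do
    if hit=$(autoprotect_caught "$SAMPLE_CONF" "$uri"); then
        echo "$uri: denied by autoprotect entry $hit (bypass only if the directory must be public)"
    else
        echo "$uri: not covered by autoprotect, look elsewhere for the 404"
    fi
done
```

On a real vhost the first argument is /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf and the second is the path from the browser's failing GET.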
     
  3. Fernando

    Fernando Member

    Hi,

    As always thank you for your help :)

    I didn't know I could add the add_header to /usr/local/nginx/conf/staticfiles.conf; that's great to know.

    The biggest problem is the 404: the file does exist, and I checked /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf and there's no entry for the plugin.

    /home/nginx/domains/xxxxxxx.com/public/wp-content/plugins/classiera-locations/js/classiera-locations.js?ver=4.9.7 is a custom plugin that was created by the theme owner, but I still don't know how to exclude the directory /wp-content/plugins/classiera-locations/js or /wp-content/plugins/classiera-locations/ so it doesn't return the 404.

    I tried the .autoprotect-bypass file; however, it didn't work, and it's probably because it's not even included in /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf.

    Is there any other place where I can bypass /wp-content/plugins/classiera-locations/js?

    Do I need to add something manually to /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf to allow both JS files from /wp-content/plugins/classiera-locations/js/?

    Thank you,
    Best Regards
     
  4. eva2000

    eva2000 Administrator Staff Member

    Try ruling out autoprotect completely by commenting out the include file /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    Code (Text):
    #include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
    

    and restarting nginx:
    Code (Text):
    ngxrestart
    

    If it's still a 404, then it's not related to autoprotect.sh.
     
  5. Fernando

    Fernando Member

    Hi,

    Thank you, and sorry for not adding the code tags; I'm in the Linode console because I can't access the server from any other place at this moment.

    I added:
    #include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;

    Then:
    ngxrestart

    But it is still failing, so I agree autoprotect is not the issue. However, there's something really strange: looking at domain.com/log/error.log I see:

    open() "/home/nginx/domains/domain.com/public/home/nginx/domains/domain.com/public/wp-content/...." No such file or directory

    That open() call is wrong: it's adding /home/nginx/domains/domain.com/public twice. I have no idea where that's coming from; I don't have any rewrite or anything like that.

    Thank you again for your help!
    Best Regards
     
  6. Fernando

    Fernando Member

    This is the entire domain.com.ssl.conf, in case that is needed.
    Thank you!

    Code:
    cat domain.com.ssl.conf

    #x# HTTPS-DEFAULT
    server {
      listen 80;
      listen [::]:80;
      server_name domain.com www.domain.com;
      return 302 https://www.domain.com$request_uri;
      include /usr/local/nginx/conf/staticfiles.conf;
    }

    server {
      listen 443;
      server_name domain.com;
      return 302 https://www.domain.com$request_uri;
      #ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    }

    server {
      listen 443 ssl http2;
      server_name www.domain.com;
      include /usr/local/nginx/conf/ssl/domain.com/domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;

      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
      #ssl_verify_client on;
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers on;
      #add_header Alternate-Protocol  443:npn-spdy/3;

      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      add_header Referrer-Policy "strict-origin-when-cross-origin";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;

      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;

      # ngx_pagespeed & ngx_pagespeed handler
      #include /usr/local/nginx/conf/pagespeed.conf;
      #include /usr/local/nginx/conf/pagespeedhandler.conf;
      #include /usr/local/nginx/conf/pagespeedstatslog.conf;

      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";

      # limit_conn limit_per_ip 16;
      # ssi  on;

      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;

      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;

      #include /usr/local/nginx/conf/wpincludes/domain.com/wpcacheenabler_domain.com.conf;
      #include /usr/local/nginx/conf/wpincludes/domain.com/wpsupercache_domain.com.conf;
      # https://community.centminmod.com/posts/18828/
      include /usr/local/nginx/conf/wpincludes/domain.com/rediscache_domain.com.conf;

      # Bad Bot Blocker
      include /usr/local/nginx/conf/ultimate-badbot-blocker/bots.d/ddos.conf;
      include /usr/local/nginx/conf/ultimate-badbot-blocker/bots.d/blockbots.conf;

      location / {
        include /usr/local/nginx/conf/503include-only.conf;

        # Enables directory listings when index file not found
        #autoindex  on;

        # for wordpress super cache plugin
        #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;

        # for wp cache enabler plugin
        #try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;

        # Wordpress Permalinks
        #try_files $uri $uri/ /index.php?q=$uri&$args;

        # Nginx level redis Wordpress
        # https://community.centminmod.com/posts/18828/
        try_files $uri $uri/ /index.php?$args;
      }

      location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/domain.com/htpasswd_wplogin;
        #include /usr/local/nginx/conf/php-wpsc.conf;

        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
      }

      location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;

        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
      }

      location ~* /wp-admin/(load-scripts\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;

        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
      }

      location ~* /wp-admin/(load-styles\.php) {
        limit_req zone=xwprpc burst=5 nodelay;
        #limit_conn xwpconlimit 30;
        #include /usr/local/nginx/conf/php-wpsc.conf;

        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
      }

      location /wp-content/uploads/2017 {
        autoindex off;
        location ~* ^/wp-content/uploads/2017/.+\.(png|jpe?g)$ {
          expires 30d;
          add_header Vary "Accept-Encoding";
          add_header Cache-Control "public, no-transform";
          try_files $uri$webp_extension $uri =404;
        }
      }

      location /wp-content/uploads/2018 {
        autoindex off;
        location ~* ^/wp-content/uploads/2018/.+\.(png|jpe?g)$ {
          expires 30d;
          add_header Vary "Accept-Encoding";
          add_header Cache-Control "public, no-transform";
          try_files $uri$webp_extension $uri =404;
        }
      }

      location /wp-content/uploads/2019 {
        autoindex off;
        location ~* ^/wp-content/uploads/2019/.+\.(png|jpe?g)$ {
          expires 30d;
          add_header Vary "Accept-Encoding";
          add_header Cache-Control "public, no-transform";
          try_files $uri$webp_extension $uri =404;
        }
      }

      location /wp-content/uploads/2020 {
        autoindex off;
        location ~* ^/wp-content/uploads/2020/.+\.(png|jpe?g)$ {
          expires 30d;
          add_header Vary "Accept-Encoding";
          add_header Cache-Control "public, no-transform";
          try_files $uri$webp_extension $uri =404;
        }
      }

      include /usr/local/nginx/conf/wpincludes/domain.com/wpsecure_domain.com.conf;
      #include /usr/local/nginx/conf/php-wpsc.conf;

      # https://community.centminmod.com/posts/18828/
      include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
     
  7. eva2000

    eva2000 Administrator Staff Member

    I see the Ultimate Bad Bot Blocker in place, installed from the instructions at Security - Nginx Ultimate Bad Block Blocker?

    Try commenting it out and restarting nginx to see if it works:
    Code (Text):
           # Bad Bot Blocker
           #include /usr/local/nginx/conf/ultimate-badbot-blocker/bots.d/ddos.conf;
           #include /usr/local/nginx/conf/ultimate-badbot-blocker/bots.d/blockbots.conf;
    
     
  8. Fernando

    Fernando Member

    Hi,

    Thank you for your help :)

    I see the Ultimate Bad Bot Blocker in place, installed from the instructions at Security - Nginx Ultimate Bad Block Blocker?
    - Yes

    I excluded both lines; however, it's still failing :(
    I re-compiled nginx with NGINX_DEBUG='y', but I don't see any clear problem that might be happening. I will be providing the logs later today if you have any idea :)

    Unfortunately, I can't paste them right now as I'm again in the Linode console and can't get them at this moment.
    I will continue doing more research; if you have any other suggestion please let me know. I really appreciate all the time and help you have provided to me.

    Thank you,
    Best Regards
     
  9. eva2000

    eva2000 Administrator Staff Member

    Simple check of file permissions?
    Code (Text):
    ls -lah /home/nginx/domains/xxxxxxx.com/public/wp-content/plugins/classiera-locations/
    ls -lah /home/nginx/domains/xxxxxxx.com/public/wp-content/plugins/classiera-locations/js/
    
     
  10. Fernando

    Fernando Member

    Hi,

    Thank you, please see below:

    upload_2018-7-11_9-33-4.png

    I also added, as a test, in wpsecure_loquevendes.com.conf:

    Code:
    location ~ ^/wp-content/plugins/classiera-locations/ {
       allow all;
       include /usr/local/nginx/conf/php.conf;
    }
     


  11. Fernando

    Fernando Member

    Hi,

    Here is the debug output of nginx; as you can see in the http filename, the root directory is duplicated :(

    upload_2018-7-11_9-37-56.png
     
  12. eva2000

    eva2000 Administrator Staff Member

    classiera locations wp plugin misconfiguration ?
     
  14. Fernando

    Fernando Member

    I got it to work; I modified the plugin code's wp_enqueue_script call so now it points to the correct location.

    I have contacted the author to determine what the permanent fix will be in a newer release.

    Thank you for all your help on this issue I really appreciate it!
    Regards
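The error.log line in post 5 and the debug output in post 11 both show the document root appearing twice in the open() path, and the resolution in post 14 was a change to the plugin's wp_enqueue_script call. That pattern is what an application produces when it writes an on-disk path where a URL belongs: the browser asks for /home/nginx/domains/domain.com/public/wp-content/..., nginx appends that URI to its root, and the file is looked up under root+root. It also means the server's filesystem layout is published in the page HTML to every visitor, which is a small information leak in its own right, so the fix belongs in the application rather than in an nginx rewrite. In WordPress terms that usually means building the script src from the plugin's URL (plugin_dir_url or plugins_url) instead of its filesystem path (plugin_dir_path); that is an assumption about this plugin, since the thread does not show its code. As an added example (not from the thread or Centmin Mod), here is a POSIX shell function that detects the doubled-root symptom in an nginx error.log line and recovers the URI the page should have used. The two log lines are constructed, modelled on the truncated line in post 5.

```shell
#!/bin/sh
# Added example (not from the thread): spot the "root directory duplicated"
# symptom in an nginx error.log and recover the URL the page should have used.
#
# Usage: doubled_root_uri <error.log line> <vhost root>
# Prints the URI with the stray root prefix removed and returns 0 when the
# logged open() path starts with the root twice; returns 1 otherwise.
doubled_root_uri() {
    line="$1"
    root="${2%/}"        # tolerate a trailing slash on the root argument
    # Pull the path nginx tried to open out of: open() "<path>" failed (...)
    path=$(printf '%s\n' "$line" | sed -nE 's/.*open\(\) "([^"]+)".*/\1/p')
    [ -n "$path" ] || return 1
    case "$path" in
        "$root$root"/*)
            # Strip root+root; what remains is the URI a correct <script src> would carry.
            printf '%s\n' "${path#"$root$root"}"
            return 0 ;;
    esac
    return 1
}

# Constructed log lines modelled on the thread's truncated open() error.
ROOT=/home/nginx/domains/domain.com/public
DOUBLED='2018/07/11 09:30:00 [error] 1234#0: *1 open() "/home/nginx/domains/domain.com/public/home/nginx/domains/domain.com/public/wp-content/plugins/classiera-locations/js/classiera-locations.js" failed (2: No such file or directory), client: 198.51.100.10, server: www.domain.com, request: "GET /home/nginx/domains/domain.com/public/wp-content/plugins/classiera-locations/js/classiera-locations.js?ver=4.9.7 HTTP/2.0", host: "www.domain.com"'
ORDINARY='2018/07/11 09:31:00 [error] 1234#0: *2 open() "/home/nginx/domains/domain.com/public/missing.js" failed (2: No such file or directory), client: 198.51.100.10, server: www.domain.com, request: "GET /missing.js HTTP/2.0", host: "www.domain.com"'

for entry in "$DOUBLED" "$ORDINARY"; do
    if uri=$(doubled_root_uri "$entry" "$ROOT"); then
        echo "filesystem path leaked into the page; the script should be requested as $uri"
    else
        echo "plain 404, file really is missing under the root"
    fi
done
```

To sweep a real log, feed each line in turn, e.g. grep 'open()' /home/nginx/domains/domain.com/log/error.log | while IFS= read -r l; do doubled_root_uri "$l" "$ROOT"; done, and treat any hit as an application bug to report to the plugin author rather than something to paper over with a location block.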
     
  15. eva2000

    eva2000 Administrator Staff Member

    Glad to hear :)
     