
Nginx Error 403 nginx with sngine script

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by PeppaPigKilla, Mar 4, 2017.

  1. PeppaPigKilla

    PeppaPigKilla Member

    43
    12
    8
    Dec 21, 2016
    Ratings:
    +13
    Local Time:
    1:34 AM
    1.11.7
    10.0.28-MariaDB
    • CentOS Version: CentOS7
    • Centmin Mod Version Installed: Latest Beta
    • Nginx Version Installed: 1.11.10
    • PHP Version Installed: 7.1.1
    • MariaDB MySQL Version Installed: 10.1.1
    • When was last time updated Centmin Mod code base?: Only installed yesterday
    • Persistent Config: No

    Hello

    I have installed Centmin on my VPS yesterday, all went smoothly. I have upgraded PHP to 7.1.1.

    Everything is fine with the installation as far as I know. I am using Cloudflare as a DNS.

    At my domain registrar I have the name servers pointing to the Cloudflare ones I was supplied. I have paused the Cloudflare CDN as per the last time I did this (think that's right).

    I have added the vhost I want to use and have uploaded some files to install a script, and set the permissions as per the instructions for said script.

    The problem is that when I go to the website it gives me a 403 Forbidden error.
    I haven't made any changes to any conf files etc.

    Any ideas what's holding me back?
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    11:34 AM
    Nginx 1.13.x
    MariaDB 5.5
    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess 'deny from all' type files in their directories, which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks' web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users' feedback and troubleshooting.
     
  3. PeppaPigKilla

    Thanks for the reply. I have read the above post and I have no idea what any of it means. I can see it's explained, but I have no idea what it's telling me to do.

    Is it asking me to run autoprotect? I did, it did nothing to resolve my issue, so I'm assuming I wasn't supposed to. This seems an extremely lengthy process to do something that doesn't need doing on Apache, or maybe that's the point, I don't know, I know nothing.
     
  4. eva2000

    What are the contents of your auto generated autoprotect include file at
    /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf, where domain.com is your domain?

    You can use the cat command to output the contents in SSH and copy and paste them into a forum post in CODE tags.
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    
     
    • Informative x 1
  5. PeppaPigKilla

    This is the contents of autoprotect for the domain

    Code:
    # https://community.centminmod.com/posts/35394/
    # /home/nginx/domains/altf4.life/public/content/uploads
    
    location /content/uploads/ {
      location ~ ^/content/uploads/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/content/uploads/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/content/uploads/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/content/uploads/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }
    
    # /home/nginx/domains/altf4.life/public
    location ~* ^/ { allow 127.0.0.1; deny all; }
     
  6. eva2000

    There's the problem: you have a .htaccess file in /home/nginx/domains/altf4.life/public which contains a deny all directive. What are the contents of /home/nginx/domains/altf4.life/public/.htaccess?

    tools/autoprotect.sh detected this /home/nginx/domains/altf4.life/public/.htaccess and auto generated a rule in /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf to protect your directory, but it's at the web root /home/nginx/domains/altf4.life/public, hence your 403 permission denied.
    Code (Text):
    # /home/nginx/domains/altf4.life/public
    location ~* ^/ { allow 127.0.0.1; deny all; }
    

    Depending on the contents of /home/nginx/domains/altf4.life/public/.htaccess, you may have already set up Nginx equivalent rewrite/deny rules in your Nginx vhost, so you can exclude tools/autoprotect.sh from auto generating the rule via a .autoprotect-bypass file placed in /home/nginx/domains/altf4.life/public/ at /home/nginx/domains/altf4.life/public/.autoprotect-bypass. Details below here

    Then manually run tools/autoprotect.sh again to regenerate your include file /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf which will now skip auto generating that rule.

    tools/autoprotect.sh may feel troublesome, but it's there to protect the security of your web apps, as some web app authors rely on .htaccess to protect private directories but Nginx doesn't support .htaccess, so those private directories would be left wide open to the public.
     
  7. PeppaPigKilla

    Code:
    Options +FollowSymLinks -MultiViews +Indexes
    <FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak|tpl)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>
    
    <IfModule mod_headers.c>
    # WEEK
    <FilesMatch "\.(jpg|jpeg|png|gif|swf|css|js)$">
        Header set Cache-Control "max-age=604800, public"
    </FilesMatch>
    </IfModule>
    
    RewriteEngine on
    RewriteOptions MaxRedirects=1
    RewriteCond %{REQUEST_FILENAME} -f [NC,OR]
    RewriteCond %{REQUEST_FILENAME} -d [NC]
    RewriteRule .* - [L]
    
    # Installer
    RewriteRule ^install/?$ install.php [L]
    
    # Static Pages
    RewriteRule ^static/([^/]+)/?$ static.php?url=$1 [L]
    
    # Sign(in|up|out)
    RewriteRule ^signin/?$ signin.php [L]
    RewriteRule ^signup/?$ signup.php [L]
    RewriteRule ^signout/?$ signout.php [L]
    RewriteRule ^reset/?$ reset.php [L]
    RewriteRule ^activation/([^/]+)/([^/]+)/?$ activation.php?id=$1&token=$2 [L]
    
    # Social Logins
    RewriteRule ^connect/([^/]+)/?$ connect.php?provider=$1 [L]
    RewriteRule ^revoke/([^/]+)/?$ revoke.php?provider=$1 [L]
    
    # Search
    RewriteRule ^search/?$ search.php [L]
    RewriteRule ^search/hashtag/([^/]+)/?$ search.php?query=$1&hashtag=1 [L]
    RewriteRule ^search/([^/]+)/?$ search.php?query=$1&hashtag=0 [L]
    
    # Started
    RewriteRule ^started/?$ started.php [L]
    RewriteRule ^started/finished?$ started.php?finished=true [L]
    
    # Friends Requests
    RewriteRule ^friends/requests/?$ friend_requests.php [L]
    RewriteRule ^friends/requests/([^/]+)/?$ friend_requests.php?view=$1 [L]
    
    # Messages
    RewriteRule ^messages/?$ messages.php [L]
    RewriteRule ^messages/new?$ messages.php?view=new [L]
    RewriteRule ^messages/([^/]+)/?$ messages.php?cid=$1 [L]
    
    # Notifications
    RewriteRule ^notifications/?$ notifications.php [L]
    
    # Settings
    RewriteRule ^settings/?$ settings.php [L]
    RewriteRule ^settings/([^/]+)/?$ settings.php?view=$1 [L]
    
    # Posts & Photos
    RewriteRule ^posts/([^/]+)/?$ post.php?post_id=$1 [L]
    RewriteRule ^photos/([^/]+)/?$ photo.php?photo_id=$1 [L]
    
    # Pages & Groups
    RewriteRule ^create/page/?$ index.php?view=create_page [L]
    RewriteRule ^create/group/?$ index.php?view=create_group [L]
    
    RewriteRule ^pages/?$ index.php?view=pages [L]
    RewriteRule ^pages/([^/]+)/?$ page.php?username=$1 [L]
    RewriteRule ^pages/([^/]+)/([^/]+)/?$ page.php?username=$1&view=$2 [L]
    RewriteRule ^pages/([^/]+)/([^/]+)/([^/]+)/?$ page.php?username=$1&view=$2&id=$3 [L]
    
    RewriteRule ^groups/?$ index.php?view=groups [L]
    RewriteRule ^groups/([^/]+)/?$ group.php?username=$1 [L]
    RewriteRule ^groups/([^/]+)/([^/]+)/?$ group.php?username=$1&view=$2 [L]
    RewriteRule ^groups/([^/]+)/([^/]+)/([^/]+)/?$ group.php?username=$1&view=$2&id=$3 [L]
    
    # Games
    RewriteRule ^games/?$ index.php?view=games [L]
    RewriteRule ^games/([^/]+)/?$ game.php?id=$1 [L]
    
    # Saved
    RewriteRule ^saved/?$ index.php?view=saved [L]
    
    # Directory
    RewriteRule ^directory/?$ directory.php [L]
    RewriteRule ^directory/([^/]+)/?$ directory.php?view=$1 [L]
    RewriteRule ^directory/([^/]+)/([^/]+)/?$ directory.php?view=$1&page=$2 [L]
    
    # Admin
    RewriteRule ^admin/?$ admin.php [L]
    RewriteRule ^admin/([^/]+)/?$ admin.php?view=$1 [L]
    RewriteRule ^admin/([^/]+)/([^/]+)/?$ admin.php?view=$1&sub_view=$2 [L]
    RewriteRule ^admin/([^/]+)/([^/]+)/([^/]+)/?$ admin.php?view=$1&sub_view=$2&id=$3 [L]
    
    # Profile
    RewriteRule ^([^/]+)/?$ profile.php?username=$1 [L]
    RewriteRule ^([^/]+)/([^/]+)/?$ profile.php?username=$1&view=$2 [L]
    RewriteRule ^([^/]+)/([^/]+)/([^/]+)/?$ profile.php?username=$1&view=$2&id=$3 [L]

    This is the contents
     
  8. PeppaPigKilla

    This was the output of ...
    Code:
    grep location /usr/local/nginx/conf/autoprotect/altf4.life/autoprotect-altf4.life.conf

    Code:
    # grep location /usr/local/nginx/conf/autoprotect/altf4.life/autoprotect-altf4.life.conf
    location /content/uploads/ {
      location ~ ^/content/uploads/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/content/uploads/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/content/uploads/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/content/uploads/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    location ~* ^/ { allow 127.0.0.1; deny all; }
    You have new mail in /var/spool/mail/root
    
     
  9. eva2000

    Yup, that is part of the .htaccess file that tools/autoprotect.sh detected, and since those file extensions are usually denied on nginx as well, you can exclude tools/autoprotect.sh from auto generating the rule by creating an empty .autoprotect-bypass file placed in /home/nginx/domains/altf4.life/public/ at /home/nginx/domains/altf4.life/public/.autoprotect-bypass

    Then manually run tools/autoprotect.sh again to regenerate your include file /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf which will now skip auto generating that rule.
     
    • Winner x 1
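
As an added example (not Centmin Mod's tools/autoprotect.sh and not code from any poster in this thread), the script below audits a web root before a .autoprotect-bypass file is dropped in: it classifies each .htaccess as a directory-wide deny or a deny scoped to a `<Files>`/`<FilesMatch>` block, and reports whether a bypass marker is already present. The function names, the matching rules and the sample tree are assumptions; the web-root sample reuses the first lines of the .htaccess posted above.

```shell
#!/bin/sh
# Added example, not Centmin Mod's tools/autoprotect.sh. Assumption: a "deny" is a
# "Deny from all" or "Require all denied" line, matched case-insensitively.

# classify_htaccess FILE -> dir-wide | scoped | none
# "scoped" means every deny sits inside a <Files>/<FilesMatch> block.
classify_htaccess() {
  awk '
    { line = tolower($0) }
    line ~ /^[ \t]*#/ { next }
    line ~ /^[ \t]*<files(match)?[ \t>]/ { depth++; next }
    line ~ /^[ \t]*<\/files(match)?>/ { if (depth > 0) depth--; next }
    line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ {
      if (depth > 0) scoped = 1; else wide = 1
    }
    END { print (wide ? "dir-wide" : (scoped ? "scoped" : "none")) }
  ' "$1"
}

# audit_docroot DOCROOT -> "<class> <bypass|no-bypass> <web path>" per flagged .htaccess
audit_docroot() {
  root=${1%/}
  find "$root" -type f -name .htaccess | LC_ALL=C sort | while IFS= read -r f; do
    dir=$(dirname "$f")
    class=$(classify_htaccess "$f")
    [ "$class" = none ] && continue
    if [ -e "$dir/.autoprotect-bypass" ]; then b=bypass; else b=no-bypass; fi
    printf '%s %s %s/\n' "$class" "$b" "${dir#"$root"}"
  done
}

# make_sample DIR: constructed tree; the web-root file is the first lines of the
# .htaccess posted in this thread, the other two files are invented for contrast.
make_sample() {
  mkdir -p "$1/private" "$1/cache"
  cat > "$1/.htaccess" <<'EOF'
Options +FollowSymLinks -MultiViews +Indexes
<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak|tpl)$">
Order Allow,Deny
Deny from all
</FilesMatch>
EOF
  printf 'Deny from all\n' > "$1/private/.htaccess"
  printf 'Options -Indexes\n' > "$1/cache/.htaccess"
}

tmp=$(mktemp -d) && make_sample "$tmp" && audit_docroot "$tmp"
rm -rf "$tmp"
```

A `dir-wide` line that also shows `bypass` marks a directory whose only remaining protection is whatever deny rule exists in your own Nginx vhost, so check that rule before regenerating the include file.
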
  10. PeppaPigKilla

    worked, thank you
     
  11. PeppaPigKilla

    Would any of this stop the script accessing the database at all? Or creating files?
     
    Last edited: Mar 5, 2017
  12. eva2000

    What script is this? It depends; you can confirm by commenting out your include file /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf in your Nginx vhost and restarting nginx and php to totally disable autoprotect.sh temporarily.
     
  13. PeppaPigKilla

    The script is sngine, it's a social software script.

    Upon entering details in the installation process, after inputting the correct details, it says it cannot write to file.
     
  14. PeppaPigKilla

    Been told by the creator I have to use MySQL and no MariaDB. Shame.
     
  15. eva2000

    Why? What was his exact reply and explanation as to why? MariaDB is almost a drop-in replacement for MySQL so should be fine.

    Is this the sngine docs: Sngine - Documentation? The docs mention making certain directories writable, so have you done that too?

    Though the Sngine requirements do mention mod_rewrite, which is only an Apache supported item, so Nginx needs the .htaccess/mod_rewrite rules converted to Nginx rules. So if Sngine doesn't support Nginx rules or test with Nginx, then I can see that being a problem.
     
    Last edited: Mar 5, 2017
  16. eva2000

    Maybe this sngine: Discussion on Plugin Combo For Sngine | CodeCanyon?

    MariaDB: LIKE Condition

    ???
     
  17. PeppaPigKilla

    This was the response after I said I made the config manually.

    The combo plugin I'm not sure about, as that's not something I have.
     
    Last edited: Mar 6, 2017
  18. eva2000

    That's the key: does sngine provide any nginx rules at all, or do they have a support forum with users using nginx and sharing their nginx rules? If not, it will be hard to use sngine with nginx.

    If they say it needs MySQL and not MariaDB then it must be something in their code that isn't compatible, so unfortunately that would rule out using sngine on Centmin Mod or any Nginx servers.
     
  19. RoldanLT

    RoldanLT Well-Known Member

    3,978
    965
    113
    May 25, 2014
    Philippines
    Ratings:
    +1,329
    Local Time:
    9:34 AM
    1.11
    10.2
    It was a nice and great-looking script.
    I'm tempted to try it, but no Nginx and MariaDB support is the main blocker.