
Wordpress Help with rewrite rules?

Discussion in 'Blogs & CMS usage' started by bruno, Sep 12, 2017.

  1. bruno

    bruno Premium Member Premium Member

    54
    3
    8
    Oct 14, 2016
    Ratings:
    +7
    Local Time:
    3:51 AM
    I know this is a very niche question - apologies!

    I have a WordPress install set up on a beautiful centminmod server. I am trying to use the popular Fancy Product Designer plugin but have found an issue. It seems that the centminmod config is stopping a file (/wp-content/plugins/fancy-product-designer/assets/templates/productdesigner.php) from loading (getting a 403 error).

    Does any kind stranger have any idea how I might allow this php file to run? I've tried chmod 755 and no luck.

    Thanks in advance. Will reward any solutions with a little thank-you donation.
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,634
    6,862
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,308
    Local Time:
    1:51 PM
    Nginx 1.13.x
    MariaDB 5.5
    Centmin Mod values security and puts additional measures in place so that end users are also mindful of security. So in your case, you might need to whitelist or unblock the WP plugins related to your 403 permission denied messages.

    If you used centmin.sh menu option 22 auto installer Wordpress Nginx Auto Installer, the default wpsecure conf file at /usr/local/nginx/conf/wpsecure_${vhostname}.conf where vhostname is your domain name, blocks php scripts from executing in wp-content for security

    Below links you can see examples of setting up specific wordpress location matches to punch a hole in the wpsecure blocking to whitelist specific php files that need to be able to run.
    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks' web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users' feedback and troubleshooting.
     
    • Like x 1
  3. bruno

    i wish there could be more people like @eva2000 in the world!! that's exactly the reply i needed, and i'll get into reading that stuff now!

    thanks again for keeping up such a great project. respect from over here in the UK!
     
    • Like x 1
  4. bruno

    ok so i read as much as possible but i think i'm missing something !

    Let's say I wanted to exclude this file path from autoprotect.sh : /wp-content/plugins/fancy-product-designer

    What would be the steps?

    Code:
    nano  .autoprotect-bypass
    in that directory?

    what would go inside that file?

    then i re-run tools/autoprotect.sh and it should work ?

    thanks again in advance mate!
     
  5. eva2000

    Code (Text):
    cd /fullpathto/wp-content/plugins/fancy-product-designer
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    
     
  6. bruno

    Thanks! I tried that and still no change :(

    Here's the link for reference: Small Flag

    Chrome's inspector still shows 403 error for the file in question.

    Any idea how to fix? I'd be happy to hire you to resolve it.
     
  7. eva2000

    contents for your
    /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf where domain.com is your domain name ?
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    
     
  8. bruno

    Here it is:
    Code:
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/woocommerce-product-designer/includes/tcpdf/tools
    location ~* ^/wp-content/plugins/woocommerce-product-designer/includes/tcpdf/tools/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/wordfence/lib
    location ~* ^/wp-content/plugins/wordfence/lib/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/wordfence/tmp
    location ~* ^/wp-content/plugins/wordfence/tmp/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/woocommerce-jetpack/includes/lib/tcpdf_min/tools
    location ~* ^/wp-content/plugins/woocommerce-jetpack/includes/lib/tcpdf_min/tools/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools
    location ~* ^/wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/uploads/sucuri
    location ~* ^/wp-content/uploads/sucuri/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/uploads/woocommerce_uploads
    location ~* ^/wp-content/uploads/woocommerce_uploads/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/uploads/wc-logs
    location ~* ^/wp-content/uploads/wc-logs/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/uploads/ezfc-uploads
    location ~* ^/wp-content/uploads/ezfc-uploads/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/uploads/ezfc-pdf
    location ~* ^/wp-content/uploads/ezfc-pdf/ { allow 127.0.0.1; deny all; }
    # Nginx - Is it better to add an exeption for 127.0.0.1 for autoprotect rules?
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/wflogs
    
    location /wp-content/wflogs/ {
      location ~ ^/wp-content/wflogs/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/wp-content/wflogs/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/wp-content/wflogs/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/wp-content/wflogs/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }
    
     
    Last edited: Sep 13, 2017
  9. eva2000

  10. bruno

    My bad! Think I've fixed that now. Does it shed any light on it?
     
  11. eva2000

    looks good for that specific plugin you had issues with, what's listed in autoprotect include file for location context matches are directories which have .htaccess which you might need to whitelist too using your best judgement of course

    as per Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all, autoprotect.sh serves to give folks a heads up of potential .htaccess directories you may not want made public and need an nginx rule for and/or whitelisting
     
  12. eva2000

    oh you mean fixed the CODE tags, thought you meant the 403 issue.. it's still showing
    Code (Text):
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools
    location ~* ^/wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools/ { allow 127.0.0.1; deny all; }
    

    so maybe setup .autoprotect-bypass file
    Code (Text):
    touch /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools/.autoprotect-bypass
    

    then re-run tools/autoprotect.sh

    what's contents of /wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools/.htaccess ?
    Code (Text):
    cat /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools/.htaccess
    
     
  13. bruno

    Ah, still no luck unfortunately. Would it be useful for me to repost the /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf?

    Thanks again!
     
  14. eva2000

    yeah post updated contents after tools/autoprotect.sh run

    you can also quickly rule out autoprotect as the issue by editing your nginx vhost and commenting out the include file for /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    Code (Text):
    #include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
    

    restart nginx and php-fpm
    Code (Text):
    nprestart
    
     
  15. bruno

    Here it is!

    Code:
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/woocommerce-product-designer/includes/tcpdf/tools
    location ~* ^/wp-content/plugins/woocommerce-product-designer/includes/tcpdf/tools/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/woocommerce-jetpack/includes/lib/tcpdf_min/tools
    location ~* ^/wp-content/plugins/woocommerce-jetpack/includes/lib/tcpdf_min/tools/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools
    location ~* ^/wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/uploads/sucuri
    location ~* ^/wp-content/uploads/sucuri/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/uploads/woocommerce_uploads
    location ~* ^/wp-content/uploads/woocommerce_uploads/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/uploads/wc-logs
    location ~* ^/wp-content/uploads/wc-logs/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/uploads/ezfc-uploads
    location ~* ^/wp-content/uploads/ezfc-uploads/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/flagsilk.faste.st/public/wp-content/uploads/ezfc-pdf
    location ~* ^/wp-content/uploads/ezfc-pdf/ { allow 127.0.0.1; deny all; }
    
    I then commented out the autoprotect line as you suggested. Still no luck! Does that mean it's not to do with autoprotect.sh?

    Thanks again!
     
  16. bruno

    just some more info which might be useful from error.log:

    Code:
    2017/09/12 20:59:52 [error] 13351#13351: *47 access forbidden by rule, client: 162.158.155.15, server: flagsilk.faste.st, request: "GET /wp-content/plugins/fancy-product-designer/assets/templates/productdesigner.php HTTP/1.1", host: "flagsilk.faste.st", referrer: "https://flagsilk.faste.st/product/small-flag/"
    2017/09/12 21:03:08 [error] 13590#13590: *3 access forbidden by rule, client: 162.158.155.15, server: flagsilk.faste.st, request: "GET /wp-content/plugins/fancy-product-designer/assets/templates/productdesigner.php HTTP/1.1", host: "flagsilk.faste.st", referrer: "https://flagsilk.faste.st/product/small-flag/"
    2017/09/12 21:05:10 [error] 13780#13780: *3 access forbidden by rule, client: 162.158.155.15, server: flagsilk.faste.st, request: "GET /wp-content/plugins/fancy-product-designer/assets/templates/productdesigner.php HTTP/1.1", host: "flagsilk.faste.st", referrer: "https://flagsilk.faste.st/product/small-flag/"
    2017/09/12 21:26:20 [error] 13782#13782: *25 access forbidden by rule, client: 162.158.155.15, server: flagsilk.faste.st, request: "GET /wp-content/plugins/fancy-product-designer/assets/templates/productdesigner.php HTTP/1.1", host: "flagsilk.faste.st", referrer: "https://flagsilk.faste.st/product/small-flag/"
    2017/09/12 21:33:44 [error] 13780#13780: *45 access forbidden by rule, client: 162.158.155.15, server: flagsilk.faste.st, request: "GET /wp-content/plugins/fancy-product-designer/assets/templates/productdesigner.php HTTP/1.1", host: "flagsilk.faste.st", referrer: "https://flagsilk.faste.st/product/small-flag/"
    
     
  17. eva2000

  18. bruno

    yep, tried that earlier by adding # in the flagsilk.faste.st.conf and flagsilk.faste.st.ssl.conf files. sadly didn't make a difference. still getting 403 on the inspector for the productdesigner.php

    plugin's faq mentions this rewrite rule for .htaccess
    Code:
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    but I'm not sure how that would work on an nginx server.

    (source: Getting Started : Fancy Product Designer)
     
  19. eva2000

    then it's not autoprotect, it could be the default wpsecure conf file at /usr/local/nginx/conf/wpsecure_${vhostname}.conf where vhostname is your domain name, blocks php scripts from executing in wp-content for security

    Below links you can see examples of setting up specific wordpress location matches to punch a hole in the wpsecure blocking to whitelist specific php files that need to be able to run.
     
  20. bruno

    woohoooo ! found the fix!
    i had to go to /usr/local/nginx/conf/conf.d/flagsilk.faste.st.conf and /usr/local/nginx/conf/conf.d/flagsilk.faste.st.ssl.conf
    You may want to update the posts from the links you sent me in the last post, as they mention /usr/local/nginx/conf/ (maybe that's the old file path from before the beta?)

    I added this code:

    Code:
    # Whitelist Exception for https://wordpress.org/plugins/whatever-plugin/
    location ~ ^/wp-content/plugins/whatever-plugin/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    Now working perfectly.

    Thanks again man!!
     
    • Agree x 1
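
The elimination that posts 15 to 19 work through can be checked directly: take each path nginx logged as `access forbidden by rule` and test it against the deny locations in the autoprotect include. This is an added example, not part of the original posts or Centmin Mod's tooling; the function names are hypothetical, the sample data is abridged from posts 15 and 16, and Python's `re` is assumed to behave like nginx's PCRE for these simple patterns.

```python
import re

# Sample input abridged from the thread: three rules from the autoprotect
# include in post 15 and one error.log entry from post 16 (referrer dropped).
AUTOPROTECT_CONF = r"""
# /home/nginx/domains/flagsilk.faste.st/public/wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools
location ~* ^/wp-content/plugins/fancy-product-designer/admin/inc/tcpdf/tools/ { allow 127.0.0.1; deny all; }
location ~* ^/wp-content/uploads/sucuri/ { allow 127.0.0.1; deny all; }
location ~* ^/wp-content/uploads/wc-logs/ { allow 127.0.0.1; deny all; }
"""
ERROR_LOG = (
    '2017/09/12 20:59:52 [error] 13351#13351: *47 access forbidden by rule, '
    'client: 162.158.155.15, server: flagsilk.faste.st, request: "GET '
    '/wp-content/plugins/fancy-product-designer/assets/templates/productdesigner.php '
    'HTTP/1.1", host: "flagsilk.faste.st"'
)

# Regex locations (~ or ~*) whose block contains "deny all;".
LOCATION_RE = re.compile(r"^\s*location\s+(~\*?)\s+(\S+)\s*\{[^}]*\bdeny\s+all\s*;", re.M)
# re.S lets one entry span wrapped lines, as in a pasted log.
FORBIDDEN_RE = re.compile(r'access forbidden by rule.*?request: "[A-Z]+\s+(\S+)\s+HTTP/', re.S)

def deny_rules(conf_text):
    """Return (compiled regex, source pattern) for every denying regex location."""
    rules = []
    for modifier, pattern in LOCATION_RE.findall(conf_text):
        flags = re.I if modifier == "~*" else 0  # ~* is case-insensitive in nginx
        rules.append((re.compile(pattern, flags), pattern))
    return rules

def forbidden_paths(log_text):
    """Return unique request paths logged as 'access forbidden by rule'."""
    paths = []
    for uri in FORBIDDEN_RE.findall(log_text):
        path = uri.split("?", 1)[0]  # location matching ignores the query string
        if path not in paths:
            paths.append(path)
    return paths

def explain(conf_text, log_text):
    """Map each blocked path to the deny patterns matching it ([] means none)."""
    rules = deny_rules(conf_text)
    return {p: [src for rx, src in rules if rx.search(p)]
            for p in forbidden_paths(log_text)}

if __name__ == "__main__":
    for path, hits in explain(AUTOPROTECT_CONF, ERROR_LOG).items():
        print(path, "->", hits or "no autoprotect rule matches")
```

An empty list for a path means no autoprotect location covers it, so the 403 is coming from another include in the vhost, which in this thread was the wpsecure conf.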