Xenforo I got 403 error in some files when switching website from cpanel to centminmod.

ducle.2020 · Sep 4, 2020

Hello,
I moved my website from cpanel to centminmod and got the 403 error with the files stored at / styles /*
eg: mydomain.com/styles/default/xenforo/xenforo-logo2x.png
I did chmod, chown -R, added .autoprotect-bypas, ... however things remained unchanged. Please help me fix it, thank you.

Code:

ls -lAh /home/nginx/domains/mydomain.com/public/
total 259M
-rw-r-----  1 nginx nginx 2.0K Jun  1 16:09 401.html
-rw-r-----  1 nginx nginx 1.6K Aug 21  2015 403.html
-rw-r-----  1 nginx nginx 1.6K Aug 21  2015 404.html
-rw-r-----  1 nginx nginx 2.1K Aug 21  2015 500.html
-rw-r-----  1 nginx nginx 2.1K Aug 21  2015 502.html
-rw-r-----  1 nginx nginx 2.2K Aug 21  2015 503.html
-rw-r-----  1 nginx nginx 7.6K Jun  1 16:09 503.jpg
-rw-r-----  1 nginx nginx 2.1K Aug 21  2015 504.html
-rw-r-----  1 nginx nginx 2.2K Aug 21  2015 50x.html
-rw-r--r--  1 nginx nginx  302 Apr 23 17:24 admin.php
drwxr-sr-x  2 nginx nginx 4.0K Nov 17  2019 cgi-bin
-rw-r--r--  1 nginx nginx  324 Apr 23 17:24 cmd.php
-rw-r--r--  1 nginx nginx 1.9K Apr 23 17:24 connected_account.php
-rw-rw-r--  1 nginx nginx  472 Oct 29  2019 connected_discord.php
-rw-r--r--  1 nginx nginx  813 Apr 23 17:24 css.php
drwxrwsrwx 11 nginx nginx 4.0K Apr 20 06:44 data
-rw----r--  1 nginx nginx 1.2K Nov  2  2016 deferred.php
-rw-r--r--  1 nginx nginx 259M Aug 26 16:04 error_log
-rw----r--  1 nginx nginx  535 Nov  2  2016 fb_channel.php
drwxr-sr-x  9 nginx nginx 4.0K Jun  2 16:17 images
-rw-r--r--  1 nginx nginx 1.4K Aug 21  2015 index.html
-rw-r--r--  1 nginx nginx  377 Aug 21 08:35 index.php
drwxr-sr-x  4 nginx nginx 4.0K Apr 23 19:42 install
drwxrwsrwx 10 nginx nginx 4.0K Sep  3 14:58 internal_data
-rw-r--r--  1 nginx nginx 1.4K Apr 23 17:24 job.php
drwxr-sr-x 26 nginx nginx 4.0K Apr 20 06:45 js
drwxr-sr-x 27 nginx nginx 4.0K Sep  3 14:57 library
-rw-r--r--  1 nginx nginx 1.1K Sep 24  2018 lwHostsCheck.php
-rw-r-----  1 nginx nginx 2.2K Aug 21  2015 maintenance.html
-rw-r--r--  1 nginx nginx  863 Apr 23 17:24 oembed.php
-rw-r--r--  1 nginx nginx 1.7K Apr 23 17:24 payment_callback.php
-rw-r--r--  1 nginx nginx  983 Apr 23 17:24 proxy.php
-rw----r--  1 nginx nginx 1.1K Nov  2  2016 rgba.php
-rw----r--  1 nginx nginx  787 Aug 27 03:16 robots.txt
-rw-r--r--  1 nginx nginx  376 Apr 23 17:24 sitemap.php
drwxr-sr-x  6 nginx nginx 4.0K Sep  3 14:59 src
drwxr-sr-x 12 nginx nginx 4.0K Sep  3 15:08 styles
-rw-rw-r--  1 nginx nginx  412 Apr 23 20:31 uix_manifest.php
-rw-r--r--  1 nginx nginx 1.6K Apr 23 17:24 unfurl.php

Code:

getfacl -L --absolute-names /home/nginx/domains/mydomains.com/public/styles/
# file: /home/nginx/domains/mydomain.com/public/styles/
# owner: nginx
# group: nginx
# flags: -s-
user::rwx
group::r-x
other::r-x

eva2000 · Sep 4, 2020

in SSH session what does curl header check report output wise ?
Code (Text):
curl -Ik https://mydomain.com/styles/default/xenforo/xenforo-logo2x.png
For posting code or output from commands to keep the formatting, you might want to use CODE tags for code How to use forum BBCODE code tags

ducle.2020 said: ↑

added .autoprotect-bypas
Click to expand...

where did you add the file ?

If on Centmin Mod 123.09beta01, you may have ran into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community Your uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know

Nginx web servers do not support Apache web server .htaccess files. So any web application which relies on .htaccess to protect directories will be fully open to the public on Nginx web servers unless your Nginx vhost config file has specific location directory matches to deny and/or password protect them.

tools/autoprotect.sh runs via cronjob and basically checks entire Centmin Mod LEMP stack server's Nginx vhost site's public web accessible directories for .htaccess files that exist. Then grabbing their directory path to .htaccess file and auto generating an Nginx equivalent location match and deny all setup.
Click to expand...

So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.

Is it better to add an exeption for 127.0.0.1 for autoprotect rules? | Centmin Mod Community

IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community

Wordpress - Akismet JS and CSS - Forbidden? | Centmin Mod Community

Nginx - Error 403 nginx with sngine script

Check if your nginx vhost at either or both /usr/local/nginx/conf/conf.d/domain.com.conf and/or /usr/local/nginx/conf/conf.d/domain.com.ssl.conf has include file for autoprotect example
Code (Text):
include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
see if your directory for the script which has issues is caught in an autoprotect include entry in /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf which has a deny all entry
Code (Text):
cat /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
i.e.
Code (Text):
# /home/nginx/domains/domain.com/public/subdirectory/js
location ~* ^/subdirectory/js/ { allow 127.0.0.1; deny all; }
If caught you can whitelist it by autoprotect bypass .autoprotect-bypass file - details below here. So if problem js file is at domain.com/subdirectory/js/file.js then it is likely /subdirectory/js has a .htaccess with deny all in it - make sure that directory is meant to be publicly accessible by contacting author of script and if so, you can whitelist it and re-run autoprotect script to regenerate your /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file
Code (Text):
cd /home/nginx/domains/domain.com/public/subdirectory/js
touch .autoprotect-bypass
/usr/local/src/centminmod/tools/autoprotect.sh
nprestart
it maybe you need to also whitelist /subdirectory then it would be as follows creating bypass files at /home/nginx/domains/domain.com/public/subdirectory/.autoprotect-bypass and /home/nginx/domains/domain.com/public/subdirectory/js/.autoprotect-bypass
Code (Text):
cd /home/nginx/domains/domain.com/public/subdirectory/
touch .autoprotect-bypass
cd /home/nginx/domains/domain.com/public/subdirectory/js
touch .autoprotect-bypass
/usr/local/src/centminmod/tools/autoprotect.sh
nprestart
then double check to see if updated /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file now doesn't show an entry for /subdirectory/js

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Xenforo I got 403 error in some files when switching website from cpanel to centminmod.

ducle.2020 New Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Xenforo I got 403 error in some files when switching website from cpanel to centminmod.

ducle.2020 New Member

eva2000 Administrator Staff Member

.