
IP.Board IPB 4.1.x and latest centmin mod beta

Discussion in 'Forum software usage' started by tjk, Jun 10, 2016.

  1. tjk

    tjk Member

    74
    16
    8
    Jun 27, 2015
    Ratings:
    +25
    Local Time:
    1:05 AM
    Kicked my butt on this one for a while, still haven't figured it all out yet.

    Latest IPB 4.1.12.2 install, everything is going fine. In the ACP of IPB, there is an option to secure the uploads directory, and it writes out the following Apache .htaccess file to the ./public/uploads directory.

    Code (Text):
    #<ipb-protection>
    <Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$">
        Order allow,deny
        Deny from all
    </Files>
    

    At some point, centmin mod runs the autoprotect cron job and converts this into an nginx block:

    Code (Text):
    # /home/nginx/domains/domain.io/public/uploads
    location ~* ^/uploads/ { deny all; }
    

    Which breaks IPB css/styles, with the following errors:

    Code (Text):
    2016/06/10 03:14:38 [error] 10604#10604: *8 access forbidden by rule, client: 1.2.5.1, server: www.domain.io, request: "GET /uploads/set_resources_1/721d19a47b75773db8abe1ed740775e3_logo.png HTTP/2.0", host: "www.domain.io", referrer: "https://www.domain.io/admin/?adsess=vcemeouq6r17oqbiq7sk1e9uf1&app=core&module=overview&controller=security"
    

    Any ideas?
     
  2. eva2000

    eva2000 Administrator Staff Member

    29,053
    6,594
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,790
    Local Time:
    3:05 PM
    Nginx 1.13.x
    MariaDB 5.5
    Is /uploads/set_resources_1 a fixed known directory? If so, just create a location context for it above the auto protect include file to punch a hole in the deny all.
     
    • Creative Creative x 1
  3. Jimmy

    Jimmy Premium Member Premium Member

    1,026
    231
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +555
    Local Time:
    1:05 AM
    1.13.x
    MariaDB 10.1.x
    Why are you securing the uploads directory via the ACP? IPS built that for Apache which is going to drop in an htaccess file which Nginx doesn't use.

    If you look at the gist the uploads directory is already protected via a location block.
     
    Last edited: Jun 10, 2016
  4. Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    7:05 AM
    1.9.9
    10.1.10
    Nope, there are a lot of folders dynamically created in the uploads folder.
    But as @Jimmy already said, using this option is completely useless as it is only for setups that support .htaccess files.
     
    • Informative Informative x 1
  5. Jimmy

    Jimmy Premium Member Premium Member

    Last edited: Jun 10, 2016
    • Informative Informative x 1
  6. tjk

    tjk Member

    Of course, we all know .htaccess is for Apache, that wasn't my point. My point was that if someone clicks on that and they are using nginx, it will break the configuration. IPB shows that warning in the ACP about the uploads directory being unprotected, and yes, I know, because it uses apache and .htaccess and doesn't know about nginx.

    I have uploads protected in the domain.conf file:
    Code (Text):
    location ~^(/uploads/).*(\.php)$ {
    deny all;
    }
    

    It took me a while to find that centmin mod converts apache .htaccess files to nginx blocks automatically.

    I am using the conf file that I put together from your work @Jimmy and @Ahmad , see below, and thank you guys for doing this and sharing!
    Code (Text):
    # if unsure use return 302 before using return 301, will change to 301 before launch
    server {
           listen   80;
           server_name www.domain.io domain.io;
           return 302 https://$server_name$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name www.domain.io domain.io;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.io/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.io/ssl-bundle.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.io/domain.io.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains. 
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # include subdomain
      #add_header Public-Key-Pins 'pin-sha256="cLskal7OcoU5ysxBSYzRdd5kAT7G/Vy0BxUViWDUp10="; pin-sha256="mENL+F6zn+gZsBzkbHX1Su+uz/UjVOMilMBgBDWobMU="; max-age=86400; includeSubDomains';
      # exclude subdomains
      #add_header Public-Key-Pins 'pin-sha256="cLskal7OcoU5ysxBSYzRdd5kAT7G/Vy0BxUViWDUp10="; pin-sha256="mENL+F6zn+gZsBzkbHX1Su+uz/UjVOMilMBgBDWobMU="; max-age=86400';
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.io/ssl-trust.crt;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;  
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.io/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.io/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.io/autoprotect-datacentertalk.io.conf;
      root /home/nginx/domains/domain.io/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      #prevent access to ./directories and files
      location ~ (?:^|/)\. {
      deny all;
      }  
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
      # block common exploits, sql injections etc
      include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # friendly urls for ipb 4.1
      try_files    $uri $uri/ /index.php;
    
      }
    
      # add stuff for ipb 4.x
      location ~^(/page/).*(\.php)$ {
      try_files $uri $uri/ /index.php;
      }
    
      location ~^(/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus)/interface/).*(\.php)$ {
      include /usr/local/nginx/conf/php.conf;
      allow all;
      }
    
      location ~^(/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus)/).*(\.php)$ {
      deny all;
      }
    
      # Allow access to imageproxy  
      location ^~ /applications/core/interface/imageproxy/imageproxy.php {
      include /usr/local/nginx/conf/php.conf;
      allow  all;
      }
    
      location ~^(/uploads/).*(\.php)$ {
      deny all;
      }
    
      location ~^(/system/).*(\.php)$ {
      deny all;
      }
    
      location ~^(/datastore/).*(\.php)$ {
      deny all;
      }
    
      location ~^(/plugins/).*(\.php)$ {
      deny all;
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
     
  7. eva2000

    eva2000 Administrator Staff Member

  8. tjk

    tjk Member

  9. eva2000

    eva2000 Administrator Staff Member

    ah yes you can do that too :)

    /tools/autoprotect.sh is there to protect you automatically if you had .htaccess and no specific deny all rule in place. But you do have a specific rule to deny only php files :)
     
    • Like Like x 1
  10. eva2000

    eva2000 Administrator Staff Member

    actually might be good to add /uploads/.autoprotect-bypass file anyway as you will undoubtedly upgrade your forums which means re-uploading the new files and may re-upload the /uploads/.htaccess which tools/autoprotect.sh will again pick up if you don't bypass it
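
Added example, not part of the thread and not Centmin Mod's own code: a read-only audit that lists every `.htaccess` under a docroot that contains a deny rule, reports whether the deny is scoped to a `<Files>`/`<FilesMatch>` pattern (the case above, where a directory-wide nginx `deny all` also blocks images and CSS), and whether the `.autoprotect-bypass` file mentioned above sits beside it. The function names, the sample tree and its `/private/` and `/cache/` directories are constructed for illustration; the `Require all denied` match is an addition for Apache 2.4 syntax.

```bash
#!/bin/sh
# Added example (not autoprotect.sh). Output per .htaccess with a deny rule:
#   <uri-prefix> TAB <scope> TAB <bypass>
# scope  = files:<regex> when every deny sits inside <Files>/<FilesMatch>,
#          directory when a deny applies to the whole directory
# bypass = yes when .autoprotect-bypass exists in the same directory
audit_htaccess() (
  docroot=${1%/}
  find "$docroot" -type f -name .htaccess | sort | while IFS= read -r ht; do
    dir=${ht%/.htaccess}
    uri=${dir#"$docroot"}/
    scope=$(awk '
      { line = $0; gsub(/\r/, "", line); sub(/^[ \t]+/, "", line); low = tolower(line) }
      low ~ /^#/ { next }
      low ~ /^<files(match)?[ \t]/ {              # opening <Files ...> tag
        infiles = 1; pat = line
        sub(/^<[A-Za-z]+[ \t]+(~[ \t]*)?"?/, "", pat)   # drop tag, "~", quote
        sub(/"?[ \t]*>[ \t]*$/, "", pat)                # drop closing quote, ">"
        next
      }
      low ~ /^<\/files(match)?>/ { infiles = 0; next }
      low ~ /^(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ {
        if (infiles) scoped = scoped (scoped != "" ? "," : "") pat; else wide = 1
      }
      END { if (wide) print "directory"; else if (scoped != "") print "files:" scoped }
    ' "$ht")
    [ -n "$scope" ] || continue
    bypass=no; [ -e "$dir/.autoprotect-bypass" ] && bypass=yes
    printf '%s\t%s\t%s\n' "$uri" "$scope" "$bypass"
  done
)

# Constructed sample tree: the IPB .htaccess quoted in this thread plus two
# made-up directory-wide denies, one of them carrying a bypass file.
make_sample_tree() (
  t=$(mktemp -d) && mkdir -p "$t/public/uploads" "$t/public/private" "$t/public/cache"
  cat > "$t/public/uploads/.htaccess" <<'EOF'
#<ipb-protection>
<Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$">
    Order allow,deny
    Deny from all
</Files>
EOF
  printf 'Deny from all\n' > "$t/public/private/.htaccess"
  printf 'Deny from all\n' > "$t/public/cache/.htaccess"
  : > "$t/public/cache/.autoprotect-bypass"
  echo "$t"
)

t=$(make_sample_tree); audit_htaccess "$t/public"; rm -rf "$t"
```

A `files:` row with `bypass` set to `no` is the situation from the first post: the original rule only covered script extensions, so it needs either a bypass file or an equally scoped nginx `location`.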
     
  11. Jimmy

    Jimmy Premium Member Premium Member

    Actually, it won't do anything if you're running Nginx, just if you're running Centmin Mod.

    @eva2000 IMO having the autoprotect turned off with the option of turning it on I think would be better. Maybe a selection of the org install with the option of having autoprotect would allow newbies to have it on. In the end, it's your software, but I will have to make sure to turn it off so it's not doing something it shouldn't do... like the example above.
     
    • Like Like x 1
  12. tjk

    tjk Member

    @Jimmy did you take a look at my config? Let me know if there are any changes you recommend, I think you said you were going to try and update your gist this weekend, be curious if there's anything I can improve or that is missing.

    Thanks guys!
     
  13. Jimmy

    Jimmy Premium Member Premium Member

    I'm setting up my development site this weekend, so I'll be revising the template on gist when I do the update. I actually haven't moved my main forum to 4 yet as there have been many bugs with the script. If you're on github just "watch" the gist and if there are any updates, you'll get an email saying something changed. :)
     
  14. tjk

    tjk Member

    Thanks @Jimmy , btw what forums do you run, care to share?
     
  15. Jimmy

    Jimmy Premium Member Premium Member

    I don't generally talk about the forums I run.
     
  16. tjk

    tjk Member

    Sort of like Fight Club, I get it! :)
     
    • Like Like x 1
  17. eva2000

    eva2000 Administrator Staff Member

    that would defeat the purpose of autoprotect.sh as it's meant to protect when folks haven't set up their own specific location match contexts. i.e. if folks using IP.Board didn't set up their own
    Code (Text):
    location ~^(/uploads/).*(\.php)$ {
    deny all;
    }
    
     
  18. Jimmy

    Jimmy Premium Member Premium Member

    I understand the purpose for autoprotect. But something like this feature which is great for people who didn't set up the correct protections, is horrible for the advanced user who might have missed removing an htaccess file on an upgrade folder and next thing you know the autoprotect kicks in and messes something up on a production site.

    One of the reasons I suggested to allow people to turn it on when they're installing to protect themselves - other users who already know what they're going to install and have a conf file already set up and keep it off. From what I understand the way it's set up now, I have to put an .autoprotect-bypass file in every folder just in case? Sounds like more trouble for the advanced users at the cost of covering people who don't know what they're doing.

    Maybe have another branch with autoprotect as an option for new users or users who want additional protection? 123beta09-autoprotect?
     
  19. eva2000

    eva2000 Administrator Staff Member

    Yeah I understand what you're saying.. for now because 123.09beta01 is beta, it will be left enabled so folks can test and provide feedback. When stable comes, will re-evaluate things or maybe come up with a smarter method i.e. inspecting the vhost nginx for your specific rules too to bypass autoprotect.sh
     
  20. Jimmy

    Jimmy Premium Member Premium Member

    Yea, I guess the beta is for testing - good point.

    If there could be an option in the custom_config file for autoprotect='n' in the interim that would be awesome. :D
     
    • Like Like x 2