IP.Board IPB 4.1.x and latest centmin mod beta

Kicked my butt on this one for awhile, still haven't figured it all out yet.

Latest IPB 4.1.12.2 install, everything is going fine. In the ACP of IPB, there is an option to secure the uploads directory, and it writes out the following Apache .htaccess file to the ./public/uploads directory.

---

Code (Text):

#<ipb-protection>
<Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$">
    Order allow,deny
    Deny from all
</Files>

At some point, centmin mod runs the autoprotect cron job and converts this into an nginx block:

Code (Text):

# /home/nginx/domains/domain.io/public/uploads
location ~* ^/uploads/ { deny all; }

Which breaks IPB css/styles, which the following errors:

Code (Text):

2016/06/10 03:14:38 [error] 10604#10604: *8 access forbidden by rule, client: 1.2.5.1, server: www.domain.io, request: "GET /uploads/set_resources_1/721d19a47b75773db8abe1ed740775e3_logo.png HTTP/2.0", host: "www.domain.io", referrer: "https://www.domain.io/admin/?adsess=vcemeouq6r17oqbiq7sk1e9uf1&app=core&module=overview&controller=security"

Any ideas?

 

Of course, we all know .htaccess is for Apache, that wasn't my point. My point was that if someone clicks on that and they are using nginix, it will break the configuration. IPB show's that warning in the ACP about the uploads directory being unprotected, and yes, I know, because it uses apache and .htaccess and doesn't know about nginx.

I have uploads protected in the domain.conf file:

Code (Text):

location ~^(/uploads/).*(\.php)$ {
deny all;
}

It took me awhile to find that centmin mod converts apache .htaccess files to nginx blocks automatically.

I am using the conf file that I put together from your work @Jimmy and @Ahmad , see below, and thank you guys for doing this and sharing!

Code (Text):

# if unsure use return 302 before using return 301, will change to 301 before launch
server {
       listen   80;
       server_name www.domain.io domain.io;
       return 302 https://$server_name$request_uri;
 }

server {
  listen 443 ssl http2;
  server_name www.domain.io domain.io;

  ssl_dhparam /usr/local/nginx/conf/ssl/domain.io/dhparam.pem;
  ssl_certificate      /usr/local/nginx/conf/ssl/domain.io/ssl-bundle.crt;
  ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.io/domain.io.key;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;
  # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains. 
  # You'd want to include subdomains if you're using SSL wildcard certificates
  # include subdomain
  #add_header Public-Key-Pins 'pin-sha256="cLskal7OcoU5ysxBSYzRdd5kAT7G/Vy0BxUViWDUp10="; pin-sha256="mENL+F6zn+gZsBzkbHX1Su+uz/UjVOMilMBgBDWobMU="; max-age=86400; includeSubDomains';
  # exclude subdomains
  #add_header Public-Key-Pins 'pin-sha256="cLskal7OcoU5ysxBSYzRdd5kAT7G/Vy0BxUViWDUp10="; pin-sha256="mENL+F6zn+gZsBzkbHX1Su+uz/UjVOMilMBgBDWobMU="; max-age=86400';
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1400;
  ssl_session_tickets on;
  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.io/ssl-trust.crt;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;  

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/domain.io/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/domain.io/log/error.log;

  include /usr/local/nginx/conf/autoprotect/domain.io/autoprotect-datacentertalk.io.conf;
  root /home/nginx/domains/domain.io/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  #prevent access to ./directories and files
  location ~ (?:^|/)\. {
  deny all;
  }  

  location / {
  include /usr/local/nginx/conf/503include-only.conf;

  # block common exploits, sql injections etc
  include /usr/local/nginx/conf/block.conf;

  # Enables directory listings when index file not found
  #autoindex  on;

  # Shows file listing times as local time
  #autoindex_localtime on;

  # friendly urls for ipb 4.1
  try_files    $uri $uri/ /index.php;

  }

  # add stuff for ipb 4.x
  location ~^(/page/).*(\.php)$ {
  try_files $uri $uri/ /index.php;
  }

  location ~^(/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus)/interface/).*(\.php)$ {
  include /usr/local/nginx/conf/php.conf;
  allow all;
  }

  location ~^(/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus)/).*(\.php)$ {
  deny all;
  }

  # Allow access to imageproxy  
  location ^~ /applications/core/interface/imageproxy/imageproxy.php {
  include /usr/local/nginx/conf/php.conf;
  allow  all;
  }

  location ~^(/uploads/).*(\.php)$ {
  deny all;
  }

  location ~^(/system/).*(\.php)$ {
  deny all;
  }

  location ~^(/datastore/).*(\.php)$ {
  deny all;
  }

  location ~^(/plugins/).*(\.php)$ {
  deny all;
  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

 

I just removed the .htaccess file, easier.

 

@Jimmy did you take a look at my config? Let me know if there are any changes you recommend, I think you said you were going to try and update your gist this weekend, be curious if there's anything I can improve or that is missing.

Thanks guys!

 

Thanks @Jimmy , btw what forums do you run, care to share?

 

Sort of like Fight Club, I get it!