IP.Board IPB v4.1.x Files

I'm trying to get everything working for IPB 4.1.x here is what I have so far for the mydomain.conf
Since I forgot to install the HTTPS stuff when I set everything up on my local, I had to block out that code in the file for now. My forum (and all forums that I run) are full HTTPS.

The URL Rewrites work using the code below.

If anyone wants to add anything, please speak up, I'd really love to get IPB 4.1.x working and useable with NGINX and CENTMIN.

---

I took the code from a bunch of different sources, so credit goes to those authors.

Cross Posted on IPB forum
https://community.invisionpower.com/topic/422775-ips4-on-centmin-mod-vhost-creation/

UPDATES / ADDITIONS / CURRENT VERSION
Invision Power Board v4 Nginx configuration file for use with Centminmod. · GitHub

 

I am having an issue with

Code:

limit_conn limit_per_ip 16;

When I have that un-commented NGINX won't start. Of course, I'm so tired right now, it could be something stupid! LOL!

I have two books I read three years ago about NGINX. After reading those and now actually using NGINX - it's fun and quite a pleasure. Added, my test site is blazzzzing silly fast. Everything loaded in about 500ms. My 3.4.8 site on an Apache dedicated server is 2000ms. Nice bump in the right direction.

 

I'll take a look at that and try to do more testing tomorrow. I need sleep!

 

Updated vhost file for Centmin Mod. I just tested this on an upgraded site 3.4.8 to 4.1.3.2. Everything appears to be working. If anyone has any modifications they feel I should make, please let me know.

The version below is an ALL SSL version. If someone needs a non-SSL version, let me know and I can modify the one below.

Code:

# IPB4 Working NGINX site conf file
# This file is for a FORCED SSL site.  Non-SSL requests will be directed to SSL.

# Information gathered from
# Centminmod.com / Information pulled from multiple guides.  Thx eva2000!
# Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.

# Redirect to HTTPS from port 80
# Redirect from www to non-www with forced SSL
server {
    listen  80;
    server_name 10.0.0.121;
    return 301 https://10.0.0.121$request_uri;
   
    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
}

server {
    listen 443 ssl http2;
    server_name  10.0.0.121;
    root /home/nginx/domains/10.0.0.121/public;
   
    ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
    ssl_certificate      /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
    include /usr/local/nginx/conf/ssl_include.conf;
   
    # Mozilla Recommended
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers   on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header  X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;
    ssl_buffer_size 1400;
    ssl_session_tickets on;

    # ngx_pagespeed & ngx_pagespeed handler
    # include /usr/local/nginx/conf/pagespeed.conf;
    # include /usr/local/nginx/conf/pagespeedhandler.conf;
    # include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # Limit Connections Per IP Address
    # limit_conn limit_per_ip 16;
   
    # ssi  on;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;

    # Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {

        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;

        # Enables directory listings when index file not found
        # autoindex  on;

        # Shows file listing times as local time
        autoindex_localtime on;

        try_files    $uri $uri/ /index.php;

    }
   
    location ~^(/page/).*(\.php)$ {
        try_files  $uri $uri/ /index.php;
    }
   
    # Mask fake admin directory
    location ~^/admin/(.*)$ {
        deny all;
    }
   
    # Secure real admin directory
    location ~^(/spanky/).*(\.php) {
        include /usr/local/nginx/conf/php.conf;
        allow           10.0.0.245;
        deny            all;
        #auth_basic     "Restricted Area";
        #auth_basic_user_file /usr/local/nginx/conf/htpasswd;      
    }
   
    # IP.Board PHP/CGI Protection
   
    location ~^(/uploads/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/system/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/datastore/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/plugins/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/applications/blog/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/applications/calendar/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/applications/chat/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/applications/cms/).*(\.php)$ {
        deny     all;
    } 
   
    # Allow access to JS file
    location ~^/(applications/core/interface/js/js.php) {
        include /usr/local/nginx/conf/php.conf;
        allow     all;
    }

    location ~^(/applications/core/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/applications/downloads/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/applications/forums/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/applications/gallery/).*(\.php)$ {
        deny     all;
    }
   
    location ~^(/applications/nexus/).*(\.php)$ {
        deny     all;
    }  

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}

 

Thanks! Made the update.

 

Good to know. I was going to set that up and use it. Now I'm not going too. Thanks!

 

@eva2000 would it be a bad thing NOT to use this? Should I have limit_conn limit_per_ip set to something.

 

Would it be good to use this if the site was subjected to a lot of DDoS attacks?

 

How could I prohibit it in the admin directory but allow it to function everywhere else? Can I use conditions in the conf file?

 

Sorry if my wording was bad. I don't want to limit the connections in the Admin (spanky). That's the directory where there would need to be no limit.
Everywhere on site = limit
Admin Directory = No limit

 

Thanks for the info @eva2000 you've been very helpful!