Want more timely Centmin Mod News Updates?
Become a Member

IP.Board IPB v4.1.x Files

Discussion in 'Forum software usage' started by Jimmy, Nov 9, 2015.

  1. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    I'm trying to get everything working for IPB 4.1.x here is what I have so far for the mydomain.conf
    Since I forgot to install the HTTPS stuff when I set everything up on my local, I had to block out that code in the file for now. My forum (and all forums that I run) are full HTTPS.

    The URL Rewrites work using the code below.

    If anyone wants to add anything, please speak up, I'd really love to get IPB 4.1.x working and useable with NGINX and CENTMIN. :)

    I took the code from a bunch of different sources, so credit goes to those authors.

    Cross Posted on IPB forum
    https://community.invisionpower.com/topic/422775-ips4-on-centmin-mod-vhost-creation/

    UPDATES / ADDITIONS / CURRENT VERSION
    Invision Power Board v4 Nginx configuration file for use with Centminmod. ยท GitHub
     
    Last edited: Feb 15, 2016
    • Informative Informative x 1
    • Useful Useful x 1
  2. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    I am having an issue with

    Code:
    limit_conn limit_per_ip 16;
    When I have that un-commented NGINX won't start. Of course, I'm so tired right now, it could be something stupid! LOL!

    I have two books I read three years ago about NGINX. After reading those and now actually using NGINX - it's fun and quite a pleasure. Added, my test site is blazzzzing silly fast. Everything loaded in about 500ms. My 3.4.8 site on an Apache dedicated server is 2000ms. Nice bump in the right direction.
     
  3. eva2000

    eva2000 Administrator Staff Member

    30,168
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,137
    Local Time:
    5:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    in /usr/local/nginx/conf/nginx.conf (called via nano shortcut = nginxconf) at bottom find

    Code:
    # use limit_conn_zone for Nginx >v1.1.8 and higher
    # limit_conn_zone $binary_remote_addr zone=limit_per_ip:16m;
    uncomment 2nd line
    Code:
    # use limit_conn_zone for Nginx >v1.1.8 and higher
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:16m;
    restart nginx

    :cool::D(y)
     
    • Like Like x 1
  4. eva2000

    eva2000 Administrator Staff Member

    30,168
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,137
    Local Time:
    5:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    • Like Like x 1
  5. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    I'll take a look at that and try to do more testing tomorrow. I need sleep! :sleep:
     
    • Like Like x 1
  6. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    Updated vhost file for Centmin Mod. I just tested this on an upgraded site 3.4.8 to 4.1.3.2. Everything appears to be working. If anyone has any modifications they feel I should make, please let me know.

    The version below is an ALL SSL version. If someone needs a non-SSL version, let me know and I can modify the one below.

    Code:
    # IPB4 Working NGINX site conf file
    # This file is for a FORCED SSL site.  Non-SSL requests will be directed to SSL.
    
    # Information gathered from
    # Centminmod.com / Information pulled from multiple guides.  Thx eva2000!
    # Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.
    
    # Redirect to HTTPS from port 80
    # Redirect from www to non-www with forced SSL
    server {
        listen  80;
        server_name 10.0.0.121;
        return 301 https://10.0.0.121$request_uri;
       
        # Access and Error Logs
        access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
        error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
    }
    
    server {
        listen 443 ssl http2;
        server_name  10.0.0.121;
        root /home/nginx/domains/10.0.0.121/public;
       
        ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
        ssl_certificate      /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
        ssl_certificate_key  /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
        include /usr/local/nginx/conf/ssl_include.conf;
       
        # Mozilla Recommended
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
        ssl_prefer_server_ciphers   on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        add_header  X-Content-Type-Options "nosniff";
        add_header X-Frame-Options DENY;
        ssl_buffer_size 1400;
        ssl_session_tickets on;
    
        # ngx_pagespeed & ngx_pagespeed handler
        # include /usr/local/nginx/conf/pagespeed.conf;
        # include /usr/local/nginx/conf/pagespeedhandler.conf;
        # include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
        # Limit Connections Per IP Address
        # limit_conn limit_per_ip 16;
       
        # ssi  on;
    
        # Access and Error Logs
        access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
        error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;
    
        # Prevent access to ./directories and files
        location ~ (?:^|/)\. {
            deny all;
        }
    
        location / {
    
            # block common exploits, sql injections etc
            include /usr/local/nginx/conf/block.conf;
    
            # Enables directory listings when index file not found
            # autoindex  on;
    
            # Shows file listing times as local time
            autoindex_localtime on;
    
            try_files    $uri $uri/ /index.php;
    
        }
       
        location ~^(/page/).*(\.php)$ {
            try_files  $uri $uri/ /index.php;
        }
       
        # Mask fake admin directory
        location ~^/admin/(.*)$ {
            deny all;
        }
       
        # Secure real admin directory
        location ~^(/spanky/).*(\.php) {
            include /usr/local/nginx/conf/php.conf;
            allow           10.0.0.245;
            deny            all;
            #auth_basic     "Restricted Area";
            #auth_basic_user_file /usr/local/nginx/conf/htpasswd;      
        }
       
        # IP.Board PHP/CGI Protection
       
        location ~^(/uploads/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/system/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/datastore/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/plugins/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/blog/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/calendar/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/chat/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/cms/).*(\.php)$ {
            deny     all;
        } 
       
        # Allow access to JS file
        location ~^/(applications/core/interface/js/js.php) {
            include /usr/local/nginx/conf/php.conf;
            allow     all;
        }
    
        location ~^(/applications/core/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/downloads/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/forums/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/gallery/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/nexus/).*(\.php)$ {
            deny     all;
        }  
    
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
        include /usr/local/nginx/conf/vts_server.conf;
    }
    
     
    Last edited: Nov 17, 2015
    • Informative Informative x 1
  7. eva2000

    eva2000 Administrator Staff Member

    30,168
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,137
    Local Time:
    5:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    looking good with exception of
    Code:
        location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|xml|htm|txt|swf|cur)$ {
            access_log off;
            expires    1w;
        }
    the include file at /usr/local/nginx/conf/staticfiles.conf has it covered for 30 days
     
    • Like Like x 1
  8. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    Thanks! Made the update.
     
    • Like Like x 1
  9. Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    9:28 PM
    1.9.9
    10.1.10
    One thing worth noting when using IPS 4.x and
    is that it will block you when installing plugins/apps/themes, upgrading or manually running background tasks (basically everything that shows that blue ajax load bar).
    That is due to how it works behind the scenes, it fires off multiple HTTP requests to makes things faster and if they are more than 16 (or whatever is defined in the config file) you will get blocked.
     
    • Agree Agree x 1
    • Informative Informative x 1
  10. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    Good to know. I was going to set that up and use it. Now I'm not going too. Thanks!
     
  11. eva2000

    eva2000 Administrator Staff Member

    30,168
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,137
    Local Time:
    5:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    thanks @Ahmad for the info.. you could probably have a separate and higher limit for specific directory or files if you want

    Code:
        location ~^/directory/(.*)$ {
            limit_conn limit_per_ip 80;
        }
    
    or something
     
  12. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    @eva2000 would it be a bad thing NOT to use this? Should I have limit_conn limit_per_ip set to something.
     
  13. eva2000

    eva2000 Administrator Staff Member

    30,168
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,137
    Local Time:
    5:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    oh it's optional and useful if you need to keep a handle on resource usage but can be left out
     
    • Informative Informative x 1
  14. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    Would it be good to use this if the site was subjected to a lot of DDoS attacks?
     
  15. eva2000

    eva2000 Administrator Staff Member

    30,168
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,137
    Local Time:
    5:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    Yeah for layer 7 app level attacks
     
    • Informative Informative x 1
  16. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    How could I prohibit it in the admin directory but allow it to function everywhere else? Can I use conditions in the conf file?
     
  17. eva2000

    eva2000 Administrator Staff Member

    30,168
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,137
    Local Time:
    5:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    if admin at
    Code:
        # Secure real admin directory
        location ~^(/spanky/).*(\.php) {
            limit_conn limit_per_ip 80;
            include /usr/local/nginx/conf/php.conf;
            allow           10.0.0.245;
            deny            all;
            #auth_basic     "Restricted Area";
            #auth_basic_user_file /usr/local/nginx/conf/htpasswd;    
        }
    but if functions are located elsewhere not sure - you probably need to define specific location context matches with the limit_conn parameter and if php file with php.conf include file

    maybe @Ahmad would know
     
  18. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    Sorry if my wording was bad. I don't want to limit the connections in the Admin (spanky). That's the directory where there would need to be no limit.
    Everywhere on site = limit
    Admin Directory = No limit
     
  19. eva2000

    eva2000 Administrator Staff Member

    30,168
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,137
    Local Time:
    5:28 AM
    Nginx 1.13.x
    MariaDB 5.5
    why not just set admin directory to a very high limit like 100 connections

    you could use nginx mapping see Module ngx_http_map_module

    Add under http { in nginx.conf so default limit_conn_zone $limitconn_map variable is mapped to $uri so all urls default to $binary_remote_addr for connection limiting but dir1, dir2, dir3, dir4 are excluded so what uri matches those it's empty
    Code:
    map $uri $limitconn_map {
        default $binary_remote_addr;
        ~^/(dir1|dir2|dir3)/ '';
        ~^/dir4/ '';
    }
    
    change nginx.conf entry

    from
    Code:
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:16m;
    
    to
    Code:
    limit_conn_zone $limitconn_map zone=limit_per_ip:16m;
    
    Rest is up to you as Centmin Mod is provided as is :)

    oh and mapping is global server wide so if you have more than one nginx vhost referering the same limit_conn_zone zone name = limit_per_ip the location directory matches apply to all nginx vhosts and all their web apps.
     
    Last edited: Nov 18, 2015
    • Informative Informative x 2
  20. Jimmy

    Jimmy Premium Member Premium Member

    1,114
    247
    63
    Oct 24, 2015
    East Coast USA
    Ratings:
    +596
    Local Time:
    3:28 PM
    1.13.x
    MariaDB 10.1.x
    Thanks for the info @eva2000 you've been very helpful! :)
     
    • Like Like x 1