IP.Board IPB v4.1.x Files

Discussion in 'Forum software usage' started by Jimmy, Nov 9, 2015.

  1. Ahmad

    Yup, he has to adapt the rules to account for the subdir, which I have done, and no problems at all except for this one, but with the rule I wrote it works just fine.

     
  2. Jimmy

    I guess my biggest question is whether the correct way to write the rule is

    Code:
    ^~ /
    or

    If the first way is the correct way then I want to change the rest of the rules in the vhost file. I want this vhost to work for everyone. :)
     
  3. Ahmad

    Code:
    server {
      listen 443 ssl http2;
      server_name domain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate  /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
      include /usr/local/nginx/conf/ssl-include.conf;
      # Mozilla Recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers  on;
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/ssl-trusted.crt;
    
      # ngx_pagespeed & ngx_pagespeed handler
      # include /usr/local/nginx/conf/pagespeed.conf;
      # include /usr/local/nginx/conf/pagespeedhandler.conf;
      # include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # Limit Connections Per IP Address
      #limit_conn limit_per_ip 16;
      # ssi on
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      root /home/nginx/domains/domain.com/public;
    
      # prevent access to ./directories and files
      location ~ (?:^|/)\. {
          deny all;
      } 
    
      location / {
    
          # block common exploits, sql injections etc
          include /usr/local/nginx/conf/block.conf;
    
          try_files     $uri $uri/ /index.php;
      }
    
      location ~^(/page/).*(\.php)$ {
          try_files  $uri $uri/ /index.php;
      }
      # Mask fake admin directory
      location ~^/forum/admin/(.*)$ {
          deny all;
      }
      # IP.Board PHP/CGI Protection
    
      location ~^(/forum/uploads/).*(\.php)$ {
          deny  all;
      }
      location ~^(/forum/system/).*(\.php)$ {
          deny  all;
      }
      location ~^(/forum/datastore/).*(\.php)$ {
          deny  all;
      }
      location ~^(/forum/plugins/).*(\.php)$ {
          deny  all;
      }
      location ~^(/forum/applications/cms/).*(\.php)$ {
          deny  all;
      }
    
      location ~^(/forum/applications/core/).*(\.php)$ {
          deny  all;
      }
    
      location ~^(/forum/applications/forums/).*(\.php)$ {
          deny  all;
      }
      location ~^(/forum/applications/nexus/).*(\.php)$ {
          deny  all;
      }
    
      # Allow access to imageproxy
      # ^~ prefix locations take precedence over the regex (~) locations
      # above, so these two scripts still reach PHP even though the
      # /forum/applications/core/ deny regex would otherwise match them
      location ^~ /forum/applications/core/interface/imageproxy/imageproxy.php {
          include /usr/local/nginx/conf/php.conf;
          allow  all;
      }
    
      # Allow access to JS file
      location ^~ /forum/applications/core/interface/js/js.php {
          include /usr/local/nginx/conf/php.conf;
          allow  all;
      }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    This is how my config looks. The forum is installed in the forum subdir; one extra thing to note is that I have IP.Pages installed at the root. You cannot make one config file for everyone, unfortunately. They will need to adapt a few things.
     
  4. Jimmy

    Yea, I guess everyone is going to have their own setup. I'll modify the OP to reflect your changes / additions.
     
  5. Jimmy

    I'm trying to figure out what cloudflare setting I should put in what file? I'm reading this page Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS

    Do I put this information in both the nginx.conf and the newdomain.com.conf file(s)?
    Code:
    # Cloudflare
    # each directive needs a terminating semicolon or nginx -t fails
    # IPv4
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 199.27.128.0/21;
    # IPv6
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    real_ip_header CF-Connecting-IP;
    Where do I put this?
    Code:
    set_real_ip_from yourreverseproxyip;
    real_ip_header X-Forwarded-For;
    Looking at your "For Cloudflare:" examples, one contains the ips and the other contains the 2 lines of code above. I'm confused.

    UPDATE

    I think I read the use of the two line one above wrong - I'm not using a load balancer so I just need to know if I need to add the Cloudflare to both the nginx.conf and the domainname.com.conf files?

    UPDATE 2

    After reading it a second time, it looks like I'm supposed to put the ips in both files.

    Thanks!
     
    Last edited: Dec 4, 2015
  6. eva2000

    Really only the domain's nginx vhost file's server {} context; but if you have ALL other sites on the server hosted and protected by Cloudflare, then nginx.conf is easier.

    Also updated the article at centminmod.com/nginx_configure_cloudflare.html with the latest IPv4 and IPv6 addresses and a note to emphasize checking the maintained IP list to make adjustments.
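The question above is really about what the realip module does with a trusted-proxy list. The Python below is an added example written for this page, not nginx code and not part of Centmin Mod: it models ngx_http_realip_module's decision using the Cloudflare ranges exactly as posted (treat them as a snapshot; the published list changes) and shows why the set_real_ip_from list matters. A request that arrives from a Cloudflare address has its CF-Connecting-IP honoured; a client that reaches the origin directly and sends the same header is ignored, so it cannot forge the IP that ends up in access.log or in the application's user-IP fields. The comma-separated X-Forwarded-For handling models the two-line load-balancer snippet, with and without real_ip_recursive. All client addresses in the sample calls are constructed from documentation (TEST-NET) ranges.

```python
import ipaddress
from typing import Dict, Iterable

# Cloudflare ranges exactly as listed in the post above. This is a snapshot:
# the authoritative list is the one Cloudflare publishes, and it changes.
CLOUDFLARE_RANGES = [
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13",
    "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "199.27.128.0/21",
    "2400:cb00::/32", "2405:8100::/32", "2405:b500::/32", "2606:4700::/32",
    "2803:f800::/32",
]


def is_trusted_proxy(addr: str, ranges: Iterable[str]) -> bool:
    """True when addr falls inside one of the set_real_ip_from networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def real_client_ip(remote_addr: str, headers: Dict[str, str],
                   trusted_ranges: Iterable[str],
                   header: str = "CF-Connecting-IP",
                   recursive: bool = False) -> str:
    """Model (not the nginx source) of how ngx_http_realip_module picks the
    address that ends up in $remote_addr and therefore in access.log:

    * the header is only honoured when the TCP peer is inside a
      set_real_ip_from range; any other peer keeps its real address, so a
      client that connects to the origin directly cannot spoof its logged IP;
    * a single-address header (CF-Connecting-IP) is taken as-is;
    * a comma-separated X-Forwarded-For chain is read right to left:
      real_ip_recursive off takes the last address, real_ip_recursive on
      skips trusted hops and stops at the first untrusted one (if every hop
      is trusted, the leftmost address is used);
    * a value that is not an IP address leaves remote_addr unchanged.
    """
    if not is_trusted_proxy(remote_addr, trusted_ranges):
        return remote_addr

    # header names are case-insensitive
    raw = next((v for k, v in headers.items() if k.lower() == header.lower()), None)
    if raw is None:
        return remote_addr
    chain = [p.strip() for p in raw.split(",") if p.strip()]
    if not chain:
        return remote_addr

    result = remote_addr
    for hop in reversed(chain):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        result = hop
        if not recursive or not is_trusted_proxy(hop, trusted_ranges):
            break
    return result


if __name__ == "__main__":
    # Constructed requests: the first comes through Cloudflare, the second
    # bypasses it and tries to forge the header.
    print(real_client_ip("173.245.48.10", {"CF-Connecting-IP": "203.0.113.5"}, CLOUDFLARE_RANGES))
    print(real_client_ip("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}, CLOUDFLARE_RANGES))
```

The second call is the reason the trusted list must stay current and must not be widened to 0.0.0.0/0: once any peer is trusted, whoever can reach the origin directly chooses the IP that gets logged and rate-limited.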
     
  7. Jimmy

    So, if every site is using Cloudflare I could just put it in the nginx.conf and omit it from the domain specific vhost files?
     
  8. rdan

    If you want to preserve visitors' IPs, I recommend you do it on the PHP side / CMS option / config.php,
    and remove all that overhead from Nginx :).
     
  9. Jimmy

    Sounds like a plan, now I just have to figure out how to do that. Is that something to add to the php conf files or a CMS/software specific file?
     
  10. eva2000

    nginx has less overhead than via PHP ;)
    Yes, technically that should do it. You can verify by checking your nginx sites' respective access_logs to see what IP is logged, and if your web apps have user IP logging, verify there as well.

    Also, you can use include files in nginx so you only need one file to include and change across all nginx vhosts:

    Code:
    include /usr/local/nginx/conf/csfips.conf;
    then add the settings to /usr/local/nginx/conf/csfips.conf
     
  13. Ahmad

    Just a heads up. Be careful when using
    Code:
        location ~^(/applications/blog/).*(\.php)$ {
            deny     all;
        }
    
        location ~^(/applications/calendar/).*(\.php)$ {
            deny     all;
        }
    
        location ~^(/applications/chat/).*(\.php)$ {
            deny     all;
        }
    
        location ~^(/applications/cms/).*(\.php)$ {
            deny     all;
        }
    
        location ~^(/applications/core/).*(\.php)$ {
            deny     all;
        }
    
        location ~^(/applications/downloads/).*(\.php)$ {
            deny     all;
        }
    
        location ~^(/applications/forums/).*(\.php)$ {
            deny     all;
        }
    
        location ~^(/applications/gallery/).*(\.php)$ {
            deny     all;
        }
    
        location ~^(/applications/nexus/).*(\.php)$ {
            deny     all;
        }
    
    It seems like more files than only imageproxy and the JS file need to be accessible directly.
    E.g. for nexus, the billing APIs need to be accessible.
    It seems like only files that are in the interface folder(s) need to be directly accessible, so something like
    Code:
    # must be placed above the per-application deny regexes: nginx uses the
    # first matching regex location. [^/]+ matches one application directory
    # name; a bare * after the slash only matches extra slashes and would
    # never match /applications/nexus/interface/...
    location ~^(/applications/[^/]+/interface/).*(\.php)$ {
      # without the PHP handler the .php source would be served as a plain file
      include /usr/local/nginx/conf/php.conf;
      allow all;
    }
    
    should work fine, I have not tested it however.
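Both the full vhost earlier in the thread and the interface regex proposed here depend on nginx's location precedence, which is easy to get wrong. The Python below is an added example written for this page (not nginx code, not Centmin Mod's, not the poster's): a small emulator of nginx's location selection, run over a subset of the posted locations and over constructed URIs. It shows three things: the `^~` imageproxy/js locations win over the `/forum/applications/core/` deny regex regardless of their position in the file; the `/applications/*/interface/` regex as originally written never matches an application name; and even the corrected regex only works when it is listed before the deny regexes, because the first matching regex location wins. The `\.php$` regex standing in for php.conf's handler is an assumption (the real include is more elaborate), and the emulator ignores URI normalisation that nginx performs before matching.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Location:
    modifier: str   # '' (prefix), '=', '^~', '~' or '~*'
    pattern: str
    action: str     # label for what the block would do: 'deny', 'php', 'try_files'


def resolve(uri: str, locations: List[Location]) -> Optional[Location]:
    """Simplified model of nginx location selection:
    1. an exact ('=') match wins immediately;
    2. the longest matching prefix is remembered; if it was declared with
       '^~', regex locations are not consulted at all;
    3. otherwise regex locations are tried in file order, first match wins;
    4. if no regex matches, the remembered prefix location is used.
    (nginx normalises the URI before matching; that step is not modelled.)
    """
    best: Optional[Location] = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    return best


def action_for(uri: str, locations: List[Location]) -> str:
    loc = resolve(uri, locations)
    return loc.action if loc else "none"


# Subset of the vhost posted earlier (IPS installed in /forum). The final
# regex stands in for php.conf's PHP handler (assumption).
FORUM_SUBDIR = [
    Location("~", r"(?:^|/)\.", "deny"),
    Location("", "/", "try_files"),
    Location("~", r"^/forum/admin/(.*)$", "deny"),
    Location("~", r"^(/forum/uploads/).*(\.php)$", "deny"),
    Location("~", r"^(/forum/system/).*(\.php)$", "deny"),
    Location("~", r"^(/forum/applications/core/).*(\.php)$", "deny"),
    Location("~", r"^(/forum/applications/nexus/).*(\.php)$", "deny"),
    Location("^~", "/forum/applications/core/interface/imageproxy/imageproxy.php", "php"),
    Location("^~", "/forum/applications/core/interface/js/js.php", "php"),
    Location("~", r"\.php$", "php"),
]

# Root install with the per-application deny regexes from this post.
# BROKEN_ALLOW is the regex as proposed: '/*' means zero or more slashes,
# so it can never match an application directory name.
BROKEN_ALLOW = r"^(/applications/*/interface/).*(\.php)$"
FIXED_ALLOW = r"^/applications/[^/]+/interface/.*\.php$"


def root_install(allow_pattern: str, allow_first: bool) -> List[Location]:
    allow = Location("~", allow_pattern, "php")
    denies = [Location("~", r"^(/applications/%s/).*(\.php)$" % app, "deny")
              for app in ("core", "forums", "nexus")]
    order = [allow] + denies if allow_first else denies + [allow]
    return [Location("", "/", "try_files")] + order + [Location("~", r"\.php$", "php")]


if __name__ == "__main__":
    # constructed URIs; the file names are illustrative, not real IPS paths
    for uri in ("/forum/applications/core/interface/imageproxy/imageproxy.php",
                "/forum/applications/core/interface/other.php",
                "/forum/uploads/evil.php", "/forum/index.php"):
        print(uri, "->", action_for(uri, FORUM_SUBDIR))
    uri = "/applications/nexus/interface/example.php"
    print("broken regex, allow first :", action_for(uri, root_install(BROKEN_ALLOW, True)))
    print("fixed regex, allow first  :", action_for(uri, root_install(FIXED_ALLOW, True)))
    print("fixed regex, allow last   :", action_for(uri, root_install(FIXED_ALLOW, False)))
```

The last three lines are the practical check for the advice that follows in the thread: a regex allow only works when it is positioned above the regex denies, whereas a `^~` prefix allow works wherever it sits in the server block.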
     
  14. Jimmy

    You think I should remove those? If I do, you see any security issues?
     
  15. Ahmad

    Either remove them or try adding the location I mentioned above.
    Security issue? I don't think so, as IPS already checks in the files whether they are being accessed directly and does not execute the script if it is not permitted.
     
  16. Jimmy

    Sounds good. I'll remove the ones you have listed above and include the location block you included.
     
  17. eva2000

    I believe he doesn't say to remove the ones listed, but to add the extra allow location to those (positioned above those listed).
     
  18. Ahmad

    Yep either add the location I mentioned OR remove the ones listed.
     
  19. Jimmy

    Which way do you think is better?
     
  20. eva2000

    I'd add the location and keep the existing location context restrictions to lock things down.