Want to subscribe to topics you're interested in?
Become a Member

IP.Board IPB v4.1.x Files

Discussion in 'Forum software usage' started by Jimmy, Nov 9, 2015.

  1. Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    9:45 AM
    1.9.9
    10.1.10
    Same but as I said you'd need to test it as I haven't yet.

     
  2. Jimmy

    Jimmy Well-Known Member

    1,778
    388
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +987
    Local Time:
    3:45 AM
    I won't be able to test everything will all the apps until I upgrade my forum, which I haven't yet. My local testing site only has forum, pages, and blog. If I switch the license to a new domain... well let's just say it's a mess right now. My other license has all the apps which I'm going to be switching too once I change the domain of my forum.

    Question: Now that I'm adding all these extra specific location blocks, is there an order which I need to put everything in... does it matter?
    Code:
        
    # IP.Board PHP/CGI Protection
       
        location ~^(/uploads/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/system/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/datastore/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/plugins/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/blog/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/calendar/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/chat/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/cms/).*(\.php)$ {
            deny     all;
        } 
       
        # Allow access to interface for Nexus
        location ~^(/applications/*/interface/).*(\.php)$ {
            allow all;
        }
       
        # Allow access to imageproxy
        location ^~ /applications/core/interface/imageproxy/imageproxy.php {
            include /usr/local/nginx/conf/php.conf;
            allow  all;
        }
    
        # Allow access to JS file
        location ^~ /applications/core/interface/js/js.php {
            include /usr/local/nginx/conf/php.conf;
            allow  all;
        }
    
        location ~^(/applications/core/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/downloads/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/forums/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/gallery/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/nexus/).*(\.php)$ {
            deny     all;
        }   
    
     
  3. Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    9:45 AM
    1.9.9
    10.1.10
    This is not for nexus but for ALL applications.
    About order: How nginx processes a request
     
  4. eva2000

    eva2000 Administrator Staff Member

    53,278
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    5:45 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    i'd place these 3 above all the rest of deny location context listings
    Code:
        # Allow access to interface for Nexus
        location ~^(/applications/*/interface/).*(\.php)$ {
            allow all;
        }
      
        # Allow access to imageproxy
        location ^~ /applications/core/interface/imageproxy/imageproxy.php {
            include /usr/local/nginx/conf/php.conf;
            allow  all;
        }
    
        # Allow access to JS file
        location ^~ /applications/core/interface/js/js.php {
            include /usr/local/nginx/conf/php.conf;
            allow  all;
        }
     
  5. eva2000

    eva2000 Administrator Staff Member

    53,278
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    5:45 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    yup
     
  6. Jimmy

    Jimmy Well-Known Member

    1,778
    388
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +987
    Local Time:
    3:45 AM
    Thanks! I'll update the conf and add it to the OP. @Ahmad if you find any more issues or additions, let me know and I'll modify the file / OP.
     
  7. eva2000

    eva2000 Administrator Staff Member

    53,278
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    5:45 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    FYI, for ease of tracking you can also setup a gist file at Create a new Gist · GitHub with the config and just link 1st post in this thread to gist file so each update goes to gist with revision history :)
     
    Last edited: Dec 28, 2015
  8. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    8:45 AM
    1.25.3
    10.6.x
     
  9. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    8:45 AM
    1.25.3
    10.6.x
    Be nice if @Jimmy puts the NginX cons on Git hub for tracking and updates
     
  10. Jimmy

    Jimmy Well-Known Member

    1,778
    388
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +987
    Local Time:
    3:45 AM
    I'll be putting on github at some point. I haven't upgraded my forum yet or starting using Centminmod on my production server. Should be around the end of this month. In the meantime, everything is in this thread. :)
     
  11. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    8:45 AM
    1.25.3
    10.6.x
    Thanks - github will be cool

    I have slightly modified your conf file for my use to try - as i use the ssl code from here

    Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd

    Full instructions here

    Strong SSL Security on nginx - Raymii.org

    I use it on Apache servers (just the above) and one single nginx server (not mine) and it works very well for an A+ ssl server labs test result

    Anyway here is your conf but modified (as i want to try this on a test server) and ill also try your code as will with your ssl block

    Code:
    
    # IPB4 Working NGINX site conf file
    # This file is for a FORCED SSL site.  Non-SSL requests will be directed to SSL.
    
    # Information gathered from
    # Centminmod.com / Information pulled from multiple guides.  Thx eva2000!
    # Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.
    # Ahmad on the Centminmod forum.
    # Base building forum thread:  https://community.centminmod.com/threads/ipb-v4-1-x-files.4922/
    
    # Redirect to HTTPS from port 80
    # Redirect from www to non-www with forced SSL
    server {
        listen  80;
        server_name 10.0.0.121;
        return 301 https://10.0.0.121$request_uri;
       
        # Access and Error Logs
        access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
        error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
    }
    
    server {
        listen 443 ssl http2;
        server_name  10.0.0.121;
        root /home/nginx/domains/10.0.0.121/public;
       
        ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
        ssl_certificate      /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
        ssl_certificate_key  /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
        include /usr/local/nginx/conf/ssl_include.conf;
       
        # Mozilla Recommended
        ssl_buffer_size 1400;
    
        # Added from https://cipherli.st Tutorial here https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        # Thanks and Credit to Remy van Elst
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off; # Requires nginx >= 1.5.9
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx => 1.3.7
        resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
        resolver_timeout 5s;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
    
        # ngx_pagespeed & ngx_pagespeed handler
        # include /usr/local/nginx/conf/pagespeed.conf;
        # include /usr/local/nginx/conf/pagespeedhandler.conf;
        # include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
        # Limit Connections Per IP Address
        # Modified from default to allow Admin directory to have more connections
        # Modified in nginx.conf
        # limit_conn_zone $limitconn_map zone=limit_per_ip:16m;
       
        # ssi  on;
    
        # Access and Error Logs
        access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
        error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;
    
        # Prevent access to ./directories and files
        location ~ (?:^|/)\. {
            deny all;
        }
    
        location / {
    
            # block common exploits, sql injections etc
            include /usr/local/nginx/conf/block.conf;
    
            # Enables directory listings when index file not found
            # autoindex  on;
    
            # Shows file listing times as local time
            autoindex_localtime on;
    
            try_files    $uri $uri/ /index.php;
    
        }
       
        location ~^(/page/).*(\.php)$ {
            try_files  $uri $uri/ /index.php;
        }
       
        # Mask fake admin directory
        location ~^/admin/(.*)$ {
            deny all;
        }
       
        # Secure real admin directory
        location ~^(/spanky/).*(\.php) {
            include /usr/local/nginx/conf/php.conf;
            allow           10.0.0.245;
            deny            all;
            #auth_basic     "Restricted Area";
            #auth_basic_user_file /usr/local/nginx/conf/htpasswd;      
        }
       
        # IP.Board PHP/CGI Protection
       
        # Allow access
        location ~^(/applications/*/interface/).*(\.php)$ {
            allow all;
        }
       
        # Allow access to imageproxy
        location ^~ /applications/core/interface/imageproxy/imageproxy.php {
            include /usr/local/nginx/conf/php.conf;
            allow  all;
        }
    
        # Allow access to JS file
        location ^~ /applications/core/interface/js/js.php {
            include /usr/local/nginx/conf/php.conf;
            allow  all;
        }
       
        location ~^(/uploads/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/system/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/datastore/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/plugins/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/blog/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/calendar/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/chat/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/cms/).*(\.php)$ {
            deny     all;
        }  
    
        location ~^(/applications/core/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/downloads/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/forums/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/gallery/).*(\.php)$ {
            deny     all;
        }
       
        location ~^(/applications/nexus/).*(\.php)$ {
            deny     all;
        }  
    
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
        include /usr/local/nginx/conf/vts_server.conf;
    }
    
    I haven't tried it yet as only just got the vps provisioned and centminmod installed and then will have a play

    I too think NginX is the way forward for a VPS running IPB4.x and am looking forward to learning about Nginx

    Also love the ease of centminmod - Thanks Eva2000
     
  12. Jimmy

    Jimmy Well-Known Member

    1,778
    388
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +987
    Local Time:
    3:45 AM
    The SSL, from my conf, is the base configuration from Centminmod. @eva2000 should probably look over those additions and see if those changes are advisable. If they are, maybe add it to the stock SSL setup.

    Good luck getting everything thing up and running! :)
     
  13. eva2000

    eva2000 Administrator Staff Member

    53,278
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    5:45 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    that comes from enabling HSTS
    Code:
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    which you have be careful doing

    as that forces all subsequent visitor connections to use HTTPS for main domain and all subdomains and browser caches this for defined max-age time, so if you want to switch back to non-HTTPS or have some sites on HTTPS and some on non-HTTPS you'd have to wait max-age time for visitors to be able to see your site again on non-HTTPS. You can clear browser caches for HSTS but you'd have to tell those visitors to do so, and how do you do that if they can't visit your site ? :)

    Only enable HSTS if 100% sure you want to stick with HTTPS. That is why default Nginx SSL config for Centmin Mod disables/comments out HSTS and lets end users decide if they want to enable it.
     
  14. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    8:45 AM
    1.25.3
    10.6.x
    Thanks Eva

    So the code i put in the nginx.conf above - is that the best place for it ?

    Where is HSTS, in the ssl conf ?

    Yes the site I'm planning on running nginx with ipb4 will be purely https and no other sites, purely ips4
     
  15. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    8:45 AM
    1.25.3
    10.6.x
    Just found it in

    /usr/local/nginx/conf/conf.d/yourdomain.com.ssl.conf

    Looks like ill remove some of the above i added to nginx.conf and uncomment it out of

    yourdomain.com.ssl.conf
     
  16. eva2000

    eva2000 Administrator Staff Member

    53,278
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    5:45 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  17. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    8:45 AM
    1.25.3
    10.6.x
    Thanks Eva - Just had a read - this is looking really neat

    Some of the entries i had from the site linked above are not in the ssl domain config or the nginx config - is there anywhere else to look for these (to enable them perhaps) - before i add them and then later find they are elsewhere ?!
     
  18. eva2000

    eva2000 Administrator Staff Member

    53,278
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    5:45 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    not entirely sure what you mean, for the entries you want to add, just append and add them to domain.com.ssl.conf vhost config file after it's created
     
  19. cloud9

    cloud9 Premium Member Premium Member

    431
    117
    43
    Oct 6, 2015
    England
    Ratings:
    +217
    Local Time:
    8:45 AM
    1.25.3
    10.6.x
    I couldn't find this anywhere

    Code:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    Thanks and will do
     
  20. eva2000

    eva2000 Administrator Staff Member

    53,278
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    5:45 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    it's in include tile for domain.com.ssl.conf files
    Code:
      include /usr/local/nginx/conf/ssl_include.conf;
    so it's included in all nginx vhosts ssl auto generated

    you can use vhost generator at Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS check ssl box to see an example too

    Code:
    server {
      listen 443 ssl http2;
      server_name domain.com www.domain.com;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/domain.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/domain.com/domain.com.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/domain.com/domain.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      #resolver 8.8.8.8 8.8.4.4 valid=10m;
      #resolver_timeout 10s;
      #ssl_stapling on;
      #ssl_stapling_verify on;
      #ssl_trusted_certificate /usr/local/nginx/conf/ssl/domain.com/domain.com-trusted.crt;