Welcome to Centmin Mod Community
Become a Member

IP.Board IPB v4.1.x Files

Discussion in 'Forum software usage' started by Jimmy, Nov 9, 2015.

  1. cloud9

    cloud9 Premium Member Premium Member

    147
    55
    28
    Oct 6, 2015
    England
    Ratings:
    +78
    Local Time:
    3:09 PM
    1.19.x
    10.4.x
    Thankyou, done quite a lot of reading now, more to do me thinks.

    I think Centminmod is rather good, fantastic !

     
  2. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
    @cloud9 yea, I took about a week or two and read everything 3 times. @eva2000 did a great job... I'm a big fan!
     
  3. eva2000

    eva2000 Administrator Staff Member

    47,474
    10,760
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,718
    Local Time:
    1:09 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    @cloud9 @Jimmy it's awesome to see users grow and get accustomed to using Centmin Mod LEMP stack for their needs :D
     
  4. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
  5. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
  6. Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    4:09 PM
    1.9.9
    10.1.10
    You are probably better of by removing this line and adding:
    Code:
    location ~^(/applications/*/interface/).*(\.php)$ {
      allow all;
    }
    instead as outlined in: https://community.centminmod.com/posts/22535/

    Basically all files that need to be accessed directly are in the apps interface folder.
     
  7. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
    Last edited: Feb 17, 2016
  8. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
    @Ahmad do you think it would be better to have

    Code:
    location ~^(/applications/*/).*(\.php)$ {
         deny     all;
    }   
    instead of each folder in the applications folder?
     
  9. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
    Just got a chance to try it out. Using this code gives me an error. IPB isn't able to see the css.php file because all the css is gone from my site. Added the individual lines back, displays the site correctly.
     
  10. Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    4:09 PM
    1.9.9
    10.1.10
    Seems like it matches the deny as it's more specific?
    Anyways, instead of writing an location block for each app you can group them like this:
    Code:
    location ~^(/forum/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus)/interface/).*(\.php)$ {
      allow all;
      include /usr/local/nginx/conf/php.conf;
    }
    
    location ~^(/forum/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus)/).*(\.php)$ {
      deny all;
    }
     
  11. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
  12. Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    4:09 PM
    1.9.9
    10.1.10
    The only directories that need to be disallowed are ./datestore, ./uploads and plugins.
    I don't know of any file that needs to be directly accessed in the ./system folder aswell but there might be.
    Most files have this little code in the beginning
    Code:
    /* To prevent PHP errors (extending class does not exist) revealing path */
    if ( !defined( '\IPS\SUITE_UNIQUE_KEY' ) )
    {
        header( ( isset( $_SERVER['SERVER_PROTOCOL'] ) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0' ) . ' 403 Forbidden' );
        exit;
    }
    To prevent php errors from displaying full path so it is not really necessary to lock down the applications folder but you can do it.
    However if someone, somehow manages to upload a php to an applications folder then you'd probably want this file to not be executable directly.
    The more it's locked down, the more security you have ;)
     
  13. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
    I hear you there, more security is always better.

    With all the application mods out there, IMO it's only a matter of time that the security of the IPS is compromised by a bad developer.

    Still trying to figure out the code to allow the core/interface folder. The one you posted earlier isn't working. Any ideas?
     
  14. Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    4:09 PM
    1.9.9
    10.1.10
  15. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
    The only issue I see is if there is a developer application, those rules won't cover those applications.
     
  16. Ahmad

    Ahmad Active Member

    209
    80
    28
    Apr 13, 2015
    Ratings:
    +150
    Local Time:
    4:09 PM
    1.9.9
    10.1.10
    Yup, you'd need to add them manually.
    For some reasons the wildcard way doesn't work. I've alot of work to do so no time to figure this out atm. :(
     
  17. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
    Yea, it's weird why the wildcard won't work. :mad:

    I'm still running 3.4.9 and currently working on my template for v4. I'll play around with it and see if I can get something to work. If you get it working at some point, let me know. :)
     
  18. tjk

    tjk Member

    76
    16
    8
    Jun 27, 2015
    Ratings:
    +27
    Local Time:
    10:09 AM
    @Jimmy good stuff, thanks for doing this!

    You still keeping this updated? Gist hasn't been touched since mid February, so just curious.
     
  19. cloud9

    cloud9 Premium Member Premium Member

    147
    55
    28
    Oct 6, 2015
    England
    Ratings:
    +78
    Local Time:
    3:09 PM
    1.19.x
    10.4.x
    @Jimmy Running this on the latest centminmod beta stack with IPB 4.1.13.3 - All good and works sweet, upgraded curl, added SSL cert and Running HSTS now.

    All working really well.
     
  20. Jimmy

    Jimmy Well-Known Member

    1,725
    367
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +937
    Local Time:
    10:09 AM
    1.17.x
    MariaDB 10.3.x
    Great to hear! Though, if you're running PHP7 you might have some issues until they fix the bug here: https://invisionpower.com/4bugtrack/active-reports/php-705-and-ips-4-r11711/

    Here is the issue starting with this post: https://invisionpower.com/forums/topic/424093-php-7-support/?do=findComment&comment=2641037

    If you run 5.6.22 there isn't an issue. I've delayed upgrading my live site from 3.4.9 until they have this particular bug fixed.