
IP.Board IPB v4.1.x Files

Discussion in 'Forum software usage' started by Jimmy, Nov 9, 2015.

  1. cloud9

    Thank you, done quite a lot of reading now, more to do methinks.

    I think Centminmod is rather good, fantastic !

     
  2. Jimmy

    @cloud9 yea, I took about a week or two and read everything 3 times. @eva2000 did a great job... I'm a big fan!
     
  3. eva2000

    @cloud9 @Jimmy it's awesome to see users grow and get accustomed to using Centmin Mod LEMP stack for their needs :D
     
  4. Jimmy

  5. Jimmy

  6. Ahmad

    You are probably better off removing this line and adding:
    Code:
    location ~^(/applications/*/interface/).*(\.php)$ {
      allow all;
    }
    instead as outlined in: https://community.centminmod.com/posts/22535/

    Basically all files that need to be accessed directly are in the app's interface folder.
     
  7. Jimmy

    Last edited: Feb 17, 2016
  8. Jimmy

    @Ahmad do you think it would be better to have

    Code:
    location ~^(/applications/*/).*(\.php)$ {
         deny     all;
    }   
    instead of each folder in the applications folder?
     
  9. Jimmy

    Just got a chance to try it out. Using this code gives me an error. IPB isn't able to see the css.php file because all the css is gone from my site. Added the individual lines back, displays the site correctly.
     
  10. Ahmad

    Seems like it matches the deny as it's more specific?
    Anyways, instead of writing a location block for each app you can group them like this:
    Code:
    location ~^(/forum/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus)/interface/).*(\.php)$ {
      allow all;
      include /usr/local/nginx/conf/php.conf;
    }
    
    location ~^(/forum/applications/(blog|calendar|chat|cms|core|downloads|forums|gallery|nexus)/).*(\.php)$ {
      deny all;
    }
     
  11. Jimmy

  12. Ahmad

    The only directories that need to be disallowed are ./datastore, ./uploads and plugins.
    I don't know of any file that needs to be directly accessed in the ./system folder as well, but there might be.
    Most files have this little code in the beginning
    Code:
    /* To prevent PHP errors (extending class does not exist) revealing path */
    if ( !defined( '\IPS\SUITE_UNIQUE_KEY' ) )
    {
        header( ( isset( $_SERVER['SERVER_PROTOCOL'] ) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0' ) . ' 403 Forbidden' );
        exit;
    }
    to prevent PHP errors from displaying the full path, so it is not really necessary to lock down the applications folder, but you can do it.
    However, if someone somehow manages to upload a PHP file to an applications folder, then you'd probably want that file to not be directly executable.
    The more it's locked down, the more security you have ;)
     
  13. Jimmy

    I hear you there, more security is always better.

    With all the application mods out there, IMO it's only a matter of time before the security of IPS is compromised by a bad developer.

    Still trying to figure out the code to allow the core/interface folder. The one you posted earlier isn't working. Any ideas?
     
  14. Ahmad

  15. Jimmy

    The only issue I see is if there is a developer application, those rules won't cover those applications.
     
  16. Ahmad

    Yup, you'd need to add them manually.
    For some reason the wildcard way doesn't work. I've a lot of work to do, so no time to figure this out atm. :(
     
  17. Jimmy

    Yea, it's weird why the wildcard won't work. :mad:

    I'm still running 3.4.9 and currently working on my template for v4. I'll play around with it and see if I can get something to work. If you get it working at some point, let me know. :)
     
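The wildcard puzzle in the posts above comes from the regex itself. In an nginx `location ~` block the pattern is a PCRE regex, so `/*` means "zero or more slashes", not "any one directory name": the posted allow rule `^(/applications/*/interface/).*(\.php)$` can only ever match `/applications/interface/...`, never `/applications/core/interface/css.php`, while the posted deny rule `^(/applications/*/).*(\.php)$` matches every `.php` under `/applications/`, which is why the CSS disappeared. nginx also tries regex locations in config order and takes the first match (not the most specific one), so the interface allow block has to be written before the deny block. The following is an added example, not code from this thread, from IPS or from Centmin Mod; it simulates that matching in Python over constructed request paths and shows a one-segment wildcard, `[^/]+`, that covers any app folder, third-party ones included. The nginx form of the fixed allow rule would be `location ~ ^/applications/[^/]+/interface/.*\.php$ { include /usr/local/nginx/conf/php.conf; }`; the allow branch must still hand the request to PHP-FPM, as Ahmad's second version does with `include php.conf`, because a location that matches `.php` with only `allow all;` would serve the file's source as static content. The web-root assumption (no `/forum/` prefix), the third-party app name and the sample paths are constructed for the example.

```python
"""Why the "/*" wildcard in the posted nginx rules fails, and a form that works.

nginx evaluates regex locations ("location ~ ...") in config order and uses
the FIRST one that matches, so the allow rule for interface/ has to precede
the deny rule for the whole app folder. The patterns below are Python re
patterns; for the constructs used here (^, [^/]+, .*, \\.php$) PCRE as used
by nginx behaves the same way.
"""
import re

# Rule sets as (regex, verdict). Constructed for this example; they assume the
# suite is installed at the web root (no /forum/ prefix).

# As posted in the thread. "/*" is "zero or more slashes", not "one directory",
# so "/applications/*/interface/" only matches the literal /applications/interface/
# (or /applications//interface/), and the deny rule swallows everything else.
BROKEN_RULES = [
    (r"^(/applications/*/interface/).*(\.php)$", "allow"),
    (r"^(/applications/*/).*(\.php)$", "deny"),
]

# Same intent with a real one-segment wildcard: "[^/]+" matches exactly one
# directory name, so every app folder is covered, third-party ones included.
# The last rule adds the directories the thread lists as never needing direct
# PHP execution.
FIXED_RULES = [
    (r"^/applications/[^/]+/interface/.*\.php$", "allow"),
    (r"^/applications/[^/]+/.*\.php$", "deny"),
    (r"^/(datastore|uploads|plugins)/.*\.php$", "deny"),
]


def decide(rules, uri):
    """Verdict of the first matching rule; "php" means no rule matched and the
    request falls through to the site's generic \\.php$ handler."""
    for pattern, verdict in rules:
        if re.search(pattern, uri):
            return verdict
    return "php"


def compare(uris):
    """Return {uri: (verdict under BROKEN_RULES, verdict under FIXED_RULES)}."""
    return {u: (decide(BROKEN_RULES, u), decide(FIXED_RULES, u)) for u in uris}


# Constructed sample requests: the CSS endpoint Jimmy lost, an internal class
# file, a hypothetical third-party app, an uploaded shell and the front controller.
SAMPLE_URIS = [
    "/applications/core/interface/css.php",
    "/applications/core/modules/front/system/login.php",
    "/applications/thirdpartyapp/interface/file.php",
    "/uploads/shell.php",
    "/index.php",
]

if __name__ == "__main__":
    for uri, (broken, fixed) in compare(SAMPLE_URIS).items():
        print(f"{uri:55} posted-rules={broken:6} fixed-rules={fixed}")
```

Running it shows `css.php` denied by the posted rules and allowed by the fixed ones, while internal class files and anything under `uploads/` stay denied in the fixed set. Before relying on the nginx version, confirm the source-disclosure caveat with `curl -i` against an interface URL and check you get PHP output, not PHP source.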
  18. tjk

    @Jimmy good stuff, thanks for doing this!

    You still keeping this updated? Gist hasn't been touched since mid February, so just curious.
     
  19. cloud9

    @Jimmy Running this on the latest centminmod beta stack with IPB 4.1.13.3 - all good and works sweet; upgraded curl, added an SSL cert and running HSTS now.

    All working really well.
     
  20. Jimmy

    Great to hear! Though, if you're running PHP7 you might have some issues until they fix the bug here: https://invisionpower.com/4bugtrack/active-reports/php-705-and-ips-4-r11711/

    Here is the issue starting with this post: https://invisionpower.com/forums/topic/424093-php-7-support/?do=findComment&comment=2641037

    If you run 5.6.22 there isn't an issue. I've delayed upgrading my live site from 3.4.9 until they have this particular bug fixed.