Welcome to Centmin Mod Community
Become a Member

Nginx Is it better to add an exeption for 127.0.0.1 for autoprotect rules?

Discussion in 'Install & Upgrades or Pre-Install Questions' started by pamamolf, Aug 28, 2016.

  1. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:14 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Hi

    I am just wondering if it is better Centminmod to add automatically at :

    Code:
    /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    a rule for everything that is blocking to allow 127.0.0.1 ?


    I think that will solve many problems with plugins/addos .....

    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    53,248
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    probably but is it needed ? you ran into any examples where this is required ?
     
  3. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:14 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    After having some issues with many addons i give up and i am just disabling it always....

    I know that i should try to fix them but there was so many that was not able to access some folders so i just think that this rule may help a lot !
     
  4. eva2000

    eva2000 Administrator Staff Member

    53,248
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    for what wordpress ?
     
  5. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:14 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    IPB forum...
     
  6. eva2000

    eva2000 Administrator Staff Member

    53,248
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    just remember nginx doesn't support .htaccess so if author of addon intended for a directory to have .htaccess with deny from all, that directory is meant to be private and not publicly accessible - so it is a security issue unless you have specific nginx equivalent deny rules added yourself.

    autoprotect.sh is meant to plug those potential security holes in 123.09beta01
     
  7. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:14 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Ok so it will be great if autoprotect allow 127.0.0.1 access on every block as default !!!! :)
     
  8. eva2000

    eva2000 Administrator Staff Member

    53,248
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    just updated centmin mod 123.09beta001 for allow 127.0.0.1

    so update via centmin.sh menu option 23 submenu option 2 and then re-run manually tools/autoprotect.sh
    Code (Text):
    /usr/local/src/centminmod/tools/autoprotect.sh
     
  9. eva2000

    eva2000 Administrator Staff Member

    53,248
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    also if you can post output for the generated autoprotect include file /usr/local/nginx/conf/autoprotect/yourdomain.com/autoprotect-yourdomain.com.conf would help to see what IPB directories are being picked up for 'deny from all' .htaccess files

    just like @Colin report for IPB which was resolved IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community
     
    Last edited: Aug 28, 2016
  10. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:14 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Sure now i will enable it again and post back if i have any issues :)
     
  11. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:14 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Found one issue :)

    Code:
    # /home/nginx/domains/domain.com/public/uploads
    location ~* ^/uploads/ { allow 127.0.0.1; deny all; }
    /home/nginx/domains/domain.com/public/uploads/.htaccess content:

    Code:
    #<ipb-protection>
    <Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
        Order allow,deny
        Deny from all
    </Files>
    #</ipb-protection>
    Site looks like having broken css when i enable the include for autoprotect and it has only this rule inside.

    When i disable it all working great :)
     
  12. eva2000

    eva2000 Administrator Staff Member

    53,248
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    did you re-run updated tools/autoprotect.sh ?

    your problem should of been taken care of by previous fix from @Colin's thread at IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community
     
  13. eva2000

    eva2000 Administrator Staff Member

    53,248
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    looks like your IPB .htaccess differs from @Colin's at IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community as the updated fixed tools/autoprotect.sh is also looking for Header set line to trigger the custom rule
    Code (Text):
    #<ipb-protection>
    <Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
        Order allow,deny
        Deny from all
    </Files>
    <Files ~ "^.*\.(ipb)$">
    Header set Content-Disposition attachment
    </Files>
    #</ipb-protection>
     
  14. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:14 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    I just update Centminmod and run:

    Code:
    /usr/local/src/centminmod/tools/autoprotect.sh
    so yes i re run it....

    I can see that it looks like the same and that you have a fix for it but it doesn't work for me :(
     
  15. eva2000

    eva2000 Administrator Staff Member

    53,248
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    It doesn't work as autoprotect.sh also looks for Header set in .htaccess for ipb-protection filtered files. Seems your .htaccess in upload doesn't have the Header set part
     
  16. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:14 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Is there a way to got a fix for this?

    I can add manually the missing header line so it can trigger it but maybe i will get another similar .htaccess and get the same issue.....

    It seems that i missing three lines :

    Code:
    <Files ~ "^.*\.(ipb)$">
    Header set Content-Disposition attachment
    </Files>
     
  17. eva2000

    eva2000 Administrator Staff Member

    53,248
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    if you can provide contents of all .htaccess picked up by autoprotect.sh in generated autoprotect include file /usr/local/nginx/conf/autoprotect/yourdomain.com/autoprotect-yourdomain.com.conf - i can probably get custom rules added
     
  18. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:14 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Don't know why but i got only this one....
     
  19. eva2000

    eva2000 Administrator Staff Member

    53,248
    12,117
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,655
    Local Time:
    12:14 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    is IPB upload folder always named /upload ? or can it change ?
     
  20. pamamolf

    pamamolf Premium Member Premium Member

    4,068
    427
    83
    May 31, 2014
    Ratings:
    +832
    Local Time:
    5:14 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    You can change it to any folder but 99% of the installations use the default...as i do.

    Maybe i delete the .htaccess from there but i wil check it later.....

    looking to fix the current issue at the moment....if possible