
Nginx Is it better to add an exception for 127.0.0.1 for autoprotect rules?

Discussion in 'Install & Upgrades or Pre-Install Questions' started by pamamolf, Aug 28, 2016.

  1. pamamolf

    pamamolf Well-Known Member

    4,028
    421
    83
    May 31, 2014
    Ratings:
    +817
    Local Time:
    6:25 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Hi

    I am just wondering if it is better for Centminmod to add automatically at:

    Code:
    /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    a rule for everything that is blocking to allow 127.0.0.1?

    I think that will solve many problems with plugins/addons .....

    Thanks

     
  2. eva2000

    eva2000 Administrator Staff Member

    50,928
    11,808
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,267
    Local Time:
    2:25 AM
    Nginx 1.25.x
    MariaDB 10.x
    Probably, but is it needed? Have you run into any examples where this is required?
     
  3. pamamolf

    After having some issues with many addons I gave up and I am just disabling it always....

    I know that I should try to fix them, but there were so many that were not able to access some folders, so I just think that this rule may help a lot!
     
  4. eva2000

    For what, WordPress?
     
  5. pamamolf

    IPB forum...
     
  6. eva2000

    Just remember nginx doesn't support .htaccess, so if the author of an addon intended for a directory to have .htaccess with deny from all, that directory is meant to be private and not publicly accessible - so it is a security issue unless you have specific nginx equivalent deny rules added yourself.

    autoprotect.sh is meant to plug those potential security holes in 123.09beta01
     
  7. pamamolf

    Ok, so it will be great if autoprotect allows 127.0.0.1 access on every block as default !!!! :)
     
  8. eva2000

    just updated centmin mod 123.09beta001 for allow 127.0.0.1

    so update via centmin.sh menu option 23 submenu option 2 and then re-run manually tools/autoprotect.sh
    Code (Text):
    /usr/local/src/centminmod/tools/autoprotect.sh
     
  9. eva2000

    Also, if you can post the output of the generated autoprotect include file /usr/local/nginx/conf/autoprotect/yourdomain.com/autoprotect-yourdomain.com.conf, that would help to see what IPB directories are being picked up for 'deny from all' .htaccess files.

    Just like @Colin's report for IPB, which was resolved: IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community
     
    Last edited: Aug 28, 2016
  10. pamamolf

    Sure, now I will enable it again and post back if I have any issues :)
     
  11. pamamolf

    Found one issue :)

    Code:
    # /home/nginx/domains/domain.com/public/uploads
    location ~* ^/uploads/ { allow 127.0.0.1; deny all; }
    /home/nginx/domains/domain.com/public/uploads/.htaccess content:

    Code:
    #<ipb-protection>
    <Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
        Order allow,deny
        Deny from all
    </Files>
    #</ipb-protection>
    Site looks like it has broken CSS when I enable the include for autoprotect and it has only this rule inside.

    When I disable it, all is working great :)
     
  12. eva2000

    did you re-run updated tools/autoprotect.sh ?

    Your problem should have been taken care of by the previous fix from @Colin's thread at IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community
     
  13. eva2000

    looks like your IPB .htaccess differs from @Colin's at IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community as the updated fixed tools/autoprotect.sh is also looking for Header set line to trigger the custom rule
    Code (Text):
    #<ipb-protection>
    <Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
        Order allow,deny
        Deny from all
    </Files>
    <Files ~ "^.*\.(ipb)$">
    Header set Content-Disposition attachment
    </Files>
    #</ipb-protection>
     
  14. pamamolf

    I just updated Centminmod and ran:

    Code:
    /usr/local/src/centminmod/tools/autoprotect.sh
    so yes, I re-ran it....

    I can see that it looks like the same and that you have a fix for it but it doesn't work for me :(
     
  15. eva2000

    It doesn't work as autoprotect.sh also looks for Header set in .htaccess for ipb-protection filtered files. Seems your .htaccess in upload doesn't have the Header set part
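
The mismatch discussed in this thread, as an added example that is not part of the original posts and is not Centmin Mod's autoprotect.sh: the `uploads/.htaccess` denies only script extensions inside a `<Files>` block, while the generated rule denies the whole directory. The helper name `htaccess_to_nginx` and the extension-scoped rule it prints are assumptions for illustration.

```bash
# Added illustration; not Centmin Mod's tools/autoprotect.sh.
# htaccess_to_nginx URL_PREFIX HTACCESS_FILE   (hypothetical helper)
# Emits an nginx rule for each "Deny from all", scoped as Apache scopes it:
# the whole directory, or only files matched by the enclosing <Files ~ "...">.
htaccess_to_nginx() {
  awk -v url="$1" '
    /^[ \t]*#/ { next }                      # comments, e.g. #<ipb-protection>
    {
      line = tolower($0)
      if (line ~ /<files[ \t]/) {            # entering a <Files ...> block
        infiles = 1; exts = ""
        # keep the (ext1|ext2|...) alternation from the Apache pattern
        if (match($0, /\([^)]*\)/)) { exts = substr($0, RSTART, RLENGTH) }
      } else if (line ~ /<\/files>/) {
        infiles = 0
      } else if (line ~ /^[ \t]*deny[ \t]+from[ \t]+all/) {
        if (infiles && exts != "") {
          # Unanchored like the Apache pattern, so names such as x.php.jpg
          # stay blocked; style.css or logo.png do not match.
          printf "location ~* ^%s/.*\\.%s { allow 127.0.0.1; deny all; }\n", url, exts
        } else {
          # Directory-wide deny, also used when no extension list is found
          # inside a <Files> block, so the result fails closed.
          printf "location ~* ^%s/ { allow 127.0.0.1; deny all; }\n", url
        }
      }
    }
  ' "$2"
}

# Demo on the uploads/.htaccess content quoted in the thread.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
#<ipb-protection>
<Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
    Order allow,deny
    Deny from all
</Files>
#</ipb-protection>
EOF
  htaccess_to_nginx /uploads "$tmp"
  rm -f "$tmp"
}
demo
```

Run `nginx -t` on any hand-edited include before reloading, and confirm that a request for a `.php` file under the directory is refused while a stylesheet still loads.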
     
  16. pamamolf

    Is there a way to get a fix for this?

    I can add manually the missing header line so it can trigger it, but maybe I will get another similar .htaccess and get the same issue.....

    It seems that I am missing three lines:

    Code:
    <Files ~ "^.*\.(ipb)$">
    Header set Content-Disposition attachment
    </Files>
     
  17. eva2000

    if you can provide contents of all .htaccess picked up by autoprotect.sh in generated autoprotect include file /usr/local/nginx/conf/autoprotect/yourdomain.com/autoprotect-yourdomain.com.conf - i can probably get custom rules added
     
  18. pamamolf

    Don't know why but I got only this one....
     
  19. eva2000

    is IPB upload folder always named /upload ? or can it change ?
     
  20. pamamolf

    You can change it to any folder but 99% of the installations use the default...as i do.

    Maybe I delete the .htaccess from there but I will check it later.....

    Looking to fix the current issue at the moment....if possible