Discover Centmin Mod today
Register Now

Nginx Is it better to add an exeption for 127.0.0.1 for autoprotect rules?

Discussion in 'Install & Upgrades or Pre-Install Questions' started by pamamolf, Aug 28, 2016.

  1. pamamolf

    pamamolf Well-Known Member

    2,819
    251
    83
    May 31, 2014
    Ratings:
    +445
    Local Time:
    1:14 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Hi

    I am just wondering if it is better Centminmod to add automatically at :

    Code:
    /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    a rule for everything that is blocking to allow 127.0.0.1 ?

    I think that will solve many problems with plugins/addos .....

    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,924
    6,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,406
    Local Time:
    9:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    probably but is it needed ? you ran into any examples where this is required ?
     
  3. pamamolf

    pamamolf Well-Known Member

    2,819
    251
    83
    May 31, 2014
    Ratings:
    +445
    Local Time:
    1:14 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    After having some issues with many addons i give up and i am just disabling it always....

    I know that i should try to fix them but there was so many that was not able to access some folders so i just think that this rule may help a lot !
     
  4. eva2000

    eva2000 Administrator Staff Member

    30,924
    6,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,406
    Local Time:
    9:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    for what wordpress ?
     
  5. pamamolf

    pamamolf Well-Known Member

    2,819
    251
    83
    May 31, 2014
    Ratings:
    +445
    Local Time:
    1:14 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    IPB forum...
     
  6. eva2000

    eva2000 Administrator Staff Member

    30,924
    6,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,406
    Local Time:
    9:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    just remember nginx doesn't support .htaccess so if author of addon intended for a directory to have .htaccess with deny from all, that directory is meant to be private and not publicly accessible - so it is a security issue unless you have specific nginx equivalent deny rules added yourself.

    autoprotect.sh is meant to plug those potential security holes in 123.09beta01
     
  7. pamamolf

    pamamolf Well-Known Member

    2,819
    251
    83
    May 31, 2014
    Ratings:
    +445
    Local Time:
    1:14 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Ok so it will be great if autoprotect allow 127.0.0.1 access on every block as default !!!! :)
     
  8. eva2000

    eva2000 Administrator Staff Member

    30,924
    6,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,406
    Local Time:
    9:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    just updated centmin mod 123.09beta001 for allow 127.0.0.1

    so update via centmin.sh menu option 23 submenu option 2 and then re-run manually tools/autoprotect.sh
    Code (Text):
    /usr/local/src/centminmod/tools/autoprotect.sh
     
    • Like Like x 1
  9. eva2000

    eva2000 Administrator Staff Member

    30,924
    6,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,406
    Local Time:
    9:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    also if you can post output for the generated autoprotect include file /usr/local/nginx/conf/autoprotect/yourdomain.com/autoprotect-yourdomain.com.conf would help to see what IPB directories are being picked up for 'deny from all' .htaccess files

    just like @Colin report for IPB which was resolved IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community
     
    Last edited: Aug 28, 2016
  10. pamamolf

    pamamolf Well-Known Member

    2,819
    251
    83
    May 31, 2014
    Ratings:
    +445
    Local Time:
    1:14 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Sure now i will enable it again and post back if i have any issues :)
     
  11. pamamolf

    pamamolf Well-Known Member

    2,819
    251
    83
    May 31, 2014
    Ratings:
    +445
    Local Time:
    1:14 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Found one issue :)

    Code:
    # /home/nginx/domains/domain.com/public/uploads
    location ~* ^/uploads/ { allow 127.0.0.1; deny all; }
    /home/nginx/domains/domain.com/public/uploads/.htaccess content:

    Code:
    #<ipb-protection>
    <Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
        Order allow,deny
        Deny from all
    </Files>
    #</ipb-protection>
    Site looks like having broken css when i enable the include for autoprotect and it has only this rule inside.

    When i disable it all working great :)
     
  12. eva2000

    eva2000 Administrator Staff Member

    30,924
    6,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,406
    Local Time:
    9:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    did you re-run updated tools/autoprotect.sh ?

    your problem should of been taken care of by previous fix from @Colin's thread at IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community
     
  13. eva2000

    eva2000 Administrator Staff Member

    30,924
    6,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,406
    Local Time:
    9:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    looks like your IPB .htaccess differs from @Colin's at IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community as the updated fixed tools/autoprotect.sh is also looking for Header set line to trigger the custom rule
    Code (Text):
    #<ipb-protection>
    <Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
        Order allow,deny
        Deny from all
    </Files>
    <Files ~ "^.*\.(ipb)$">
    Header set Content-Disposition attachment
    </Files>
    #</ipb-protection>
     
    • Informative Informative x 1
  14. pamamolf

    pamamolf Well-Known Member

    2,819
    251
    83
    May 31, 2014
    Ratings:
    +445
    Local Time:
    1:14 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    I just update Centminmod and run:

    Code:
    /usr/local/src/centminmod/tools/autoprotect.sh
    so yes i re run it....

    I can see that it looks like the same and that you have a fix for it but it doesn't work for me :(
     
  15. eva2000

    eva2000 Administrator Staff Member

    30,924
    6,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,406
    Local Time:
    9:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    It doesn't work as autoprotect.sh also looks for Header set in .htaccess for ipb-protection filtered files. Seems your .htaccess in upload doesn't have the Header set part
     
  16. pamamolf

    pamamolf Well-Known Member

    2,819
    251
    83
    May 31, 2014
    Ratings:
    +445
    Local Time:
    1:14 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Is there a way to got a fix for this?

    I can add manually the missing header line so it can trigger it but maybe i will get another similar .htaccess and get the same issue.....

    It seems that i missing three lines :

    Code:
    <Files ~ "^.*\.(ipb)$">
    Header set Content-Disposition attachment
    </Files>
     
  17. eva2000

    eva2000 Administrator Staff Member

    30,924
    6,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,406
    Local Time:
    9:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    if you can provide contents of all .htaccess picked up by autoprotect.sh in generated autoprotect include file /usr/local/nginx/conf/autoprotect/yourdomain.com/autoprotect-yourdomain.com.conf - i can probably get custom rules added
     
  18. pamamolf

    pamamolf Well-Known Member

    2,819
    251
    83
    May 31, 2014
    Ratings:
    +445
    Local Time:
    1:14 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    Don't know why but i got only this one....
     
  19. eva2000

    eva2000 Administrator Staff Member

    30,924
    6,910
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,406
    Local Time:
    9:14 PM
    Nginx 1.13.x
    MariaDB 5.5
    is IPB upload folder always named /upload ? or can it change ?
     
  20. pamamolf

    pamamolf Well-Known Member

    2,819
    251
    83
    May 31, 2014
    Ratings:
    +445
    Local Time:
    1:14 PM
    Nginx-1.13.x
    MariaDB 10.1.x
    You can change it to any folder but 99% of the installations use the default...as i do.

    Maybe i delete the .htaccess from there but i wil check it later.....

    looking to fix the current issue at the moment....if possible