
Nginx Is it better to add an exeption for 127.0.0.1 for autoprotect rules?

Discussion in 'Install & Upgrades or Pre-Install Questions' started by pamamolf, Aug 28, 2016.

  1. eva2000

    hmm that would make it difficult to filter just for the upload directory

    I updated 123.09beta01's tools/autoprotect.sh with a custom rule fix for this; let me know if it works

     
  2. pamamolf

    Yes it works now :)
     
  3. eva2000

    great.. I think I might have come up with a smarter way for autoprotect.sh: check .htaccess for 'deny from all' but also filter out 'Order allow', then check if there is any occurrence of 'allow' in the .htaccess, and if there is, just deny php, pl, cgi extension files but allow css and js files.
     
  4. pamamolf

    I think also this one (from opencart) is not correct:

    Code:
    Options +SymLinksIfOwnerMatch
    
    # Prevent Directory listing
    Options -Indexes
    
    # Prevent Direct Access to files
    <FilesMatch "\.(tpl|ini|log)">
    Order deny,allow
    Deny from all
    </FilesMatch>
    And I got this for it:

    Code:
    location ~* ^/ { allow 127.0.0.1; deny all; }
    If I am not wrong it should limit only tpl|ini|log files and not all?
     
  5. eva2000

    what directory is that for? deny all can still be valid if you don't need any other files from that directory, i.e. css, js or images
     
  6. pamamolf

    Also do you recommend me to replace this custom rule:

    Code:
    location ~ ^(/uploads/).*(\.php)$ {
        deny all;
    }
    with this one:

    Code:
    location ~ ^/uploads/ {
      location ~ ^/uploads/(.*)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }
    ?
     
  7. pamamolf

    It is from:

    Code:
    /home/nginx/domains/domain.com/public/
     
  8. eva2000

    the aim is for tools/autoprotect.sh to run and generate the correct rule

    both of those should be fine
    hmm that's a tricky one if it's in web root
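    As an added example (not Centmin Mod's autoprotect.sh and not code from anyone in this thread), here is the heuristic eva2000 describes above, plus the OpenCart FilesMatch case raised in this thread, as a POSIX sh function that classifies a .htaccess file and prints an nginx rule in the same shape as the rules quoted here. The FilesMatch handling, the asset extension list and the 127.0.0.1 allow on the extension-scoped rule are this example's own assumptions; the sample .htaccess files are constructed.

```shell
#!/bin/sh
# Added example: classify a .htaccess the way the thread's heuristic describes and
# print a matching nginx location block (this is not autoprotect.sh itself).
htaccess_to_nginx() {
  uri=$1                      # URI prefix of the directory, e.g. /uploads/
  file=$2                     # path to that directory's .htaccess
  [ -f "$file" ] || return 1
  # No "Deny from all" at all: nothing for nginx to deny
  grep -qi 'deny from all' "$file" || return 0
  # Case A (the OpenCart file): <FilesMatch "\.(tpl|ini|log)"> scopes the deny to those
  # extensions, so deny only them instead of the whole directory (assumed mapping)
  exts=$(sed -n 's/.*<FilesMatch "\\\.(\([^)]*\))">.*/\1/p' "$file" | head -n 1)
  if [ -n "$exts" ]; then
    printf 'location ~* ^%s.*\\.(%s)$ { allow 127.0.0.1; deny all; }\n' "$uri" "$exts"
    return 0
  fi
  # Case B (eva2000's heuristic): ignore "Order allow,deny" lines, then if any "allow"
  # remains treat the directory as one that also serves assets: block scripts only
  if grep -vi 'order allow' "$file" | grep -qi 'allow'; then
    printf 'location %s {\n' "$uri"
    printf '  location ~ ^%s(.+/)?(.+)\\.(js|css)$ { allow all; expires 30d; }\n' "$uri"
    printf '  location ~ ^%s(.+/)?(.+)\\.(gif|jpe?g|png|webp|svg|eot|ttf|woff2?)$ { allow all; expires 30d; }\n' "$uri"
    printf '  location ~ ^%s(.+/)?(.+)\\.(php|cgi|pl|php[3-6]|phtml|shtml)$ { allow 127.0.0.1; deny all; }\n' "$uri"
    printf '}\n'
    return 0
  fi
  # Case C: plain "Deny from all": nothing in the directory is meant to be served directly
  printf 'location ~* ^%s { allow 127.0.0.1; deny all; }\n' "$uri"
}

# Constructed sample .htaccess files (not taken from any real server) covering each case
tmp=$(mktemp -d)
printf 'Deny from all\n' > "$tmp/plain"
printf 'Order deny,allow\nDeny from all\n' > "$tmp/xf"        # what XenForo ships in library/
printf 'Options -Indexes\n<FilesMatch "\\.(tpl|ini|log)">\nOrder deny,allow\nDeny from all\n</FilesMatch>\n' > "$tmp/oc"
printf 'Options -Indexes\n' > "$tmp/none"

for d in plain xf oc none; do
  printf '# %s\n' "$d"
  htaccess_to_nginx "/$d/" "$tmp/$d"
done
```

    Note that "Order deny,allow" alone already counts as an "allow" for case B, which is why the XenForo library/ directory in this thread received the split rule rather than a blanket deny.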
     
  9. pamamolf

    That's what i thought when i saw it :)
     
  10. eva2000

  11. dorobo

    How do I stop autoprotect from sending me emails?

    is it ok to change the cron line from this

    Code (Text):
    /usr/local/src/centminmod/tools/autoprotect.sh 2>/dev/null


    to this

    Code (Text):
    /usr/local/src/centminmod/tools/autoprotect.sh >/dev/null 2>&1
     
  12. eva2000

    yup - the emails do serve a purpose; if you regularly read them you may find .htaccess files you need to account for in your nginx vhost properly
     
  13. negative

    Ah, today our nginx webserver was down due to autoprotect.sh, because I had manually added the internal_data directory deny permissions, so it was duplicated and nginx was down; I fixed that after about 15 min :)

    So, we don't need any custom security rules in the nginx conf files of wordpress and xenforo websites, right?
     
  14. eva2000

    maybe not if autoprotect.sh covered it properly, but if you already covered it as per the setup at Nginx Rewrites for Xenforo Friendly Urls - CentminMod.com LEMP Nginx web stack for CentOS then I can see why it could conflict. In such a case just add the .autoprotect-bypass file as per Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community to the internal_data directory

    what does your /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf contain now?
     
  15. eva2000

    what did you specifically add and where did you add it?
     
  16. negative

    My domain.com.conf was including this, as per your xenforo nginx install guide

    Code (Text):
    location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
    }

    location /library/ {
        internal;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
    }


    But after autoprotect.sh was installed and run on our side (it auto installed during centmin updates, I think), it crashed suddenly; I don't understand. I didn't log in via ssh or restart nginx but it happened by itself. Probably when the autoprotect.sh cron ran.
     
  17. eva2000

    strange indeed

    the internal_data and library directories do have a .htaccess file by xenforo with
    Code (Text):
    Order deny,allow
    Deny from all

    So autoprotect.sh will catch it but yes it would cause problems with xenforo! Need to figure that one out :)

    for now just add a .autoprotect-bypass file into both internal_data and library directories and re-run tools/autoprotect.sh to bypass it
     
  18. negative

    My autoprotect domain file includes them:

    Code (Text):
    # /home/xxxx/public/assets/cms/plugins/filemanager/config
    location ~* ^/assets/cms/plugins/filemanager/config/ { allow 127.0.0.1; deny all; }
    # https://community.centminmod.com/posts/35394/
    # /home/xxxx/public/forum/library
    
    location /forum/library/ {
      location ~ ^/forum/library/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/forum/library/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/forum/library/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/forum/library/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }
    
    # https://community.centminmod.com/posts/35394/
    # /home/xxx/public/forum/internal_data
    
    location /forum/internal_data/ {
      location ~ ^/forum/internal_data/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/forum/internal_data/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/forum/internal_data/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/forum/internal_data/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }
    
    # https://community.centminmod.com/posts/35394/
    # /home/xxx/public/forum/install/templates
    
    location /forum/install/templates/ {
      location ~ ^/forum/install/templates/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/forum/install/templates/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/forum/install/templates/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/forum/install/templates/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }
    
    # https://community.centminmod.com/posts/35394/
    # /home/xxx/public/forum/install/data
    
    location /forum/install/data/ {
      location ~ ^/forum/install/data/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/forum/install/data/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/forum/install/data/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/forum/install/data/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }

    The problem was, nginx said the internal_data location was a duplicate entry so it didn't restart. After I deleted these lines from domain.com.conf, everything was fixed.

    Code (Text):
    location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
    }

    location /library/ {
        internal;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
    }


    But I was shocked that the problem occurred suddenly. Probably your autoprotect cron ran by itself :)
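    Added example, not part of Centmin Mod or of any post in this thread: a small sh/awk check that lists prefix locations declared in more than one nginx include file, which is the "duplicate location" that kept nginx from restarting above. Run it over the vhost conf and the autoprotect conf before reloading; file names and contents below are constructed to mirror the situation described.

```shell
#!/bin/sh
# Added example: report prefix locations (no =, ~, ~* or ^~ modifier) that more than
# one of the given nginx include files declare; nginx refuses to start on a duplicate.
# A regex location nested inside a prefix block is not a duplicate and is skipped.
find_dup_locations() {
  awk '
    /^[[:space:]]*location[[:space:]]+[^=~^[:space:]][^[:space:]{]*[[:space:]]*[{]/ {
      p = $2; sub(/[{].*/, "", p)               # the prefix, minus a glued-on "{"
      files[p] = (p in files) ? (files[p] "," FILENAME) : FILENAME
      count[p]++
    }
    END { for (p in count) if (count[p] > 1) print p, files[p] }
  ' "$@" | sort
}

# Constructed sample files mirroring the thread: the vhost keeps the hand-written
# XenForo blocks while autoprotect generated its own /internal_data/ block
tmp=$(mktemp -d)
cat > "$tmp/domain.com.conf" <<'EOF'
location /internal_data/ { internal; allow 127.0.0.1; deny all; }
location /library/ { internal; allow 127.0.0.1; deny all; }
EOF
cat > "$tmp/autoprotect-domain.com.conf" <<'EOF'
location /internal_data/ {
  location ~ ^/internal_data/(.+/)?(.+)\.(php|phtml)$ { allow 127.0.0.1; deny all; }
}
EOF

# Prints "/internal_data/ <vhost>,<autoprotect>"; /library/ is declared only once
find_dup_locations "$tmp/domain.com.conf" "$tmp/autoprotect-domain.com.conf"
```

    The check only flags the exact-prefix collision nginx complains about; a .autoprotect-bypass file in the directory, as suggested in the thread, is what stops autoprotect.sh from generating the colliding block.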
     
  19. eva2000

    I'd leave your originally added custom vhost settings and bypass autoprotect.sh instead. So if you installed Xenforo at /home/nginx/domains/domain.com/public, add .autoprotect-bypass files to the Xenforo directories as follows.

    SSH commands to just create empty .autoprotect-bypass files to exclude from tools/autoprotect.sh
    Code (Text):
    touch /home/nginx/domains/domain.com/public/library/.autoprotect-bypass
    touch /home/nginx/domains/domain.com/public/internal_data/.autoprotect-bypass
    touch /home/nginx/domains/domain.com/public/install/data/.autoprotect-bypass
    touch /home/nginx/domains/domain.com/public/install/templates/.autoprotect-bypass

    updated the Xenforo setup with this info too: Nginx Rewrites for Xenforo Friendly Urls - CentminMod.com LEMP Nginx web stack for CentOS
     
    Last edited: Oct 25, 2016
  20. negative

    But, how about bypassing the autoprotect.sh rules?

    I think they work like the standard xenforo rules already, don't they? So, I don't need custom modifications on my domain.com.conf. Autoprotect.sh is securing everything already.