
Nginx: Is it better to add an exception for 127.0.0.1 for autoprotect rules?

Discussion in 'Install & Upgrades or Pre-Install Questions' started by pamamolf, Aug 28, 2016.

  1. eva2000 (Administrator, Staff Member)

    I believe the problem you had is due to the use of the internal directive, which nginx requires for library and internal_data and which is missing from autoprotect.sh, so it's best to bypass autoprotect.sh and manually use

    Code (Text):
    # internal: direct client requests get 404; the location is only reachable
    # through an internal redirect (e.g. X-Accel-Redirect), as XenForo expects
    location /internal_data/ {
        internal;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
    }

    location /library/ {
        internal;
        allow 127.0.0.1;
        allow YOURIPADDRESS;
        deny all;
    }


    Updating tools/autoprotect.sh to bypass XenForo directories if they are detected, because of this.
     
  3. negative (Active Member)

    Okay, I put the above config (the XenForo standard nginx rules) into my domain.com.conf again and re-ran the updated Centmin core autoprotect.sh, and now they are not duplicated and it works fine.

    Thanks.
     
    • Like Like x 1
  4. eva2000 (Administrator, Staff Member)

    Excellent, thanks for the needed feedback and testing too :D
     
  5. BamaStangGuy (Active Member)

    So by default the autoprotect include is uncommented inside the vhosts, but everything within the autoprotect file is commented out? Would it not be better to do it the other way around? It would result in less work to uncomment.
     
  6. eva2000 (Administrator, Staff Member)

    The autoprotect include file in the vhost is uncommented by default, yes, but the contents should be uncommented where it matters: there are a lot of comments added inside the file to describe stuff, but the actual location contexts should be live and uncommented.
     
  7. GhoHan (Member)

    Maybe this needs an improvement: an option/attribute to add .autoprotect-bypass files to a folder
    Code:
    /usr/local/src/centminmod/tools/autoprotect.sh -b demodomain.com/public/themes
    or, like the nprestart command: # autoprotect -b demodomain.com/public/themes
    whatever the form, to make it simple to run this command automatically:

    Code:
    touch /home/nginx/domains/demodomain.com/public/themes/.autoprotect-bypass
    Regards
     
    • Like Like x 1
  8. eva2000 (Administrator, Staff Member)

    @GhoHan thanks for the interesting suggestion - baking the whitelisting/bypassing file creation into the autoprotect.sh script itself :) Have a few ideas to test out .. cheers :)
     
  9. Kintaro (Member)

    I just installed thirtybees* (default theme) and Font Awesome doesn't load; the console gives:
    Code:
    *48 access forbidden by rule
    Commenting out this location in the autoprotect conf solved the problem:
    Code:
    # /home/nginx/domains/domain.com/public/themes
    location ~* ^/themes/ { allow 127.0.0.1; deny all; }
    # https://community.centminmod.com/posts/35394/
    # /home/nginx/domains/domain.com/public/log
    Can you give me info about it? Is it possible to add exceptions that are not going to be overwritten automatically? Is it possible to add thirtybees-specific rules to the default autoprotect for future users?

    This is the current document root .htaccess:

    Code:
    # ~~start~~ Do not remove this comment, thirty bees will keep automatically the code outside this comment when .htaccess will be generated again
    # .htaccess automatically generated by thirty bees e-commerce open-source solution
    # http://www.thirtybees.com - http://www.thirtybees.com/forums
    
    <IfModule mod_rewrite.c>
    <IfModule mod_env.c>
    SetEnv HTTP_MOD_REWRITE On
    </IfModule>
    
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule . - [E=HTTP_AUTHORIZATION:%1]
    
    
    
    #Domain: new.modellismodoneda.it
    RewriteRule . - [E=REWRITEBASE:/]
    RewriteRule ^api$ api/ [L]
    
    RewriteRule ^api/(.*)$ %{ENV:REWRITEBASE}webservice/dispatcher.php?url=$1 [QSA,L]
    
    # Images
    RewriteRule ^([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$1$2$3.jpg [L]
    RewriteRule ^([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$1$2$3$4.jpg [L]
    RewriteRule ^([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$1$2$3$4$5.jpg [L]
    RewriteRule ^([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$1$2$3$4$5$6.jpg [L]
    RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$1$2$3$4$5$6$7.jpg [L]
    RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$1$2$3$4$5$6$7$8.jpg [L]
    RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$7/$1$2$3$4$5$6$7$8$9.jpg [L]
    RewriteRule ^([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])(\-[_a-zA-Z0-9-]*)?(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/p/$1/$2/$3/$4/$5/$6/$7/$8/$1$2$3$4$5$6$7$8$9$10.jp$
    RewriteRule ^c/([0-9]+)(\-[\.*_a-zA-Z0-9-]*)(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/c/$1$2$3.jpg [L]
    RewriteRule ^c/([a-zA-Z_-]+)(-[0-9]+)?/.+\.jpg$ %{ENV:REWRITEBASE}img/c/$1$2.jpg [L]
    # AlphaImageLoader for IE and fancybox
    RewriteRule ^images_ie/?([^/]+)\.(jpe?g|png|gif)$ js/jquery/plugins/fancybox/images/$1.$2 [L]
    
    # Dispatcher
    RewriteCond %{REQUEST_FILENAME} -s [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^.*$ %{ENV:REWRITEBASE}index.php [NC,L]
    </IfModule>
    
    AddType application/vnd.ms-fontobject .eot
    AddType font/ttf .ttf
    AddType font/otf .otf
    AddType application/font-woff .woff
    AddType application/font-woff2 .woff2
    <IfModule mod_headers.c>
            <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|svg)$">
                    Header add Access-Control-Allow-Origin "*"
            </FilesMatch>
    </IfModule>
    
    #If rewrite mod isn't enabled
    ErrorDocument 404 /index.php?controller=404
    
    # ~~end~~ Do not remove this comment, thirty bees will keep automatically the code outside this comment when .htaccess will be generated again
    
    
    The current documentroot/themes/.htaccess is this:
    Code:
    <FilesMatch "\.tpl$">
    Deny from all
    </FilesMatch>
    Now I added .autoprotect-bypass to the themes directory and Font Awesome is working... but now the .tpl files are exposed.

    *thirtybees is a PrestaShop 1.6 fork that is actively developed. @Matt, I saw that you're using PrestaShop; take a look at the thirtybees forum and their homepage!
     
    Last edited: Oct 18, 2018
  10. rdan (Well-Known Member)

    That is a very slow website :rolleyes:
     
  12. rdan (Well-Known Member)

    Still very slow, and it's expected as they reside on the same server.
     
  13. eva2000 (Administrator, Staff Member)

    In that case autoprotect.sh has done its job in alerting you to an nginx rule you need to add to your vhost after you set up .autoprotect-bypass: in the nginx vhost, set the nginx rule manually to the equivalent of the .htaccess that autoprotect has flagged.
    Code (Text):
    location ~* \.tpl$ {
      return 444;
    }


    Code (Text):
    location ~* \.tpl$ {
      deny all;
    }


    Without the autoprotect.sh alerts/warnings, you would have had .tpl files accessible to the public, since nginx doesn't support .htaccess :)

    I should probably add .tpl to the ban list for the centmin.sh menu option 22 installed/generated wpsecure include file too.

    i.e. the ban list generated include file /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf, where ${vhostname} is your domain name when the centmin.sh menu option 22 WordPress installer runs.
    Code (Text):
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    # (the generating shell script writes the $ anchors as \$ inside its heredoc; the written include file carries plain $, as shown here)
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
    return 444;
    }
    
     
    • Like Like x 1
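The procedure eva2000 describes (bypass the directory, then hand-port whatever the .htaccess was protecting) and GhoHan's suggested `-b` switch, combined into one added shell example. This is not Centmin Mod's `tools/autoprotect.sh`; the function names `gen_rules` and `mark_bypass`, the script name `autoprotect_demo.sh` and the simplified `.htaccess` parsing (double-quoted `FilesMatch` pattern, one directive per line) are this example's own. It walks a document root, emits the thread's `location ~* ^/dir/ { allow 127.0.0.1; deny all; }` block for every directory whose `.htaccess` contains `Deny from all`, skips directories carrying `.autoprotect-bypass`, and for those goes one step further than the real script by translating any `<FilesMatch "pattern"> Deny from all` into `location ~* ^/dir/.*pattern { deny all; }`, so the `.tpl` exposure above does not happen.

```shell
#!/bin/sh
# Added example, not Centmin Mod's tools/autoprotect.sh. Behaviour mirrored from the thread:
#   - a directory whose .htaccess contains "Deny from all" gets
#       location ~* ^/dir/ { allow 127.0.0.1; deny all; }
#   - a directory holding a .autoprotect-bypass marker is skipped, BUT every
#       <FilesMatch "pattern"> ... Deny from all ... </FilesMatch>
#     inside its .htaccess is translated to
#       location ~* ^/dir/.*pattern { deny all; }
#     so bypassing the directory does not expose the files Apache hid (the .tpl case).
# The .htaccess parsing is a deliberate simplification (quoted FilesMatch pattern,
# one directive per line); the real script's logic is not reproduced here.
set -eu

# gen_rules DOCROOT  -> nginx location blocks on stdout
gen_rules() {
  docroot=${1%/}
  find "$docroot" -type f -name .htaccess | LC_ALL=C sort | while read -r ht; do
    dir=$(dirname "$ht")
    rel=${dir#"$docroot"}
    # the document-root .htaccess carries rewrite rules; never turn it into a site-wide deny
    [ -n "$rel" ] || continue
    bypass=0
    if [ -f "$dir/.autoprotect-bypass" ]; then bypass=1; fi
    awk -v rel="$rel" -v bypass="$bypass" '
      tolower($0) ~ /^[ \t]*<filesmatch[ \t]/ {
        p = $0; sub(/^[^"]*"/, "", p); sub(/".*$/, "", p)   # text between the quotes
        infm = 1; next
      }
      tolower($0) ~ /^[ \t]*<\/filesmatch>/ { infm = 0; next }
      tolower($0) ~ /^[ \t]*deny[ \t]+from[ \t]+all/ {
        anydeny = 1
        if (infm) fm[++n] = p        # remember the FilesMatch pattern this deny belongs to
      }
      END {
        if (!bypass) {
          if (anydeny) printf "location ~* ^%s/ { allow 127.0.0.1; deny all; }\n", rel
        } else {
          for (i = 1; i <= n; i++) printf "location ~* ^%s/.*%s { deny all; }\n", rel, fm[i]
        }
      }' "$ht"
  done
}

# mark_bypass DOCROOT RELDIR -> creates the marker (the "-b" idea from the thread) and
# prints the per-file rules that still have to be added to the vhost by hand
mark_bypass() {
  docroot=${1%/}
  rel=/${2#/}; rel=${rel%/}
  : > "$docroot$rel/.autoprotect-bypass"
  gen_rules "$docroot" | grep -F "^$rel/" || true
}

# usage: sh autoprotect_demo.sh /home/nginx/domains/domain.com/public [themes]
if [ -n "${1:-}" ]; then
  if [ -n "${2:-}" ]; then mark_bypass "$1" "$2"; else gen_rules "$1"; fi
fi
```

Run it with the document root alone to print the rules, or with a second argument such as `themes` to create the marker and print the per-file rules you still have to paste into the vhost. The `FilesMatch` pattern is copied verbatim into the nginx regex, so always run `nginx -t` before reloading: simple extension matches like `\.tpl$` are identical in Apache and PCRE, but anything fancier deserves a look. The directory prefix is anchored with `^` because a regex `location` is matched against the whole URI, not a path suffix.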
  14. Kintaro (Member)

    OK, now it's working after adding the directive manually.

    Do you think it is possible to modify autoprotect.sh to work out of the box for thirtybees and PrestaShop 1.6?

    But this will cover WP installations only, right?
     
  15. eva2000 (Administrator, Staff Member)

    Yes, only for WordPress installs.

    I don't have first-hand experience with either script, so I would rely on users like yourself reporting what location context/directory entries are showing up in their include file at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf which are trapping thirtybees and PrestaShop URLs, and what .htaccess files are in those directories.
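To see which request paths the wpsecure ban list quoted a few posts up actually traps, here is an added shell example that is not part of Centmin Mod: it replays that regex with `grep -iE` (POSIX ERE stands in for nginx's PCRE, which is adequate for this pattern) over constructed thirty bees / PrestaShop-style URIs. One thing worth knowing before relying on the rule alone: nginx matches a regex `location` against the whole URI, which always begins with `/`, so the `^(\..*|Entries.*|...)$` alternative can never match and dotfiles such as `/.htaccess` are not caught by this rule. The `dotfile_banned` function shows the usual `/\.` prefix check that closes that gap; it is this example's suggestion, not the project's rule, and whether another Centmin include already covers dotfiles is not shown on this page.

```shell
#!/bin/sh
# Added example, not part of Centmin Mod. Replays the wpsecure ban-list regex
# against sample URIs. nginx evaluates "location ~*" with PCRE; grep -E with -i
# is a close enough stand-in for this particular pattern.
set -eu

# The ban list from the wpsecure include, as nginx sees it (plain $ anchors).
BAN_RE='\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_'

# The second alternative above starts with ^\. but an nginx URI always starts
# with "/", so it never fires. This is the usual way to deny any dotfile or
# dot-directory anywhere in the path (this example's suggestion; it mirrors the
# common "location ~ /\." rule, not anything quoted in the thread).
DOTFILE_RE='/\.'

# uri_banned URI      -> exit 0 if the wpsecure rule would return 444
uri_banned() { printf '%s\n' "$1" | grep -qiE "$BAN_RE"; }

# dotfile_banned URI  -> exit 0 if the suggested dotfile rule would deny it
dotfile_banned() { printf '%s\n' "$1" | grep -qE "$DOTFILE_RE"; }

# verdict URI -> prints "banned URI", "dotfile-only URI" or "served URI"
verdict() {
  if uri_banned "$1"; then echo "banned $1"
  elif dotfile_banned "$1"; then echo "dotfile-only $1"
  else echo "served $1"
  fi
}

# Constructed sample URIs in the style of a thirty bees / PrestaShop tree.
for u in \
  '/themes/community-theme-default/header.tpl' \
  '/themes/community-theme-default/css/font-awesome.css' \
  '/modules/blockcart/blockcart.tpl.php' \
  '/install/install.sql' \
  '/config/settings.inc.php_bak' \
  '/.htaccess' \
  '/.git/HEAD'
do
  verdict "$u"
done
```

The "dotfile-only" lines are the ones to act on: with only the wpsecure include in place, `/.htaccess` and `/.git/HEAD` would be served if the files exist in the document root, while `.tpl`, `.tpl.php`, `.sql` and `.php_bak` paths are correctly refused.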