Learn about Centmin Mod LEMP Stack today
Register Now

Maintenace whitelisting and IPB admin directory

Discussion in 'Install & Upgrades or Pre-Install Questions' started by menister, Aug 11, 2019.

  1. menister

    menister New Member

    9
    3
    3
    May 17, 2019
    Ratings:
    +5
    Local Time:
    3:57 AM
    1.15.12
    10.3.15
    Please fill in any relevant information that applies to you:

    CentOS Version: CentOS 7 64bit ?
    Centmin Mod Version Installed: 123.09beta01
    Nginx Version Installed: 1.17.2
    PHP Version Installed: 7.2.21
    MariaDB MySQL Version Installed: 10.3.17
    When was last time updated Centmin Mod code base ? : 1 hour ago
    Persistent Config:
    Code (Text):
        NGINX_SSLCACHE_ALLOWOVERRIDE='y'
        SET_DEFAULT_MYSQLCHARSET='utf8mb4'
        AUTOHARDTUNE_NGINXBACKLOG='y'
        ZSTD_LOGROTATE_NGINX='y'
        ZSTD_LOGROTATE_PHPFPM='y'
        NGINX_LIBBROTLI='y'
        NGXDYNAMIC_BROTLI='y'
        PHP_PGO='y'
        PHP_BROTLI='y'
        PHP_LZFOUR='y'
        PHP_LZF='y'
        PHP_ZSTD='y'
        MARCH_TARGETNATIVE='n'
        LETSENCRYPT_DETECT='y'
        DUALCERTS='y'
        AUDITD_ENABLE='y'
        




    Hello, I am currently trying to install IPB and have a little issues with the maintenance mode and securing the admin folder.

    I have whitelisted my IPv4 to the maintenance.conf and restarted nginx/php with nprestart, but I still see the maintenance mode, even on different browsers.

    Code (Text):
             # IPs you can whitelist from maintenance mode
             geo $maint_whitelist {
                  include /usr/local/nginx/conf/sitestatus.conf;
                  127.0.0.1 0;
                  MYIPv4 0;
             }
    
             map $http_host$uri $exclude_url {
                  default                                                0;
                  "~^newdomain1.com/js/jquery.fittext.js"                1;
                  "~^newdomain1.com/blog/js/jquery.fittext.js"           1;
             }
    
             map $maint_whitelist$exclude_url $maintenance {
                  default        1;
                  10             1;
                  11             1;
                  00             0;
                  01             0;
             }
        



    And for the IPB Admin part:

    This part is in my ssl.conf:

    Code (Text):
            # Mask fake admin directory
            # Must comment this during install.  Uncomment after you change the name of the admin directory.
             location ~^/admin/(.*)$ {
                deny all;
             }
    
            # Secure real Admin Directory
            # Replace /your_admin_renamed_directory/ with your renamed directory.
             location ~ ^/RANDOMSTRING/.+\.php$ {
                allow 127.0.0.1;
                deny all;
                auth_basic "Restricted Area";
                auth_basic_user_file /usr/local/nginx/conf/htpasswd_admin_php;
                include /usr/local/nginx/conf/php.conf;
                allow MYIPv4;
            }
        


    I have generated the htpasswd_admin_php with:

    Code (Text):
        htpasswd -c /etc/nginx/.htpasswd username
        


    Thats the output from the error.log:

    Code (Text):
        2019/08/10 14:48:57 [error] 18206#18206: *8 access forbidden by rule, client: 141.101.XX.XX, server: DOMAIN.com, request: "GET /RANDOMSTRING/ HTTP/1.1", host: "DOMAIN.com"
        2019/08/10 14:49:03 [error] 18206#18206: *9 access forbidden by rule, client: 172.69.XX.XX, server: DOMAIN.com, request: "GET /RANDOMSTRING/ HTTP/1.1", host: "DOMAIN.com"
        2019/08/10 14:55:08 [error] 18206#18206: *21 access forbidden by rule, client: 141.101.XX.XX, server: DOMAIN.com, request: "GET /RANDOMSTRING/ HTTP/1.1", host: "DOMAIN.com"
        


    PS: none of those listed IPs in the error.log is mine o_O
     
  2. eva2000

    eva2000 Administrator Staff Member

    42,268
    9,550
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,708
    Local Time:
    12:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    I assume maintenance mode via https://community.centminmod.com/threads/sitestatus-maintenance-mode.5599/ right ?

    are you behind cloudflare or a front end reverse proxy in front of Centmin Mod Nginx ? if so you need to ensure proper nginx real IP configuration is done otherwise, Centmin Mod Nginx will see visitor's IP coming from cloudflare or reverse proxy server IP and not the visitor's IP.
     
    • Winner Winner x 1
  3. menister

    menister New Member

    9
    3
    3
    May 17, 2019
    Ratings:
    +5
    Local Time:
    3:57 AM
    1.15.12
    10.3.15
    Cloudflare, uncomment the cloudflare.conf part in the ssl.conf..working now. So blind...

    But the IPB Admin part is still bugging me.
     
  4. eva2000

    eva2000 Administrator Staff Member

    42,268
    9,550
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,708
    Local Time:
    12:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    haha it's the simple stuff we overlook :)

    admin logs look right if those ips aren't yours, then the admin protection is working blocking access
     
  5. menister

    menister New Member

    9
    3
    3
    May 17, 2019
    Ratings:
    +5
    Local Time:
    3:57 AM
    1.15.12
    10.3.15
    Yeah but I don't have access aswell :D

    Getting 403 Forbidden
     
  6. eva2000

    eva2000 Administrator Staff Member

    42,268
    9,550
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,708
    Local Time:
    12:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    try placing your allow IP; directive above the deny all; and restart nginx/php-fpm

    see http://nginx.org/en/docs/http/ngx_http_access_module.html

     
    • Winner Winner x 1
  7. menister

    menister New Member

    9
    3
    3
    May 17, 2019
    Ratings:
    +5
    Local Time:
    3:57 AM
    1.15.12
    10.3.15
    Man, eva.. you are the best!

    Its working!

    Just need to figure out why its redirecting to /admin as soon as I login and therefore giving me forbidden, since /admin is denied.

    iirc, I need to put the new admin folder somewhere in a config file or was that only for IPB 3.X?
     
    • Like Like x 1
  8. eva2000

    eva2000 Administrator Staff Member

    42,268
    9,550
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,708
    Local Time:
    12:57 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
  9. Jimmy

    Jimmy Well-Known Member

    1,646
    353
    83
    Oct 24, 2015
    East Coast USA
    Ratings:
    +884
    Local Time:
    9:57 PM
    1.17.x
    MariaDB 10.3.x
    You need to add the new admin location to the constants.php file.

    Code:
    \define( 'CP_DIRECTORY', 'mydirectory' );
     
    • Winner Winner x 1
    • Informative Informative x 1
  10. menister

    menister New Member

    9
    3
    3
    May 17, 2019
    Ratings:
    +5
    Local Time:
    3:57 AM
    1.15.12
    10.3.15
    Perfect!

    It works!

    Thank you very much.
     
    • Like Like x 1