
Nginx access (404)

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by ahmed, Apr 1, 2017.

  1. ahmed

    ahmed Member

    201
    15
    18
    Feb 21, 2017
    Ratings:
    +21
    Local Time:
    5:35 AM
  2. eva2000

    eva2000 Administrator Staff Member

    30,161
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,136
    Local Time:
    1:35 PM
    Nginx 1.13.x
    MariaDB 5.5
    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks' web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users' feedback and troubleshooting.
     
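A minimal sketch of the scan described in the post above, added here as an example; it is not Centmin Mod's tools/autoprotect.sh and not code from this thread. It walks a web root, finds .htaccess files containing `deny from all`, skips directories carrying a .autoprotect-bypass file, and prints nginx rules in the style of the generated file quoted in the next post. The function names and the sample directory tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: a sketch of the idea only, NOT the real autoprotect.sh.

# Print an nginx deny rule for every directory under $1 whose .htaccess
# contains an uncommented "deny from all". Body runs in a subshell so its
# variables stay local. Paths containing newlines are not supported.
gen_autoprotect() (
  webroot="${1%/}"
  find "$webroot" -type f -name .htaccess | LC_ALL=C sort |
  while IFS= read -r htaccess; do
    dir="$(dirname "$htaccess")"
    grep -Eiq '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$htaccess" || continue
    # Operator opt-out marker named in the post above
    if [ -e "$dir/.autoprotect-bypass" ]; then continue; fi
    # Never emit a rule for the web root itself: it would block the whole site
    if [ "$dir" = "$webroot" ]; then continue; fi
    rel="${dir#"$webroot"}"
    # Escape dots so a name like "demo-1.2" is matched literally by the regex
    rel_re="$(printf '%s' "$rel" | sed 's/\./\\./g')"
    printf '# %s\nlocation ~* ^%s/ { allow 127.0.0.1; deny all; }\n' "$dir" "$rel_re"
  done
)

# Build a constructed sample tree (hypothetical plugin and theme names) and
# print its location.
make_sample_tree() (
  t="$(mktemp -d)"
  p="$t/public/wp-content"
  mkdir -p "$p/uploads/wc-logs" "$p/uploads/profiles" \
           "$p/plugins/demo-1.2/logs" "$p/themes/demo"
  echo 'Deny from all'   > "$p/uploads/wc-logs/.htaccess"         # protected
  echo 'deny from all'   > "$p/uploads/profiles/.htaccess"        # bypassed
  : > "$p/uploads/profiles/.autoprotect-bypass"
  echo 'deny from all'   > "$p/plugins/demo-1.2/logs/.htaccess"   # protected
  echo '# deny from all' > "$p/themes/demo/.htaccess"             # commented out
  printf '%s\n' "$t"
)

sample="$(make_sample_tree)"
gen_autoprotect "$sample/public"
rm -rf "$sample"
```

A directory that starts returning 403 or 404 after such a rule is generated can be compared against this output to see whether an .htaccess shipped with the application triggered it.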
  3. ahmed

    ahmed Member

    This is my autoprotect and it doesn't have any restrictions for that

    Code:
    # /home/nginx/domains/DOMAIN/public/wp-content/plugins/akismet
    
    location /wp-content/plugins/akismet/ {
      location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)$ { allow all; expires 30d;}
      location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)$ { allow all; expires 30d;}
      location ~* /wp-content/plugins/akismet/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        deny all;
      }
    }
    
    # /home/nginx/domains/DOMAIN/public/wp-content/plugins/sucuri-scanner
    
    location /wp-content/plugins/sucuri-scanner/ {
      location ~ ^/wp-content/plugins/sucuri-scanner/(.+/)?(.+)\.(gif|jpe?g|png|css|js)$ { allow all; expires 30d; }
      allow 127.0.0.1;
      deny all;
    }
    
    # /home/nginx/domains/DOMAIN/public/wp-content/plugins/p3-profiler/classes
    location ~* ^/wp-content/plugins/p3-profiler/classes/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/DOMAIN/public/wp-content/plugins/p3-profiler/exceptions
    location ~* ^/wp-content/plugins/p3-profiler/exceptions/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/DOMAIN/public/wp-content/plugins/p3-profiler/languages
    location ~* ^/wp-content/plugins/p3-profiler/languages/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/DOMAIN/public/wp-content/plugins/p3-profiler/templates
    location ~* ^/wp-content/plugins/p3-profiler/templates/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/DOMAIN/public/wp-content/plugins/hide_my_wp/lib/mute-screamer/libraries/IDS
    location ~* ^/wp-content/plugins/hide_my_wp/lib/mute-screamer/libraries/IDS/ { allow 127.0.0.1; deny all; }
    # https://community.centminmod.com/posts/35394/
    # /home/nginx/domains/DOMAIN/public/wp-content/plugins/all-in-one-wp-security-and-firewall/logs
    
    location /wp-content/plugins/all-in-one-wp-security-and-firewall/logs/ {
      location ~ ^/wp-content/plugins/all-in-one-wp-security-and-firewall/logs/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/wp-content/plugins/all-in-one-wp-security-and-firewall/logs/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/wp-content/plugins/all-in-one-wp-security-and-firewall/logs/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/wp-content/plugins/all-in-one-wp-security-and-firewall/logs/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }
    
    # /home/nginx/domains/DOMAIN/public/wp-content/uploads/sucuri
    location ~* ^/wp-content/uploads/sucuri/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/DOMAIN/public/wp-content/uploads/learn-press-logs
    location ~* ^/wp-content/uploads/learn-press-logs/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/DOMAIN/public/wp-content/uploads/woocommerce_uploads
    location ~* ^/wp-content/uploads/woocommerce_uploads/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/DOMAIN/public/wp-content/uploads/wc-logs
    location ~* ^/wp-content/uploads/wc-logs/ { allow 127.0.0.1; deny all; }
    # /home/nginx/domains/DOMAIN/public/wp-content/uploads/profiles
    location ~* ^/wp-content/uploads/profiles/ { allow 127.0.0.1; deny all; }
    
    
     
  4. ahmed

    ahmed Member

    I remember from the old nginx guide that the /.well-known needs to be enabled as it is needed for Let's Encrypt. Is it already allowed on Centmin?
     
  5. eva2000

    eva2000 Administrator Staff Member

    yes it is in staticfiles.conf include file and /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf include file where ${vhostname} is your domain name

    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)
     
  6. ahmed

    ahmed Member

    I used option 22

    - I don't have any file at /usr/local/nginx/conf/conf.d/newdomain.com.conf


    the SSL is:
    /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

    Code (Text):
    #x# HTTPS-DEFAULT
     server {
    
       server_name DOMAIN www.DOMAIN;
       return 302 https://$server_name$request_uri;
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    server {
      listen 443 ssl http2;
      server_name DOMAIN www.DOMAIN;
    
      include /usr/local/nginx/conf/ssl/DOMAIN/DOMAIN.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      http2_max_field_size 16k;
      http2_max_header_size 32k;
      # mozilla recommended
      ssl_ciphers 000000000000000000000H+AES128:!aNULL$
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
     access_log /home/nginx/domains/DOMAIN/log/access.log main_ext buffer=256k flush=60m;
      error_log /home/nginx/domains/DOMAIN/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/DOMAIN/autoprotect-DOMAIN.conf;
      root /home/nginx/domains/DOMAIN/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      #include /usr/local/nginx/conf/wpincludes/DOMAIN/wpcacheenabler_DOMAIN.conf;
      #include /usr/local/nginx/conf/wpincludes/DOMAIN/wpsupercache_DOMAIN.conf;
      # https://community.centminmod.com/posts/18828/
      include /usr/local/nginx/conf/wpincludes/DOMAIN/rediscache_DOMAIN.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # for wordpress super cache plugin
      #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;
    
      # for wp cache enabler plugin
      # try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
     
       # Wordpress Permalinks
     try_files $uri $uri/ /index.php?q=$uri&$args;
    
      # Nginx level redis Wordpress
      # https://community.centminmod.com/posts/18828/
     # try_files $uri $uri/ /index.php?$args;
    
      }
    
    location ~* /(wp-login\.php) {
        limit_req zone=xwplogin burst=1 nodelay;
        #limit_conn xwpconlimit 30;
        auth_basic "Private";
        auth_basic_user_file /home/nginx/domains/DOMAIN/htpasswd_wplogin;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
    location ~* /(xmlrpc\.php) {
        limit_req zone=xwprpc burst=45 nodelay;
        #limit_conn xwpconlimit 30;
        include /usr/local/nginx/conf/php-wpsc.conf;
        # https://community.centminmod.com/posts/18828/
        include /usr/local/nginx/conf/php-rediscache.conf;
    }
    
      include /usr/local/nginx/conf/wpincludes/DOMAIN/wpsecure_DOMAIN.conf;
      #include /usr/local/nginx/conf/php-wpsc.conf;
      # https://community.centminmod.com/posts/18828/
      include /usr/local/nginx/conf/php-rediscache.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    
    
    
     
  7. eva2000

    eva2000 Administrator Staff Member

    that looks about right, .well-known location allowances would be within these 2 include files
    Code (Text):
      include /usr/local/nginx/conf/wpincludes/DOMAIN/wpsecure_DOMAIN.conf;
    
      include /usr/local/nginx/conf/staticfiles.conf;
    

    so letsencrypt would work for fresh Nginx vhost installs on Centmin Mod but if you have wordpress plugins added that try to read and use .well-known directory and have location contexts added above those 2 include files then they aren't read due to the order of files. So you need to add your own specific location context for any additionally added location contexts for plugins that utilise .well-known

    what wordpress plugin is trying to use .well-known/oauth2-client-configuration ?
     
  8. ahmed

    ahmed Member

    auth0.com plugin


    - Thanks a lot for your continuous help and rapid support :)


    - I will look into these files. But why then the hide my wp nginx settings failed? I will try to play with them in another installation and see