Nginx Nginx access (404)

ahmed · Apr 1, 2017

Hello

what is the security rules that controls access, for example
Code:
invalid_request: Failed to fetch configuration from: https://domain/.well-known/oauth2-client-configuration
also

this wordpress plugin showed the same when putting its nginx config in the domain vhost

http://www.wplocker.com/plugins/cod...p-v501-no-one-can-know-you-use-wordpress.html

eva2000 · Apr 2, 2017

If on Centmin Mod 123.09beta01, you may have ran into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community You uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know

Nginx web servers do not support Apache web server .htaccess files. So any web application which relies on .htaccess to protect directories will be fully open to the public on Nginx web servers unless your Nginx vhost config file has specific location directory matches to deny and/or password protect them.

tools/autoprotect.sh runs via cronjob and basically checks entire Centmin Mod LEMP stack server's Nginx vhost site's public web accessible directories for .htaccess files that exist. Then grabbing their directory path to .htaccess file and auto generating an Nginx equivalent location match and deny all setup.
Click to expand...

So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.

Is it better to add an exeption for 127.0.0.1 for autoprotect rules? | Centmin Mod Community

IP.Board - Query on autoprotect + IPB forums | Centmin Mod Community

Wordpress - Akismet JS and CSS - Forbidden? | Centmin Mod Community

https://community.centminmod.com/posts/45782/

ahmed · Apr 2, 2017

This is my autoprotect and dosn't have any restrtictions for that

Code:

# /home/nginx/domains/DOMAIN/public/wp-content/plugins/akismet

location /wp-content/plugins/akismet/ {
  location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)$ { allow all; expires 30d;}
  location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)$ { allow all; expires 30d;}
  location ~* /wp-content/plugins/akismet/.*\.php$ {
    include /usr/local/nginx/conf/php.conf;
    allow 127.0.0.1;
    deny all;
  }
}

# /home/nginx/domains/DOMAIN/public/wp-content/plugins/sucuri-scanner

location /wp-content/plugins/sucuri-scanner/ {
  location ~ ^/wp-content/plugins/sucuri-scanner/(.+/)?(.+)\.(gif|jpe?g|png|css|js)$ { allow all; expires 30d; }
  allow 127.0.0.1;
  deny all;
}

# /home/nginx/domains/DOMAIN/public/wp-content/plugins/p3-profiler/classes
location ~* ^/wp-content/plugins/p3-profiler/classes/ { allow 127.0.0.1; deny all; }
# /home/nginx/domains/DOMAIN/public/wp-content/plugins/p3-profiler/exceptions
location ~* ^/wp-content/plugins/p3-profiler/exceptions/ { allow 127.0.0.1; deny all; }
# /home/nginx/domains/DOMAIN/public/wp-content/plugins/p3-profiler/languages
location ~* ^/wp-content/plugins/p3-profiler/languages/ { allow 127.0.0.1; deny all; }
# /home/nginx/domains/DOMAIN/public/wp-content/plugins/p3-profiler/templates
location ~* ^/wp-content/plugins/p3-profiler/templates/ { allow 127.0.0.1; deny all; }
# /home/nginx/domains/DOMAIN/public/wp-content/plugins/hide_my_wp/lib/mute-screamer/libraries/IDS
location ~* ^/wp-content/plugins/hide_my_wp/lib/mute-screamer/libraries/IDS/ { allow 127.0.0.1; deny all; }
# https://community.centminmod.com/posts/35394/
# /home/nginx/domains/DOMAIN/public/wp-content/plugins/all-in-one-wp-security-and-firewall/logs

location /wp-content/plugins/all-in-one-wp-security-and-firewall/logs/ {
  location ~ ^/wp-content/plugins/all-in-one-wp-security-and-firewall/logs/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
  location ~ ^/wp-content/plugins/all-in-one-wp-security-and-firewall/logs/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
  location ~ ^/wp-content/plugins/all-in-one-wp-security-and-firewall/logs/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
  location ~ ^/wp-content/plugins/all-in-one-wp-security-and-firewall/logs/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
}

# /home/nginx/domains/DOMAIN/public/wp-content/uploads/sucuri
location ~* ^/wp-content/uploads/sucuri/ { allow 127.0.0.1; deny all; }
# /home/nginx/domains/DOMAIN/public/wp-content/uploads/learn-press-logs
location ~* ^/wp-content/uploads/learn-press-logs/ { allow 127.0.0.1; deny all; }
# /home/nginx/domains/DOMAIN/public/wp-content/uploads/woocommerce_uploads
location ~* ^/wp-content/uploads/woocommerce_uploads/ { allow 127.0.0.1; deny all; }
# /home/nginx/domains/DOMAIN/public/wp-content/uploads/wc-logs
location ~* ^/wp-content/uploads/wc-logs/ { allow 127.0.0.1; deny all; }
# /home/nginx/domains/DOMAIN/public/wp-content/uploads/profiles
location ~* ^/wp-content/uploads/profiles/ { allow 127.0.0.1; deny all; }

ahmed · Apr 2, 2017

I remeber from the old nginx guide

that the
/.well-known

needs to be enabled as it is needed for the let's encrypt, is it already allowd on centmin?

eva2000 · Apr 2, 2017

ahmed said: ↑

I remeber from the old nginx guide

that the
/.well-known

needs to be enabled as it is needed for the let's encrypt, is it already allowd on centmin?
Click to expand...

yes it is in staticfiles.conf include file and /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf include file where ${vhostname} is your domain name

When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)

Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf

Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com

Vhost public web root will be at /home/nginx/domains/newdomain.com/public

Vhost log directory will be at /home/nginx/domains/newdomain.com/log

Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

ahmed · Apr 2, 2017

I used option 22

- I don't have any file at /usr/local/nginx/conf/conf.d/newdomain.com.conf

the SSL is:
/usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf

Code (Text):

#x# HTTPS-DEFAULT
 server {

   server_name DOMAIN www.DOMAIN;
   return 302 https://$server_name$request_uri;
   include /usr/local/nginx/conf/staticfiles.conf;
 }

server {
  listen 443 ssl http2;
  server_name DOMAIN www.DOMAIN;

  include /usr/local/nginx/conf/ssl/DOMAIN/DOMAIN.crt.key.conf;
  include /usr/local/nginx/conf/ssl_include.conf;

  http2_max_field_size 16k;
  http2_max_header_size 32k;
  # mozilla recommended
  ssl_ciphers 000000000000000000000H+AES128:!aNULL$
  ssl_prefer_server_ciphers   on;
  #add_header Alternate-Protocol  443:npn-spdy/3;

  # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
  #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;
  #spdy_headers_comp 5;
  ssl_buffer_size 1369;
  ssl_session_tickets on;

  # enable ocsp stapling
  resolver 8.8.8.8 8.8.4.4 valid=10m;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-Xss-Protection "1; mode=block" always;
  #add_header X-Content-Type-Options "nosniff" always;

  # limit_conn limit_per_ip 16;
  # ssi  on;

 access_log /home/nginx/domains/DOMAIN/log/access.log main_ext buffer=256k flush=60m;
  error_log /home/nginx/domains/DOMAIN/log/error.log;

  include /usr/local/nginx/conf/autoprotect/DOMAIN/autoprotect-DOMAIN.conf;
  root /home/nginx/domains/DOMAIN/public;
  # uncomment cloudflare.conf include if using cloudflare for
  # server and/or vhost site
  #include /usr/local/nginx/conf/cloudflare.conf;
  include /usr/local/nginx/conf/503include-main.conf;

  #include /usr/local/nginx/conf/wpincludes/DOMAIN/wpcacheenabler_DOMAIN.conf;
  #include /usr/local/nginx/conf/wpincludes/DOMAIN/wpsupercache_DOMAIN.conf;
  # https://community.centminmod.com/posts/18828/
  include /usr/local/nginx/conf/wpincludes/DOMAIN/rediscache_DOMAIN.conf;

  location / {
  include /usr/local/nginx/conf/503include-only.conf;


  # Enables directory listings when index file not found
  #autoindex  on;

  # for wordpress super cache plugin
  #try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?q=$uri&$args;

  # for wp cache enabler plugin
  # try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
 
   # Wordpress Permalinks
 try_files $uri $uri/ /index.php?q=$uri&$args;

  # Nginx level redis Wordpress
  # https://community.centminmod.com/posts/18828/
 # try_files $uri $uri/ /index.php?$args;

  }

location ~* /(wp-login\.php) {
    limit_req zone=xwplogin burst=1 nodelay;
    #limit_conn xwpconlimit 30;
    auth_basic "Private";
    auth_basic_user_file /home/nginx/domains/DOMAIN/htpasswd_wplogin;
    include /usr/local/nginx/conf/php-wpsc.conf;
    # https://community.centminmod.com/posts/18828/
    include /usr/local/nginx/conf/php-rediscache.conf;
}

location ~* /(xmlrpc\.php) {
    limit_req zone=xwprpc burst=45 nodelay;
    #limit_conn xwpconlimit 30;
    include /usr/local/nginx/conf/php-wpsc.conf;
    # https://community.centminmod.com/posts/18828/
    include /usr/local/nginx/conf/php-rediscache.conf;
}

  include /usr/local/nginx/conf/wpincludes/DOMAIN/wpsecure_DOMAIN.conf;
  #include /usr/local/nginx/conf/php-wpsc.conf;
  # https://community.centminmod.com/posts/18828/
  include /usr/local/nginx/conf/php-rediscache.conf;
  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}

eva2000 · Apr 2, 2017

that looks about right, .well-known location allowances would be within these 2 include files
Code (Text):
  include /usr/local/nginx/conf/wpincludes/DOMAIN/wpsecure_DOMAIN.conf;

  include /usr/local/nginx/conf/staticfiles.conf;
so letsencrypt would work for fresh Nginx vhost installs on centmin Mod but if you have wordpress plugins added that try to read and use .well-known directory and have location contexts added above those 2 include files then they are't read due to the order of files. So you need to add you own specific location context for any additionally added location contexts for plugins that utilise .well-known

what wordpress plugin is trying to use .well-known/oauth2-client-configuration ?

ahmed · Apr 2, 2017

eva2000 said: ↑

what wordpress plugin is trying to use .well-known/oauth2-client-configuration ?
Click to expand...

auth0.com plugin

- Thanks a lot for your continuous help and rapid support

-I will look into these files. but why then the hide my wp nginx settings faild? I will try to play with them in another installation and see

Log in / Register

Forums

Join the community today

Nginx Nginx access (404)

ahmed Active Member

eva2000 Administrator Staff Member

ahmed Active Member

ahmed Active Member

eva2000 Administrator Staff Member

ahmed Active Member

eva2000 Administrator Staff Member

ahmed Active Member

.

Log in / Register

Useful Searches

Join the community today

Nginx Nginx access (404)

ahmed Active Member

eva2000 Administrator Staff Member

ahmed Active Member

ahmed Active Member

eva2000 Administrator Staff Member

ahmed Active Member

eva2000 Administrator Staff Member

ahmed Active Member

.