Join the community today
Become a Member

nginx - access forbidden by rules

Discussion in 'System Administration' started by dgd132, Sep 23, 2018.

  1. dgd132

    dgd132 New Member

    14
    4
    3
    Sep 12, 2018
    Ratings:
    +4
    Local Time:
    5:16 AM
    i'm running a wordpress civicrm install on centminmod beta.

    nginx is blocking access to some urls generated by the crm

    /home/nginx/domains/mydomain/log/error.log gives the error below:


    2018/09/22 14:22:42 [error] 18616#18616: *3881 access forbidden by rule, client: 66.249.93.207, server: [mydomain.com], request: "GET /wp-content/plugins/civicrm/civicrm/extern/open.php?q=12 HTTP/1.1", host: "[mydomain.com]"

    the main nginx error log is empty

    can i conclude from this that the rule in question is in the mydomain nginx conf file? or could it also be in the main nginx conf file?

    is there a better way to diagnose than removing rules one by one to find which one is causing the problem? are there any clues as to which rule is forbidding access in the error log?
     
  2. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    3:16 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    If on Centmin Mod 123.09beta01, you may have ran into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community You uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.
    Check if your nginx vhost at either or both /usr/local/nginx/conf/conf.d/domain.com.conf and/or /usr/local/nginx/conf/conf.d/domain.com.ssl.conf has include file for autoprotect example
    Code (Text):
    include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
    

    see if your directory for the script which has issues is caught in an autoprotect include entry in /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf which has a deny all entry
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    

    i.e.
    Code (Text):
    # /home/nginx/domains/domain.com/public/subdirectory/js
    location ~* ^/subdirectory/js/ { allow 127.0.0.1; deny all; }
    

    If caught you can whitelist it by autoprotect bypass .autoprotect-bypass file - details below here. So if problem js file is at domain.com/subdirectory/js/file.js then it is likely /subdirectory/js has a .htaccess with deny all in it - make sure that directory is meant to be publicly accessible by contacting author of script and if so, you can whitelist it and re-run autoprotect script to regenerate your /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file
    Code (Text):
    cd /home/nginx/domains/domain.com/public/subdirectory/js
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    nprestart
    

    it maybe you need to also whitelist /subdirectory then it would be as follows creating bypass files at /home/nginx/domains/domain.com/public/subdirectory/.autoprotect-bypass and /home/nginx/domains/domain.com/public/subdirectory/js/.autoprotect-bypass
    Code (Text):
    cd /home/nginx/domains/domain.com/public/subdirectory/
    touch .autoprotect-bypass
    cd /home/nginx/domains/domain.com/public/subdirectory/js
    touch .autoprotect-bypass
    /usr/local/src/centminmod/tools/autoprotect.sh
    nprestart
    

    then double check to see if updated /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf include file now doesn't show an entry for /subdirectory/js
     
  3. dgd132

    dgd132 New Member

    14
    4
    3
    Sep 12, 2018
    Ratings:
    +4
    Local Time:
    5:16 AM
    Hi Eva, having read through the above I don't think it is an autoprotect issue. There is no entry in autoprotect-domain.com.conf that would be denying access
     
  4. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    3:16 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    If you used centmin.sh menu option 22 auto installer Wordpress Nginx Auto Installer, the default wpsecure conf file at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf where vhostname is your domain name, blocks php scripts from executing in wp-content for security i.e. /wp-content/plugins/civicrm

    Below links you can see examples of setting up specific wordpress location matches to punch a hole in the wpsecure blocking to whitelist specific php files that need to be able to run.
     
  5. dgd132

    dgd132 New Member

    14
    4
    3
    Sep 12, 2018
    Ratings:
    +4
    Local Time:
    5:16 AM
    brilliant - thank you Eva. all working now. thanks so much for your help.
     
  6. eva2000

    eva2000 Administrator Staff Member

    54,647
    12,230
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,799
    Local Time:
    3:16 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Glad to hear :)