Join the community today
Register Now

[Solved] PHPi.php not password protected

Discussion in 'Bug Reports' started by Alex Y, Jun 3, 2017.

  1. Alex Y

    Alex Y New Member

    26
    5
    3
    Jun 3, 2017
    Ratings:
    +7
    Local Time:
    11:52 AM
    Nginx 1.13.1
    MariaDB 10
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.13.10
    • PHP Version Installed:7.1.5
    • MariaDB MySQL Version Installed: 10.1.24
    • When was last time updated Centmin Mod code base ? : 5 minutes ago as of this post
    • Persistent Config:
      Code:
      LETSENCRYPT_DETECT='y'
      NGINX_PAGESPEED='y'
      NGXDYNAMIC_NGXPAGESPEED='y'
    Not a big issue, just a minor security concern.

    So I did a fresh install of above settings (upgraded php post-install), along with wordpress vhost via option #22. Activated pagespeed following the centmin guide. Afterwards, I realized that XXX_phpi.php is not password protected anymore.

    My
    server {

    listen 80 default_server backlog=2048 reuseport;

    server_name XXXXX;

    root html;


    access_log /var/log/nginx/localhost.access.log combined buffer=8k flush=1m;

    error_log /var/log/nginx/localhost.error.log error;


    # ngx_pagespeed & ngx_pagespeed handler

    include /usr/local/nginx/conf/pagespeed.conf;

    include /usr/local/nginx/conf/pagespeedhandler.conf;

    include /usr/local/nginx/conf/pagespeedstatslog.conf;


    # limit_conn limit_per_ip 16;

    # ssi on;


    location /nginx_status {

    stub_status on;

    access_log off;

    allow 127.0.0.1;

    deny all;

    }


    location / {


    # block common exploits, sql injections etc

    #include /usr/local/nginx/conf/block.conf;


    # Enables directory listings when index file not found

    # autoindex on;


    # Shows file listing times as local time

    # autoindex_localtime on;


    # Enable for vBulletin usage WITHOUT vbSEO installed

    # try_files $uri $uri/ /index.php;


    }


    include /usr/local/nginx/conf/staticfiles.conf;

    include /usr/local/nginx/conf/include_opcache.conf;

    include /usr/local/nginx/conf/php.conf;

    #include /usr/local/nginx/conf/phpstatus.conf;

    include /usr/local/nginx/conf/drop.conf;

    #include /usr/local/nginx/conf/errorpage.conf;

    #include /usr/local/nginx/conf/vts_mainserver.conf;


    }

     
  2. eva2000

    eva2000 Administrator Staff Member

    55,796
    12,271
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,857
    Local Time:
    4:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    As far back as I can remember, phpi.php was never password protected it was created with a randomly generated prefix XXXXX_phpi.php instead and is hosted off the main hostname's virtual host with web root at /usr/local/nginx/html outlined in step 1 of Getting Started Guide
    I guess I could add native password protection within the phpi.php file itself like I did for zend opcache and memcache.php files too.
     
  3. eva2000

    eva2000 Administrator Staff Member

    55,796
    12,271
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,857
    Local Time:
    4:52 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  4. Alex Y

    Alex Y New Member

    26
    5
    3
    Jun 3, 2017
    Ratings:
    +7
    Local Time:
    11:52 AM
    Nginx 1.13.1
    MariaDB 10
    @eva2000 Thanks for adding password protect in!