IP.Board Query on autoprotect + IPB forums

Discussion in 'Forum software usage' started by Colin, Jul 27, 2016.

  1. Colin

    Colin Premium Member Premium Member

    191
    59
    28
    Oct 7, 2015
    Sheffield UK
    Ratings:
    +153
    Local Time:
    10:36 AM
    1.19.#
    MariaDB 10.1.#
    Hi,
    I understand the reasons and agree it's needed for some apps.

    I think it might need some tweaking, or not... This topic is to discuss that and slightly biased ;)

    The current problem is the current IPB .htaccess for a folder { uploads } ( This goes away soon as I move to XF ~ only PHP application in stack )


    Code:
    #<ipb-protection>
    <Files ~ "^.*\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)">
        Order allow,deny
        Deny from all
    </Files>
    <Files ~ "^.*\.(ipb)$">
    Header set Content-Disposition attachment
    </Files>
    #</ipb-protection>
    
    The autoprotect runs and creates the following
    Code:
    location ~* ^/forums/uploads/ { deny all; }
    
    I think I need?
    Code:
    location ~* ^/forums/uploads/.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml) { deny all; }
    
    Ok, except the .htaccess isn't really a deny all, unless I want no images...

    I've mitigated this with a .autoprotect-bypass file as mentioned and this indeed skips the autoprotect on the dir, but leaves me manually applying the right setup.

    I'm happy with the by default it will deny all as a safety net for us humans.

    I'm wondering if a slightly better 'tweak' might be to take the content of the .autoprotect-bypass and use that as the rule, if empty use the default etc... So in effect, saying .autoprotect-bypass is an nginx location directive.

    The downside, is scattering config everywhere...but it is very directory and application specific.

    Thoughts?
     
  2. eva2000

    eva2000 Administrator Staff Member

    53,142
    12,110
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,645
    Local Time:
    7:36 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Not entirely sure I understand what you mean?
     
  3. eva2000

    Can you confirm if this works for your IPB install? You can comment out the autoprotect include file in the nginx vhost temporarily for the IPB vhost to disable autoprotect.
    Code (Text):
    #include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
    

    Try this, does it work?
    Code (Text):
    location ~ ^/forums/uploads/ {
      location ~* ^/forums/uploads/(.*)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { deny all; }
      location ~* ^/forums/uploads/(.*)\.(ipb)$ {
        add_header 'Content-Disposition' "attachment";
      }
    }
    
     
    Last edited: Jul 28, 2016
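
    Added example (not part of any post in this thread): a Python check that runs the three nginx patterns quoted above, plus the original .htaccess <Files> pattern, over constructed sample paths to show which requests each one would deny. Python's re module stands in for nginx's PCRE, and the rule names and sample paths are assumptions made for the illustration.

```python
import re

EXTS = r"(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)"

# The three nginx rules quoted in the thread; "~*" means case-insensitive.
RULES = {
    "autoprotect": re.compile(r"^/forums/uploads/", re.I),
    "proposed": re.compile(r"^/forums/uploads/." + EXTS, re.I),
    "nested": re.compile(r"^/forums/uploads/(.*)\." + EXTS + r"$", re.I),
}
# Apache <Files ~ "..."> tests the file name only; the pattern has no "$".
HTACCESS = re.compile(r"^.*\." + EXTS)

# Constructed sample request paths (not taken from the thread).
SAMPLES = [
    "/forums/uploads/avatar.jpg",
    "/forums/uploads/shell.php",
    "/forums/uploads/monthly/shell.phtml",
    "/forums/uploads/shell.php.jpg",
]


def denied(rule, uri):
    """True if the named nginx location regex matches the request URI."""
    return RULES[rule].search(uri) is not None


def htaccess_denied(uri):
    """True if the original .htaccess <Files> pattern matches the file name."""
    return HTACCESS.search(uri.rsplit("/", 1)[-1]) is not None


def report():
    """Map each sample path to the verdict of every rule."""
    return {
        uri: {"htaccess": htaccess_denied(uri),
              **{name: denied(name, uri) for name in RULES}}
        for uri in SAMPLES
    }


if __name__ == "__main__":
    for uri, row in report().items():
        print(uri, row)
```

    The directory-wide autoprotect rule denies avatar.jpg, while the pattern from the first post does not match shell.php because its unescaped dot consumes one character before the extension. shell.php.jpg is matched only by the .htaccess pattern, since the nested nginx rule ends in "$".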
  4. eva2000

    Also, does IP also have such a .htaccess in /datastore?
     
  5. Colin

    Sorry. I meant, use the fact that if a .autoprotect-bypass file exists, do something.
    Read its content. If its content is not empty then use that as the directive*. If it is empty, then do nothing; bypass, and if it's not present then do the default action as per now.

    *We'll trust the content is valid!

    Will try and report back, this rule is what I was suggesting goes in the bypass file to be used in the autoprotect-domain.com.conf file.

    There are a few, I'll check.
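
    Added example (not part of any post in this thread, and not Centmin Mod's autoprotect code): a Python sketch of the three-state .autoprotect-bypass logic proposed above. It goes one step beyond the proposal by falling back to the default deny when a non-empty bypass file does not look like a location block; the function names and the temporary directory tree are hypothetical.

```python
import os
import tempfile

BYPASS = ".autoprotect-bypass"  # marker file name from the thread


def balanced(text):
    """Cheap sanity check: braces pair up and never close before opening."""
    depth = 0
    for ch in text:
        depth += (ch == "{") - (ch == "}")
        if depth < 0:
            return False
    return depth == 0


def rule_for(docroot, rel_dir):
    """Return the nginx snippet for one protected directory, or None to skip."""
    default = "location ~* ^/%s/ { deny all; }" % rel_dir.strip("/")
    path = os.path.join(docroot, rel_dir, BYPASS)
    if not os.path.isfile(path):
        return default                      # no marker: default action as now
    with open(path, encoding="utf-8") as fh:
        body = fh.read().strip()
    if not body:
        return None                         # empty marker: plain bypass
    if not body.startswith("location") or not balanced(body):
        return default                      # malformed override: fail closed
    return body                             # non-empty marker: use as the rule


def build_include(docroot, rel_dirs):
    """Join the per-directory rules into the text of one include file."""
    rules = [rule_for(docroot, d) for d in rel_dirs]
    return "\n".join(r for r in rules if r) + "\n"


def demo():
    """Constructed tree: one override, one empty bypass, one untouched dir."""
    dirs = ["forums/uploads", "forums/cache", "forums/hooks"]
    with tempfile.TemporaryDirectory() as root:
        for d in dirs:
            os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, dirs[0], BYPASS), "w") as fh:
            fh.write("location ~ ^/forums/uploads/ {\n"
                     "  location ~* \\.(php|phtml)$ { deny all; }\n}\n")
        open(os.path.join(root, dirs[1], BYPASS), "w").close()
        return build_include(root, dirs)
```

    The brace check is only a coarse filter; running nginx -t on the generated include before a reload is what actually validates the syntax.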
     
  6. eva2000

  7. Colin

    Hi this did appear to work. This is also IPB 3.4 which I'm holding on to. Nothing in 4 has made me keen to upgrade, rather migrate. So I'm not sure a specific rule set for IPB3 is worth it.

    I really was just thinking of hijacking the autoprotect bypass to be a .htaccess for nginx(centminmod).

    To make it work at the moment then, I'm touching each location and adding the rules to the main conf.

    - These outcomes are the same .htaccess as uploads, other installs may vary, e.g. those with blog or content...:
    #location ~* ^/forums/hooks/ { deny all; }
    #location ~* ^/forums/cache/ { deny all; }
    #location ~* ^/forums/public/style_emoticons/ { deny all; }
    #location ~* ^/forums/public/style_captcha/ { deny all; }
    #location ~* ^/forums/public/style_extra/ { deny all; }
    #location ~* ^/forums/public/style_css/ { deny all; }
    #location ~* ^/forums/public/style_images/ { deny all; }
     
    Last edited: Jul 29, 2016
  8. eva2000
