
Beta Branch update tools/autoprotect.sh add .autoprotect-bypass file option

Discussion in 'Centmin Mod Github Commits' started by eva2000, May 16, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    29,037
    6,589
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,784
    Local Time:
    2:28 PM
    Nginx 1.13.x
    MariaDB 5.5
    update tools/autoprotect.sh add .autoprotect-bypass file option

    Give end user option to manually bypass autoprotect.sh script and NOT create an nginx deny all location match by manually creating a .autoprotect-bypass file within the directory you want to bypass and exclude from autoprotect.sh. You may want to do this if your nginx deny location match for a directory involves whitelisting IP addresses' access to the directory. The autoprotect.sh has no way of detecting if you already set up an nginx deny location match for a directory but also added whitelisted IPs for the nginx location, so will try to generate an nginx deny all rule if .htaccess file is in the directory with contents of 'deny from all' text. If you manually create a /privatedirectoryname/.autoprotect-bypass file, autoprotect.sh script skips generating the nginx deny all rule.


    123.09beta01 branch
     
  2. pamamolf

    pamamolf Well-Known Member

    2,533
    231
    63
    May 31, 2014
    Ratings:
    +394
    Local Time:
    7:28 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Just block my site :(

    Code:
    # /home/nginx/domains/domain.com/public/vqmod
    location ~* ^/vqmod/ { deny all; }
    # /home/nginx/domains/domain.com/public
    location ~* ^/ { deny all; }
    Disabling autoprotect on domain vhost is working again...
     
  3. eva2000

    eva2000 Administrator Staff Member

    hmm what's output for this command - replace domain.com with your actual domain name
    Code (Text):
    find /home/nginx/domains/domain.com -name ".htaccess" -print0 | xargs -0 echo | grep "domain.com/public"

    and
    Code (Text):
    grep -iR 'Deny from all' /home/nginx/domains/domain.com/*
    
     
  4. pamamolf

    pamamolf Well-Known Member

    I think the issue is this one:

    Code:
    location ~* ^/ { deny all; }
    The script got confused as i do not have at all a .htaccess file at root but only one blabla.htaccess.txt and maybe got the info from this one....?

    Code:
    /home/nginx/domains/domain.com/public/vqmod/.htaccess
    /home/nginx/domains/domain.com/public/.htaccess
    /home/nginx/domains/domain.com/public/domainold/vqmod/.htaccess
    /home/nginx/domains/domain.com/public/domainold/.htaccess
    /home/nginx/domains/domain.com/public/domainold/admin/view/javascript/ckeditor/.htaccess
    /home/nginx/domains/domain.com/public/admin/view/javascript/ckeditor/.htaccess
    /home/nginx/domains/domain.com/public/stats/.htaccess
    and

    Code:
    /home/nginx/domains/domain.com/public/vqmod/.htaccess:Deny from all
    /home/nginx/domains/domain.com/public/.htaccess: Deny from all
    /home/nginx/domains/domain.com/public/blabla.htaccess.txt: Deny from all
    /home/nginx/domains/domain.com/public/domainold/vqmod/.htaccess:Deny from all
    /home/nginx/domains/domain.com/public/domainold/.htaccess: Deny from all
    /home/nginx/domains/domain.com/public/domainold/.htaccess_old: Deny from all
    /home/nginx/domains/domain.com/public/stats/.htaccess:deny from all
    It will be better to check only for .htaccess file name and nothing else i think....
     
  5. eva2000

    eva2000 Administrator Staff Member

    that is all i check for .htaccess and then derive the path to .htaccess
    hmmm it must be matching on the
    Code (Text):
    grep "domain.com/public"
    
     
  6. eva2000

    eva2000 Administrator Staff Member

    strange not seeing it on my test server
    Code (Text):
    find /home/nginx/domains/testdomain9.com -name ".htaccess" -print0 | xargs -0 echo | grep "testdomain9.com/public"
    /home/nginx/domains/testdomain9.com/public/testdir10/.htaccess /home/nginx/domains/testdomain9.com/public/testdir13/.htaccess /home/nginx/domains/testdomain9.com/public/testdir4/.htaccess /home/nginx/domains/testdomain9.com/public/testdir11/.htaccess /home/nginx/domains/testdomain9.com/public/testdir9/.htaccess /home/nginx/domains/testdomain9.com/public/testdir2/.htaccess /home/nginx/domains/testdomain9.com/public/testdir5/.htaccess /home/nginx/domains/testdomain9.com/public/testdir/.htaccess /home/nginx/domains/testdomain9.com/public/testdir7/.htaccess /home/nginx/domains/testdomain9.com/public/testdir3/.htaccess /home/nginx/domains/testdomain9.com/public/testdir8/.htaccess /home/nginx/domains/testdomain9.com/public/testdir12/.htaccess /home/nginx/domains/testdomain9.com/public/testdir6/.htaccess /home/nginx/domains/testdomain9.com/public/testdir111/.htaccess
    
     
  7. eva2000

    eva2000 Administrator Staff Member

    Ah i see, i guess i need to check for 'deny from all' earlier in script

    but what's output for you
    Code (Text):
    grep -i 'Deny from all' "/home/nginx/domains/domain.com/public/.htaccess" >/dev/null 2>&1; echo $?

    and
    Code (Text):
    grep -i 'Deny from all' "/home/nginx/domains/domain.com/public/.htaccess"
     
  8. pamamolf

    pamamolf Well-Known Member

    The first command returns "0" and the second "Deny from all"

    I am sure that the script got the content from root file blabla.htaccess.txt and add a rewrite rule for it but it shouldn't....

    Thanks
     
  9. eva2000

    eva2000 Administrator Staff Member

    that means .htaccess in web root had deny from all, so it is correct. autoprotect.sh does not touch the contents of .htaccess, it just reads it for deny from all
     
  10. pamamolf

    pamamolf Well-Known Member

    But i do not have any .htaccess file in the root :(

    I only have a file named: blabla.htaccess.txt
     
  11. eva2000

    eva2000 Administrator Staff Member

    oh i see it matched on that then.. need to revise the check :)
     
  12. eva2000

    eva2000 Administrator Staff Member

    actually latest autoprotect.sh update should have fixed it in 123.09beta01 ;)
     
  13. pamamolf

    pamamolf Well-Known Member

    How can i completely disable it?

    Not from vhost file, looking for a global switch to disable it....

    Is there any permanent option to add somewhere so it will never get activated?
     
  14. eva2000

    eva2000 Administrator Staff Member

    why is it still causing problems ? fixing the problems would be better - feedback ;)
     
  15. pamamolf

    pamamolf Well-Known Member

    Yes it was causing a problem with a script on a folder that autoprotect.....

    Didn't keep any notes as i disabled it a few days ago and i don't have any feedback for it :(

    Ok if i have again any issues i will let you know....
     
  16. eva2000

    eva2000 Administrator Staff Member

    If you have a directory with .htaccess in it with deny from all, it will trigger autoprotect unless you add to directory a file, .autoprotect-bypass i.e. /privatedirectoryname/.autoprotect-bypass or remove that .htaccess file as it's useless on nginx anyway.

    But if your script has .htaccess with deny from all in it, then the developer of that script intended for that directory to be not accessible on Apache, so it should be the same for Nginx = not accessible. This is where security could be compromised for a web app script which was written with Apache in mind, with .htaccess deny from all, that is migrated to Nginx, as it leaves the intended no access directories open on Nginx if autoprotect.sh didn't exist.
     
    Last edited: Jun 8, 2016
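
The cases raised in this thread (exact `.htaccess` name matching, the `.autoprotect-bypass` marker, and a deny in the web root producing `location ~* ^/ { deny all; }`) can be exercised with a small scanner. This is an added example, not Centmin Mod's autoprotect.sh: the names `gen_deny_rules` and `demo`, the web-root skip and the safe-name check are assumptions of the example, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not Centmin Mod's autoprotect.sh; gen_deny_rules and demo
# are hypothetical names. Paths containing newlines are not supported.

# Print an nginx "deny all" location for each directory under DOCROOT whose
# .htaccess says "deny from all", honouring .autoprotect-bypass.
gen_deny_rules() {
  docroot="${1%/}"
  # -name matches the exact basename, so blabla.htaccess.txt and
  # .htaccess_old are never picked up.
  find "$docroot" -type f -name '.htaccess' | LC_ALL=C sort |
  while IFS= read -r htaccess; do
    dir="${htaccess%/.htaccess}"
    # Require the directive at the start of a line, any case.
    grep -qiE '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$htaccess" || continue
    # Operator opt-out: the marker file described in the thread.
    if [ -e "$dir/.autoprotect-bypass" ]; then
      echo "# bypassed: $dir"; continue
    fi
    rel="${dir#"$docroot"}"
    # Assumption: a deny in the web root is reported, not emitted, because
    # "location ~* ^/ { deny all; }" denies every request to the site.
    if [ -z "$rel" ]; then
      echo "# skipped web root, review manually: $dir"; continue
    fi
    # Assumption: refuse names that would need escaping in an nginx regex.
    case "$rel" in
      *[!A-Za-z0-9/_-]*) echo "# skipped unsafe name: $dir"; continue ;;
    esac
    echo "# $dir"
    echo "location ~* ^$rel/ { deny all; }"
  done
}

# Constructed sample tree loosely mirroring the layout reported in the thread.
demo() {
  root="$(mktemp -d)/public"
  mkdir -p "$root/vqmod" "$root/stats" "$root/private"
  echo 'Deny from all' > "$root/vqmod/.htaccess"
  echo 'deny from all' > "$root/stats/.htaccess"
  echo 'Deny from all' > "$root/blabla.htaccess.txt"  # wrong name: ignored
  echo 'Deny from all' > "$root/private/.htaccess"
  : > "$root/private/.autoprotect-bypass"             # opt-out: skipped
  gen_deny_rules "$root"
}

demo
```

Run against the sample tree, it emits rules for `/stats/` and `/vqmod/` only and reports `/private` as bypassed.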
  17. pamamolf

    pamamolf Well-Known Member

    Yes i know and you did it right but a user seems to try to install after that an addon and the developer maybe try to access the script using the domain link and it doesn't work or they do something like this....

    Keep it as it is as your way is the correct one to do this :)
     
  18. eva2000

    eva2000 Administrator Staff Member

    in that case probably best to just temporarily add a .autoprotect-bypass file to that directory and then remove it after the developer has accessed it :)
     
  19. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +161
    Local Time:
    12:28 PM
    latest
    latest
    getting these emails

    subject: Cron <root@xx> /root/centminmod-123.09beta01/tools/autoprotect.sh

    body:

    generated nginx include file: /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    generated nginx include file: /usr/local/nginx/conf/autoprotect/domain2.xyz/autoprotect-domain2.xyz.conf
    generated nginx include file: /usr/local/nginx/conf/autoprotect/domain3.com/autoprotect-domain3.com.conf

    autoprotect.sh run completed...

    /usr/bin/ngxrestart: line 1: service: command not found
     
  20. eva2000

    eva2000 Administrator Staff Member

    check if it exists ?
    Code (Text):
     ls -lah /usr/bin/ngxrestart
    -rwx------. 1 root root 22 May 20 18:07 /usr/bin/ngxrestart

    Oh i see the problem, similar to what @pamamolf reported at Autoprotect nginx wrong path | Centmin Mod Community: the cronjob is incorrectly linked to /root/centminmod-123.09beta01/tools/autoprotect.sh instead of /usr/local/src/centminmod/tools/autoprotect.sh
     