
Beta Branch update tools/autoprotect.sh add .autoprotect-bypass file option

Discussion in 'Centmin Mod Github Commits' started by eva2000, May 16, 2016.

  1. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    5:08 AM
    latest
    latest
    yes it does

    # ls -lah /usr/bin/ngxrestart
    -rwx------ 1 root root 22 Jan 22 20:57 /usr/bin/ngxrestart
    [root@alpha ~]# /usr/bin/ngxrestart
    Restarting nginx (via systemctl): [ OK ]
     
  2. eva2000

    eva2000 Administrator Staff Member

    45,662
    10,361
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,080
    Local Time:
    7:08 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Fixed up the tools/autoprotect.sh cronjob set path with the latest Centmin Mod 123.09beta01 updated code. Just update to the latest 123.09beta01 code via centmin.sh menu option 23, submenu option 2, and then run centmin.sh once more after the updated code is in place. The cronjob path should auto fix and you can confirm via the command to list cronjobs
    Code (Text):
    crontab -l
    
     
  3. dorobo

    dorobo Active Member

    I just noticed this but apparently the images in one of my WordPress installs are not loading (403 forbidden)

    and it's because autoprotect-domain.com.conf

    contains

    # /home/nginx/domains/domain.com/public/wp-content/uploads
    location ~* ^/wp-content/uploads/ { allow 127.0.0.1; deny all; }

    I don't know for how long this has been going on but can we please have an option (for users who want to waive their rights to be protected) to disable autoprotect altogether?
     
    Last edited: Apr 9, 2017
  4. eva2000

    eva2000 Administrator Staff Member

    what does your /home/nginx/domains/domain.com/public/wp-content/uploads/.htaccess file contain ?

    The whole point of autoprotect.sh is so folks are alerted to the fact that some directories need to be looked at more closely than others. A blind assumption that all is okay with autoprotect.sh disabled isn't a good idea, especially for nginx noobs who would expect it to behave like Apache for non-public directories protected by Apache .htaccess.

    As per https://community.centminmod.com/th...-migration-to-nginx-deny-all.7308/#post-31027 you can check which directories you need to pay closer attention to with command (and bypass if needed)

    where domain.com is yourdomain.com name
    Code (Text):
    grep location /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    


    Just checked default wordpress installs via centmin.sh do not have a .htaccess file there

    Code (Text):
    ls -lah /home/nginx/domains/newdomain2.com/public/wp-content/uploads/
    total 0
    drwxr-sr-x 4 nginx nginx  30 Apr  7 17:31 .
    drwxr-s--- 7 nginx nginx 114 Apr  7 17:30 ..
    drwxr-sr-x 3 nginx nginx  15 Apr  7 17:29 2017
    drwxr-sr-x 2 nginx nginx  59 Apr  8 10:04 sucuri
    

    Code (Text):
    find /home/nginx/domains/newdomain2.com/public/ -type f -name "*.htaccess"            
    /home/nginx/domains/newdomain2.com/public/wp-content/plugins/akismet/.htaccess
    /home/nginx/domains/newdomain2.com/public/wp-content/plugins/sucuri-scanner/.htaccess
    

    contents of newdomain2.com nginx vhost's /usr/local/nginx/conf/autoprotect/newdomain2.com/autoprotect-newdomain2.com.conf include file generated by /usr/local/src/centminmod/tools/autoprotect.sh
    Code (Text):
    # /home/nginx/domains/newdomain2.com/public/wp-content/plugins/akismet
    
    location /wp-content/plugins/akismet/ {
      location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)$ { allow all; expires 30d;}
      location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)$ { allow all; expires 30d;}
      location ~* /wp-content/plugins/akismet/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        deny all;
      }
    }
    
    # /home/nginx/domains/newdomain2.com/public/wp-content/plugins/sucuri-scanner
    
    location /wp-content/plugins/sucuri-scanner/ {
      location ~ ^/wp-content/plugins/sucuri-scanner/(.+/)?(.+)\.(gif|jpe?g|png|css|js)$ { allow all; expires 30d; }
      allow 127.0.0.1;
      deny all;
    }
    

    hence why most folks haven't reported this issue

    though looks like default centmin.sh menu option 22 installed wordpress site has already protected /wp-content/uploads via /usr/local/nginx/conf/wpincludes/newdomain2.com/wpsecure_newdomain2.com.conf include file

    Code (Text):
    # Block PHP files in uploads, content, and includes directory.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
      deny all;
    }

    so I should add an exclusion to tools/autoprotect.sh if centmin.sh menu option 22 based wordpress install and /usr/local/nginx/conf/wpincludes/newdomain2.com/wpsecure_newdomain2.com.conf include file are detected

    edit: even stranger, I tested adding a .htaccess file with deny from all content to wp-content/uploads and re-ran tools/autoprotect.sh to regenerate the /usr/local/nginx/conf/wpincludes/newdomain2.com/wpsecure_newdomain2.com.conf include file, but my instance generated a whitelist entry

    within /usr/local/nginx/conf/wpincludes/newdomain2.com/wpsecure_newdomain2.com.conf there's this entry
    Code (Text):
    # https://community.centminmod.com/posts/35394/
    # /home/nginx/domains/newdomain2.com/public/wp-content/uploads
    
    location /wp-content/uploads/ {
      location ~ ^/wp-content/uploads/(.+/)?(.+)\.(js)$ { allow all; expires 30d; }
      location ~ ^/wp-content/uploads/(.+/)?(.+)\.(css)$ { allow all; expires 30d; }
      location ~ ^/wp-content/uploads/(.+/)?(.+)\.(gif|jpe?g|png|webp|eot|svg|ttf|woff|woff)$ { allow all; expires 30d; }
      location ~ ^/wp-content/uploads/(.+/)?(.+)\.(php|cgi|pl|php3|php4|php5|php6|phtml|shtml)$ { allow 127.0.0.1; deny all; }
    }
    
     
    Last edited: Apr 9, 2017
  5. eva2000

    eva2000 Administrator Staff Member

    Just updated 123.09beta01's tools/autoprotect.sh to bypass auto protecting /wp-content/uploads if it detects a centmin.sh menu option 22 based WordPress install which has a generated /usr/local/nginx/conf/wpincludes/newdomain2.com/wpsecure_newdomain2.com.conf include file where domain = newdomain2.com

    example of newly generated tools/autoprotect.sh include file for /usr/local/nginx/conf/autoprotect/newdomain2.com/autoprotect-newdomain2.com.conf
    Code (Text):
    # /home/nginx/domains/newdomain2.com/public/wp-content/plugins/akismet
    
    location /wp-content/plugins/akismet/ {
      location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)$ { allow all; expires 30d;}
      location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)$ { allow all; expires 30d;}
      location ~* /wp-content/plugins/akismet/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        deny all;
      }
    }
    
    # /home/nginx/domains/newdomain2.com/public/wp-content/plugins/sucuri-scanner
    
    location /wp-content/plugins/sucuri-scanner/ {
      location ~ ^/wp-content/plugins/sucuri-scanner/(.+/)?(.+)\.(gif|jpe?g|png|css|js)$ { allow all; expires 30d; }
      allow 127.0.0.1;
      deny all;
    }
    
    # centmin.sh menu option 22 installed WP bypass /home/nginx/domains/newdomain2.com/public/wp-content/uploads
    
     
  6. dorobo

    dorobo Active Member

    htaccess of this particular domain

    Code (Text):
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    
    # BEGIN MainWP
    
    # END MainWP


    and its autoprotect-mydomain.com.conf

    Code (Text):
    # /home/nginx/domains/mydomain.com/public/wp-content/plugins/akismet
    
    location /wp-content/plugins/akismet/ {
      location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)$ { allow all; expires 30d;}
      location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)$ { allow all; expires 30d;}
      location ~* /wp-content/plugins/akismet/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        deny all;
      }
    }
    
    # /home/nginx/domains/mydomain.com/public/wp-content/uploads
    location ~* ^/wp-content/uploads/ { allow 127.0.0.1; deny all; }
     
  7. dorobo

    dorobo Active Member

    oops wrong htaccess :D

    this is the .htaccess in the uploads folder

    Code (Text):
    <Files *.php>
    deny from all
    </Files>
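
The `.htaccess` posted above denies only `*.php` inside uploads, while the generated `location ~* ^/wp-content/uploads/` rule denies the whole directory, which is why images returned 403. As an added example (not Centmin Mod's autoprotect.sh and not code from either poster), this script classifies the scope of each deny and prints an nginx rule of matching breadth; the function names and the `private/` sample directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Centmin Mod's autoprotect.sh: map each .htaccess deny
# to an nginx rule of the same breadth. Handles <Files glob> sections only.

# htaccess_scope FILE -> "dir", "files:<glob>" or "none"
htaccess_scope() {
  awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    { low = tolower($0) }
    low ~ /<files[ \t]/ {                    # entering a <Files glob> section
      pat = $0; sub(/^[^<]*<[^ \t]+[ \t]+/, "", pat); sub(/[ \t]*>.*/, "", pat)
      gsub(/"/, "", pat); infiles = 1; next
    }
    low ~ /<\/files>/ { infiles = 0; next }
    low ~ /deny[ \t]+from[ \t]+all/ || low ~ /require[ \t]+all[ \t]+denied/ {
      if (infiles) scoped = pat; else dirwide = 1
    }
    END { if (dirwide) print "dir"; else if (scoped != "") print "files:" scoped; else print "none" }
  ' "$1"
}

# nginx_rule URI SCOPE -> location block, or a note when no safe rule is known
nginx_rule() {
  uri=${1%/}; scope=$2; ext=${scope#files:\*.}
  case $scope in
    dir) printf 'location ~* ^%s/ { allow 127.0.0.1; deny all; }\n' "$uri" ;;
    files:\*.*[!A-Za-z0-9]*) printf '# review by hand: %s in %s/\n' "$scope" "$uri" ;;
    files:\*.?*) printf 'location ~* ^%s/.*\\.%s$ { allow 127.0.0.1; deny all; }\n' "$uri" "$ext" ;;
    *) printf '# review by hand: %s in %s/\n' "$scope" "$uri" ;;
  esac
}

# audit_docroot DOCROOT -> one line per .htaccess found under DOCROOT
audit_docroot() {
  find "$1" -type f -name .htaccess | sort | while IFS= read -r f; do
    dir=${f%/.htaccess}
    nginx_rule "${dir#"$1"}" "$(htaccess_scope "$f")"
  done
}

# Constructed sample: uploads/ as posted in the thread, private/ is hypothetical
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/private"
  printf '<Files *.php>\ndeny from all\n</Files>\n' > "$d/wp-content/uploads/.htaccess"
  printf 'deny from all\n' > "$d/private/.htaccess"
  echo "$d"
}

root=$(make_sample); audit_docroot "$root"; rm -rf "$root"
```

Comparing its output with `grep location` on the generated autoprotect include file shows where a generated rule is broader than the `.htaccess` it was derived from.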
     
  8. eva2000

    eva2000 Administrator Staff Member

  9. dorobo

    dorobo Active Member

    I re-ran

    /usr/local/src/centminmod/tools/autoprotect.sh

    and it's back

    # /home/nginx/domains/mydomain.com/public/wp-content/uploads
    location ~* ^/wp-content/uploads/ { allow 127.0.0.1; deny all; }
     
  10. eva2000

    eva2000 Administrator Staff Member

    did you run centmin.sh menu option 23 submenu option 2 first to update ?
     
  11. eva2000

    eva2000 Administrator Staff Member

    post to gist.github.com or pastebin.com the output for debug mode of running /usr/local/src/centminmod/tools/autoprotect.sh
    Code (Text):
    bash -x /usr/local/src/centminmod/tools/autoprotect.sh
    
     
  12. dorobo

    dorobo Active Member

    Centmin Mod local code up to date at /usr/local/src/centminmod
    no available updates at this time...

    [Bash] autoprotect - Pastebin.com

    domain3.com is the one that's having an issue.
     
  13. eva2000

    eva2000 Administrator Staff Member

    what's contents of
    /home/nginx/domains/domain3.com/public/wp-content/uploads/.htaccess ?
     
  14. eva2000

    eva2000 Administrator Staff Member

    try these commands for manual update of centmin mod code
    Code (Text):
    cd /usr/local/src/centminmod
    git stash
    git pull
    /usr/local/src/centminmod/tools/autoprotect.sh
    

    then check contents of /usr/local/nginx/conf/autoprotect/domain3.com/autoprotect-domain3.com.conf
     
  15. eva2000

    eva2000 Administrator Staff Member

    also does your
    /usr/local/nginx/conf/wpincludes/domain3.com/wpsecure_domain3.com.conf exist ? as centmin mod uses that to determine if wordpress install was created via centmin.sh menu option 22 to add the bypass skip rule

    you can check path in vhost with command
    Code (Text):
    grep -rin wpsecure /usr/local/nginx/conf/conf.d/domain3.com.*
    


    example
    Code (Text):
    grep -rin wpsecure /usr/local/nginx/conf/conf.d/
    /usr/local/nginx/conf/conf.d/newdomain2.com.conf:84:  include /usr/local/nginx/conf/wpincludes/newdomain2.com/wpsecure_newdomain2.com.conf;
    /usr/local/nginx/conf/conf.d/newdomain3.com.conf:84:  include /usr/local/nginx/conf/wpincludes/newdomain3.com/wpsecure_newdomain3.com.conf;
    
     
    Last edited: Apr 9, 2017
  16. dorobo

    dorobo Active Member

    98: include /usr/local/nginx/conf/wpsecure.conf;
     
  17. eva2000

    eva2000 Administrator Staff Member

    ah you have old paths but even 123.08stable IIRC appended domain name to it like /usr/local/nginx/conf/wpsecure_domain3.conf so are you sure you ran centmin.sh menu option 22 to create wp or did you manually setup wordpress site ?

    as 123.09beta01 centmin.sh menu option 22 updated them to /usr/local/nginx/conf/wpincludes/domain3.com/wpsecure_domain3.com.conf so you can create it yourself

    Code (Text):
    mkdir -p /usr/local/nginx/conf/wpincludes/domain3.com/
    cp -a /usr/local/nginx/conf/wpsecure.conf /usr/local/nginx/conf/wpincludes/domain3.com/wpsecure_domain3.com.conf
    

    edit your nginx vhost include file

    from

    /usr/local/nginx/conf/wpsecure.conf

    to

    /usr/local/nginx/conf/wpincludes/domain3.com/wpsecure_domain3.com.conf
     
  18. dorobo

    dorobo Active Member

    are the contents of

    /usr/local/nginx/conf/wpincludes/domain1.com/wpsecure_domain1.com.conf
    /usr/local/nginx/conf/wpincludes/domain2.com/wpsecure_domain2.com.conf
    /usr/local/nginx/conf/wpincludes/domain3.com/wpsecure_domain3.com.conf

    the same or it depends?

    Say they are all wordpress sites. Won't they all be the same? Or would it be different depending on the installed plugins on each?
     
  19. eva2000

    eva2000 Administrator Staff Member

    they're the same.. but having them separate allows for per site customisations :)