Beta Branch update tools/autoprotect.sh custom akismet wordpress plugin nginx rules

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jul 19, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    update tools/autoprotect.sh custom akismet wordpress plugin nginx rules

    update both tools/autoprotect.sh and inc/wpsetup.inc centmin.sh menu option 22 wp_secure include file rules for akismet wordpress plugin to use nginx rules to whitelist css and png files but protect the /akismet directory and akismet.php file from public access

    123.09beta01 branch
     
  2. eva2000

    This update is to fix @GamerJota's reported issues with centmin.sh menu option 22 auto installed wordpress install's extra security via tools/autoprotect.sh and akismet wordpress plugin at Wordpress - Akismet JS and CSS - Forbidden? | Centmin Mod Community

    Testing out some updates to centmin mod 123.09beta01's tools/autoprotect.sh to auto detect akismet and add additional whitelisting rules

    before the tools/autoprotect.sh updates = 403 permission denied vs 200 status ok
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/domain8.com/autoprotect-domain8.com.conf
    # /home/nginx/domains/domain8.com/public/wp-content/plugins/akismet
    location ~* ^/wp-content/plugins/akismet/ { deny all; }
    # /home/nginx/domains/domain8.com/public/wp-content/plugins/sucuri-scanner
    location ~* ^/wp-content/plugins/sucuri-scanner/ { deny all; }
    

    Code (Text):
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/
    HTTP/1.1 403 Forbidden
    Date: Mon, 18 Jul 2016 18:34:11 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 162
    Connection: keep-alive
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/_inc/akismet.css
    HTTP/1.1 403 Forbidden
    Date: Mon, 18 Jul 2016 18:34:33 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 162
    Connection: keep-alive
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/_inc/img/logo-full-2x.png
    HTTP/1.1 403 Forbidden
    Date: Mon, 18 Jul 2016 18:34:48 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 162
    Connection: keep-alive
    Server: nginx centminmod
    X-Powered-By: centminmod
    

    after tools/autoprotect.sh update
    Code (Text):
    [root@centos7 akismet]# cat /usr/local/nginx/conf/autoprotect/domain8.com/autoprotect-domain8.com.conf
    # /home/nginx/domains/domain8.com/public/wp-content/plugins/akismet
    
    location ~ ^/wp-content/plugins/akismet/ {
      location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)$ { allow all; }
      location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)$ { allow all; }
      location ~* /wp-content/plugins/akismet/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        deny all;
      }
    }
    
    # /home/nginx/domains/domain8.com/public/wp-content/plugins/sucuri-scanner
    location ~* ^/wp-content/plugins/sucuri-scanner/ { deny all; }
    

    Code (Text):
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/
    HTTP/1.1 403 Forbidden
    Date: Mon, 18 Jul 2016 19:57:45 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 162
    Connection: keep-alive
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/_inc/akismet.css   
    HTTP/1.1 200 OK
    Date: Mon, 18 Jul 2016 19:54:44 GMT
    Content-Type: text/css
    Content-Length: 8748
    Last-Modified: Mon, 18 Jul 2016 18:27:00 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "578d1f74-222c"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes
    
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/_inc/img/logo-full-2x.png
    HTTP/1.1 200 OK
    Date: Mon, 18 Jul 2016 19:54:46 GMT
    Content-Type: image/png
    Content-Length: 4970
    Last-Modified: Mon, 18 Jul 2016 18:27:00 GMT
    Connection: keep-alive
    ETag: "578d1f74-136a"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes
    
     
    Last edited: Jul 19, 2016
  3. eva2000

    If you are using Centmin Mod 123.09beta01, updating to latest code via outlined methods would update tools/autoprotect.sh and then you just manually run it once or wait until the cronjob does it for you to update the changes.

    manually run the tools/autoprotect.sh script once after centmin mod menu option 23 updating
    Code (Text):
    /usr/local/src/centminmod/tools/autoprotect.sh
    

    via the cron listed below
    Code (Text):
    crontab -l
    11 */23 * * * /usr/local/src/centminmod/tools/autoprotect.sh 2>/dev/null
    0 */4 * * * /usr/bin/cminfo_updater 2>/dev/null
    */15 * * * * sleep 285s ; wget -O - -q -t 1 http://domain8.com/wp-cron.php?doing_wp_cron=1 > /dev/null 2>&1
    0 */8 * * * sleep 105s ;/root/tools/wp_updater_domain8.com.sh 2>/dev/null
    

    Upgrading Centmin Mod Code to Latest Version

    Getting Started Guide step 19 also outlines how to keep Centmin Mod code updated or how to switch version branches.

    Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes, so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08 (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch switching via a Git backed environment you can set up. For full details read the following links:
     
  4. dorobo

    dorobo Active Member

    If I remove the akismet plugin, can I do away with this autoprotect script?
     
  5. eva2000

    What do you mean? autoprotect.sh protects more than just akismet... it protects any and all php web app directories where .htaccess deny from all was relied on to prevent public access, but nginx doesn't support .htaccess, so autoprotect.sh tries to auto convert .htaccess to nginx rewrite deny all rules.

    When you remove the akismet plugin, the next autoprotect.sh scheduled cron run will detect that akismet is gone and remove the rules specific to only akismet directories from the autoprotect include file. That's why autoprotect.sh is run as a cronjob, so it can auto detect newly added or removed php related web directories/apps.

    autoprotect.sh outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community
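As an added illustration of what the posts above describe (the .htaccess "deny from all" to nginx conversion in post 5, and the akismet whitelist shape from the "after" config in post 2), here is a small POSIX sh script written for this thread. It is not Centmin Mod's tools/autoprotect.sh and makes no attempt to reproduce it; it only walks a web root you pass in, finds directories whose .htaccess contains "deny from all", and prints the nginx location blocks for them, with the akismet directory getting the css/js/png/gif allow rules and the localhost-only .php handling quoted from the thread. The web root layout, the function names and the include path /usr/local/nginx/conf/php.conf are assumptions taken from the thread's output, not from the project's code.

```sh
#!/bin/sh
# Added example, not Centmin Mod's autoprotect.sh: convert Apache-style
# "deny from all" .htaccess protections under a web root into nginx rules.

# Print the nginx rules for one protected directory.
#   $1 = web root (assumed layout: <root>/wp-content/plugins/<plugin>)
#   $2 = directory that holds a deny-all .htaccess
emit_rule() {
  root="$1"; dir="$2"
  # URI path relative to the web root, e.g. /wp-content/plugins/akismet
  uri="${dir#"$root"}"
  printf '# %s\n' "$dir"
  case "$uri" in
    */plugins/akismet)
      # Akismet needs its css/js and images public, but .php files stay
      # reachable only from localhost (rules as shown in post 2 above)
      printf 'location ~ ^%s/ {\n' "$uri"
      printf '  location ~ ^%s/(.+/)?(form|akismet)\\.(css|js)$ { allow all; }\n' "$uri"
      printf '  location ~ ^%s/(.+/)?(.+)\\.(png|gif)$ { allow all; }\n' "$uri"
      printf '  location ~* %s/.*\\.php$ {\n' "$uri"
      printf '    include /usr/local/nginx/conf/php.conf;\n'
      printf '    allow 127.0.0.1;\n    deny all;\n  }\n}\n'
      ;;
    *)
      # Default: the whole directory is closed to the public
      printf 'location ~* ^%s/ { deny all; }\n' "$uri"
      ;;
  esac
}

# Scan a web root for .htaccess files that rely on "deny from all"
# (case-insensitive, as Apache treats the directive) and print the
# nginx equivalent for each containing directory, in sorted order.
autoprotect_scan() {
  root="$1"
  find "$root" -name .htaccess -type f | sort | while read -r ht; do
    if grep -iq 'deny from all' "$ht"; then
      emit_rule "$root" "$(dirname "$ht")"
    fi
  done
}

# Usage: sh autoprotect_example.sh /home/nginx/domains/domain8.com/public
if [ "$#" -gt 0 ]; then
  autoprotect_scan "$1"
fi
```

The generated file only does its job if nginx evaluates it before the vhost's general `\.php$` location: regex locations are matched in the order they appear in the configuration and the first match wins, so an include loaded after the generic PHP handler would let plugin .php files be executed for anyone before the deny rule is ever consulted. After regenerating, a `curl -I` against a plugin .css and a plugin .php URL, as in post 2, is the quickest check that the allow and deny halves both took effect.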