
Beta Branch update tools/autoprotect.sh

Discussion in 'Centmin Mod Github Commits' started by eva2000, May 15, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    30,949
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,415
    Local Time:
    4:28 PM
    Nginx 1.13.x
    MariaDB 5.5
  2. pamamolf

    pamamolf Well-Known Member

    2,820
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    8:28 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Nice :)

    Only one question:

    If a user doesn't have any index to display and there is no .htaccess in the folder at all, does the script find that it must protect this folder, or does it work only when a .htaccess file is there?
     
  3. eva2000

    Nginx by default doesn't list files in a directory without an index page and gives 403 errors. You'd need to know the exact name of files in such a directory to access them.

    tools/autoprotect.sh won't protect directories without a .htaccess file which contains 'Deny from all' text, as .htaccess files are used for much more than one purpose, i.e. for rewrites in Apache.
     
  4. pamamolf

    Confused :(

    If a folder is autoprotected from directory listing by nginx, then what does the script do?

    The .htaccess can contain a lot of stuff like rewrite rules that it would be cool to have an automated way to convert to Nginx rules, but as the script doesn't do that, then what does it do?

    An example maybe, or a little more info?

    Sorry mate :(
     
  5. eva2000

    tools/autoprotect.sh, in cases with .htaccess, denies all access to all files within the directory, while nginx without index.html still allows access if you know the file name within the directory which doesn't have an index file, so you can directly access the file instead.

    So if directory = /private:
    • /private/index.html with .htaccess (containing 'deny from all' text) converted to nginx deny all by tools/autoprotect.sh will prevent all files under the /private directory from being accessed, i.e. /private/secretfile.html gives 403 status
    • while a /private directory without an index.html will give 403 on /private directory access, but if you know /private/secretfile.html exists, you can directly access /private/secretfile.html, which gives 200 status

    The purpose of tools/autoprotect.sh is outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all. If you have a web app like WordPress, Joomla, Drupal etc., a lot of developers and plugin authors assume Apache .htaccess and bundle .htaccess files with their scripts. But uploading those files to an nginx-based server will by default leave those intended directories with .htaccess deny from all settings wide open to the public if you don't have nginx deny all location context match rules set up. So tools/autoprotect.sh tries to automatically catch any such directories that folks miss when they set up their nginx vhost's nginx deny all location context match rules.
     
    Last edited: May 15, 2016
  6. pamamolf

    But isn't it possible for the script to detect a folder like /private that doesn't have an index file and has no .htaccess file, and protect it?

    Or will it be a mess trying to do it that way, and maybe auto-protect folders that it shouldn't?
     
  7. eva2000

    That would mess with a lot of folks' scripts though, as that would mean every directory within a site gets deny all 403 permission denied, as most directories do not have .htaccess files and the autoprotect.sh script has no way to know which directory is private or public without a .htaccess file indicating such via 'deny from all' text within the .htaccess file.
     
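The check discussed in this thread, as an added example that is not Centmin Mod's tools/autoprotect.sh and not part of any post: it scans a web root for .htaccess files with an uncommented 'deny from all' line and prints an nginx deny all location for each such directory. The function names, the constructed sample tree and the choice of a `^~` prefix location are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Centmin Mod's tools/autoprotect.sh.
# Prints an nginx "deny all" location for every directory under a web root
# whose .htaccess contains an uncommented "deny from all" line.

emit_deny_rules() {
  webroot="${1%/}"
  # grep -l prints only the names of .htaccess files with a matching line;
  # the anchored pattern skips "# deny from all" comments and rewrite-only files.
  find "$webroot" -type f -name .htaccess \
    -exec grep -Eil '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' {} + |
  sort |
  while IFS= read -r htaccess; do
    dir="${htaccess%/.htaccess}"
    uri="${dir#"$webroot"}"
    if [ -z "$uri" ]; then
      # A deny in the web root itself would block the whole site: flag it.
      printf '# review manually: %s denies the whole web root\n' "$htaccess"
    else
      # ^~ is a prefix match that also stops nginx from trying regex
      # locations (such as a PHP handler) for URIs under this directory.
      printf 'location ^~ "%s/" { deny all; }\n' "$uri"
    fi
  done
}

# Constructed sample tree (not from the thread's servers): two directories
# marked private via .htaccess, one rewrite-only .htaccess, one directory
# with no .htaccess at all.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/private" "$root/app/cache" "$root/blog" "$root/public"
  printf 'Deny from all\n' > "$root/private/.htaccess"
  printf 'deny from all\n' > "$root/app/cache/.htaccess"
  printf '# deny from all\nRewriteEngine On\n' > "$root/blog/.htaccess"
  printf '<html></html>\n' > "$root/private/secretfile.html"
  printf '<html></html>\n' > "$root/public/secretfile.html"
  printf '%s\n' "$root"
}

sample=$(make_sample_tree)
emit_deny_rules "$sample"
rm -rf "$sample"
```

The /public directory gets no rule because nothing marks it as private, which is the limitation described in the last reply; the generated locations still need to be included in the vhost and checked with `nginx -t` before a reload.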