Welcome to Centmin Mod Community
Become a Member

Wordpress woocommerce issue and question about whitelisting

Discussion in 'Blogs & CMS usage' started by Altair, Feb 10, 2018.

  1. Altair

    Altair Member

    33
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    3:23 AM
    I installed wordpress manually by creating a mysql database and username and password via command line, then via winSCP I uploaded my wordpress files, imported backup through a wordpress plugin.

    However, I installed wordpress in a sub-directory, as on the main directory I have xenforo.
    I executed:
    Code:
    chown -R nginx:nginx /home/nginx/domains/domain.com/public/wp/wp-content/plugins/
    Code:
    chown nginx:nginx /home/nginx/domains/domain.com/public/wp
    chown -R nginx:nginx /home/nginx/domains/domain.com/public/wp
    nginx vhost:
    nano /usr/local/nginx/conf/conf.d/domain.com.conf
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    
    # redirect from non-www to www
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    #server {
    #            listen   80;
    #            server_name domain.com;
    #            return 301 $scheme://www.domain.com$request_uri;
    #       }
    
    server {
    
      server_name domain.com www.domain.com;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      #add_header X-Frame-Options SAMEORIGIN;
      #add_header X-Xss-Protection "1; mode=block" always;
      #add_header X-Content-Type-Options "nosniff" always;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf;
      root /home/nginx/domains/domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      #include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      # prevent access to ./directories and files
      #location ~ (?:^|/)\. {
      # deny all;
      #}
    
      location / {
        try_files $uri $uri/ /index.php?$uri&$args;
        index index.php index.html index.htm;
    
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
      }
    
      location /wp {
       try_files $uri $uri/ /wp/index.php?q=$request_uri;
         include /usr/local/nginx/conf/wpsecure.conf;
         include /usr/local/nginx/conf/wpnocache.conf;
      }
    
      location /internal_data/ {
      internal;
      allow 127.0.0.1;
      deny all;
      }
    
      location /library/ {
      internal;
      allow 127.0.0.1;
      deny all;
      }
    
      location /install/templates/ {
               internal;
      }
    
      location /install/data/ {
                internal;
     }
    
      location /wp {
       try_files $uri $uri/ /wp/index.php?q=$request_uri;
         include /usr/local/nginx/conf/wpsecure.conf;
         include /usr/local/nginx/conf/wpnocache.conf;
      }
    
      location /internal_data/ {
      internal;
      allow 127.0.0.1;
      deny all;
      }
    
      location /library/ {
      internal;
      allow 127.0.0.1;
      deny all;
      }
    
      location /install/templates/ {
               internal;
      }
    
      location /install/data/ {
                internal;
    
      }
    
    
      include /usr/local/nginx/conf/pre-staticfiles-local-domain.com.conf;
      include /usr/local/nginx/conf/pre-staticfiles-global.conf;
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
    
      include /usr/local/nginx/conf/drop.conf;
      include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    

    nano /usr/local/nginx/conf/wpsecure.conf
    Code:
    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
    }
    
    # Whitelist Exception for https://wordpress.org/plugins/woocommerce/
    location ~ ^/wp-content/plugins/woocommerce/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for gravityforms
    location ~ ^/wp-content/plugins/gravityforms/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for gravityforms iframe master
    location ~ ^/wp-content/plugins/gravity-forms-iframe-master/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for gravityforms custom post types
    location ~ ^/wp-content/plugins/gravity-forms-custom-post-types/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for custom plugin
    location ~ ^/wp-content/plugins/reuse_cartItems_after_checkout_for_diff_payment_methods/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for woocommerce-conditional-product-fees-for-checkout
    location ~ ^/wp-content/plugins/woocommerce-conditional-product-fees-for-checkout/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Whitelist Exception for modular-custom-css
    location ~ ^/wp-content/plugins/modular-custom-css/ {
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
            return 444;
    }
    
    #nocgi
    location ~* \.(pl|cgi|py|sh|lua)\$ {
            return 444;
    }
    
    #disallow
        location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
            return 444;
    }
    
    location ~ /(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }
    
    Is my whitelisting of woocommerce right? or do I need to specify the subdirectory that wp is installed on, in this example and others:
    Code:
    # Whitelist Exception for https://wordpress.org/plugins/woocommerce/
    location ~ ^/wp-content/plugins/woocommerce/ {
      include /usr/local/nginx/conf/php.conf;
    }
    The issue is that on woocommerce checkout page for a product, the spinning wheel on choosing payment option keeps spinning like not loading the full page.
     
    Last edited: Feb 10, 2018
  2. Altair

    Altair Member

    33
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    3:23 AM
    Aside from the woocommerce checkout page loading correctly however PAYMENT options spinning indefinitely which might be related to cache? even though I haven't set up any cache plugins or options. I saw this thread, does it apply here with centmin mod?
    Settings nginx + woocommerce



    I really appreciate any input as my whole project is based on this concept of iframing that specific form from my wordpress directory to my xenforo custom page.

    .
     
    Last edited: Feb 10, 2018
  3. eva2000

    eva2000 Administrator Staff Member

    35,100
    7,750
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,951
    Local Time:
    10:23 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    yes you need to tag your subdirectory on the front of the example whitelisting as that is only if wp installed in web root
     
  4. eva2000

    eva2000 Administrator Staff Member

    35,100
    7,750
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,951
    Local Time:
    10:23 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    FYI your /usr/local/nginx/conf/conf.d/domain.com.conf listed above has duplication location contexts so might want to double check
     
  5. Altair

    Altair Member

    33
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    3:23 AM
    would it be like that?

    Code:
    # Whitelist Exception for https://wordpress.org/plugins/woocommerce/
    location ~ ^wp/wp-content/plugins/woocommerce/ {
      include /usr/local/nginx/conf/php.conf;
    }
    I see it's at location /wp, I'll delete the duplicate.
     
  6. eva2000

    eva2000 Administrator Staff Member

    35,100
    7,750
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,951
    Local Time:
    10:23 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    need forward slash
    Code (Text):
    location ~ ^/wp/wp-content/plugins/woocommerce/ {
      include /usr/local/nginx/conf/php.conf;
    }
    

    You also have duplicate xenforo location contexts too
     
  7. Altair

    Altair Member

    33
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    3:23 AM
    thanks for the whitelisitng, in-regards to the duplicate I see it's at:

    Code:
      location /install/templates/ {
               internal;
      }
    
      location /install/data/ {
                internal;
    
      }
     
    Last edited: Feb 10, 2018
  8. Altair

    Altair Member

    33
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    3:23 AM
    What about these?

    Code:
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
            return 444;
    }
    
    #nocgi
    location ~* \.(pl|cgi|py|sh|lua)\$ {
            return 444;
    }
    
    #disallow
        location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
            return 444;
    }
    
    location ~ /(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }
    Would it be:?

    Code:
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    location ~* \wp\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
            return 444;
    }
    
    #nocgi
    location ~* \wp\.(pl|cgi|py|sh|lua)\$ {
            return 444;
    }
    
    #disallow
        location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
            return 444;
    }
    
    location ~ /wp/(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }
     
  9. Altair

    Altair Member

    33
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    3:23 AM
    for iframe I figured out I need to add this:

    Code:
    Configuring nginx
    To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:
    
    add_header X-Frame-Options SAMEORIGIN;
    Do I add it in
    Code:
    location / {
    }
    and
    Code:
    location /wp {
    }
    or just outside locations?

    also, is location /wp -OR- location /wp/? trailing slash?
     
  10. eva2000

    eva2000 Administrator Staff Member

    35,100
    7,750
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,951
    Local Time:
    10:23 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    no need to do anything those are extension matches not directory matches
     
    • Like Like x 1
  11. eva2000

    eva2000 Administrator Staff Member

    35,100
    7,750
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,951
    Local Time:
    10:23 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    no trailing slash but try within each location.
     
    • Like Like x 1
  12. eva2000

    eva2000 Administrator Staff Member

    35,100
    7,750
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,951
    Local Time:
    10:23 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  13. Altair

    Altair Member

    33
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    3:23 AM
    got this in my error log:

    Code:
    2018/02/09 20:30:04 [error] 23945#23945: *1121 connect() failed (111: Connection refused) while connecting to upstream, client: xx.xx.xx5.216, server: domain.com, request: "GET /wp/gfembed/?f=1 HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "domain.com"
    
    And on access log

    Code:
    xx.xx.xx5.216 - - [09/Feb/2018:20:34:21 +0000] "GET /wp/gfembed/?f=1 HTTP/1.1" 500 2796 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"

    also woocommerce checkout page, payment options still spinning wheel indefinitely.
     
  14. eva2000

    eva2000 Administrator Staff Member

    35,100
    7,750
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,951
    Local Time:
    10:23 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    If on Centmin Mod 123.09beta01, you may have ran into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community You uploaded scripts may have .htaccess deny from all type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all .htaccess 'deny from all' detected directories now get auto generated Nginx equivalent location match and deny all setups except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks web apps falsely and the workarounds or improvements made to autoprotect.sh with the help of users feedback and troubleshooting.
     
  15. Altair

    Altair Member

    33
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    3:23 AM
    Yes I'm on
    Centmin Mod Menu 123.09beta01 centminmod.com
    and I don't have .htaccess in wordpress as far as I look into the directories of the wordpress installation and plugins using winSCP.
     
  16. eva2000

    eva2000 Administrator Staff Member

    35,100
    7,750
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,951
    Local Time:
    10:23 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    contents of vhost include file /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf ?
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    
     
  17. Altair

    Altair Member

    33
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    3:23 AM
    returns nothing, what should it be?
     
  18. eva2000

    eva2000 Administrator Staff Member

    35,100
    7,750
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,951
    Local Time:
    10:23 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    as per Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all if autoprotect.sh detects .htaccess files with deny all in any vhost directory it will auto convert the .htaccess to nginx rule within /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf which is sometimes cause of 403 permission denied errors etc which isn't the case for you if empty

    but you get HTTP 500 status errors in access log.. you sure you have correct woocommerce nginx rules ? I never used woocommerce so have no idea myself

    what's current contents of your /usr/local/nginx/conf/conf.d/domain.com.conf vhost config file now ?
     
  19. Altair

    Altair Member

    33
    3
    8
    Jan 27, 2018
    Ratings:
    +3
    Local Time:
    3:23 AM
    Got both of the issues fixed, through including X-Frame-Options and changing wordpress location to:
    Code:
    try_files $uri $uri/ /wp/index.php?$args;
    
    I'm now on the process of implementing ssl
    still @eva2000 what would you recommend for SSL, spdy or Nginx HTTP/2, I've seen that http/2 doesn't support android default browsers which might break user experience if the certificate isn't valid or something?
     
    • Like Like x 1
  20. eva2000

    eva2000 Administrator Staff Member

    35,100
    7,750
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,951
    Local Time:
    10:23 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    glad to hear.. spdy is no longer supported in browsers so HTTP/2 HTTPS is centmin mod nginx default

    There's generally 3 ways of setting up HTTPS SSL certificate for Centmin Mod Nginx HTTP/2 based HTTPS

    Method 1. The traditional way via centmin.sh menu option 2, 22 and selecting yes to self-signed ssl certificates first. Then converting the self-signed ssl certificate to paid or free (Letsencrypt) web browser trusted SSL certificates outlined at How to switch self-signed SSL certificate to paid SSL certificate ? You would still need to follow the same steps outlined at Nginx SPDY SSL Configuration for obtaining and purchasing the paid SSL certificate and most important part is the concatenation of the SSL provider provided filesto create the mentioned /usr/local/nginx/conf/ssl/domaincom/ssl-unified.crt and /usr/local/nginx/conf/ssl/domaincom/ssl-trusted.crtfiles referenced in your Nginx SSL vhost config file.

    You may need to also decide if you want to enable HTTP to HTTPS redirect outlined at How to force redirect from HTTP:// to HTTPS:// ?

    If you didn't answer yes at time of initial nginx vhost creation to self-signed ssl certificates, you can manually setup the self-signed ssl certificate via the vhost generator by checking self-signed ssl box and enter a domain name. This will outline instructions for manually creating and setting up self-signed ssl certificate and nginx vhost settings. Then for web browser trusted ssl certificates you switch follow - How to switch self-signed SSL certificate to paid SSL certificate ?.

    Method 2. Using and testing Centmin Mod 123.09beta01's new addons/acmetool.sh addon which is still in beta testing only for integrating Letsencrypt SSL certificates. And has both auto and manual methods.

    Method 3. Fully manual method for free Letsencrypt SSL certificates.
    Note:
    • For wordpress auto installer, you actually need a read method 2 to enable LETSENCRYPT_DETECT='y' then run centmin.sh menu option 22 which will detect letsencrypt support and display the additional letsencrypt prompts required to issue free letsencrypt ssl certificates for wordpress auto installer
     
    • Like Like x 1
..