
WordPress Plugins 403 errors when plugin opens ZIP / txt file download

Discussion in 'Blogs & CMS usage' started by Benjamin74, Apr 7, 2017.

  1. Benjamin74

    Hello guys,

    I'm pretty sure it's an easy one but I couldn't find anything.

    Here is my install info:

    - CentOS 6 64 bit
    - 123.09beta01
    - nginx 1.11.10
    - php 5.6.30
    - Centmin installed yesterday April 6, 2017
    - Wordpress installed through Menu 22 + Cache Enabler settings. Then content imported through All In One Wp Migration.

    PROBLEM :

    Various plugins seem to create files for me to download "on the fly". However, each time these plugins send me to the download/view page, it triggers a 403.

    These plugins are :

    GravityForms, triggers a 403 when trying to view the log file located at /wp-content/uploads/gravity_forms/logs/gravityforms_1ee031bac0fea6f6f05936a2bd5e24f0c773a12c.txt

    Post Snippets, triggers a 403 when trying to download the export ZIP files located at /wp-content/uploads/post-snippets-export.zip

    I suspect the nginx configuration is expecting txt and zip files to be served from these folders, but I have no clue how to fix this.

    Any pointers?

    Thanks a lot,

    Cheers,
     
  2. eva2000

    Security is why, as Centmin Mod values security and puts additional measures in place so that end users are also mindful of security. So in your case you need to whitelist or unblock Gravity Forms and Post Snippets.

    If you used the centmin.sh menu option 22 auto installer (Wordpress Nginx Auto Installer), the default wpsecure conf file at /usr/local/nginx/conf/wpsecure_${vhostname}.conf, where vhostname is your domain name, blocks php scripts from executing in wp-content for security.

    At the links below you can see examples of setting up specific WordPress location matches to punch a hole in the wpsecure blocking, whitelisting specific php files that need to be able to run.
    If on Centmin Mod 123.09beta01, you may have run into the new tools/autoprotect.sh cronjob feature outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community. Your uploaded scripts may have .htaccess 'deny from all' type files in their directories which may need bypassing autoprotect. It's a security feature that no other nginx based stack has as far as I know :)

    So instead, all directories where a .htaccess 'deny from all' is detected now get an auto-generated Nginx equivalent location match and deny all setup, except if you want to manually bypass the directory from auto protection via a .autoprotect-bypass file - details below here.

    You can read a few threads below on how autoprotect.sh may have caught some folks' web apps falsely, and the workarounds or improvements made to autoprotect.sh with the help of users' feedback and troubleshooting.
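As an added illustration of the .htaccess-to-nginx idea described above, here is my own Python sketch of that workflow; it is not the tools/autoprotect.sh script and not how Centmin Mod implements it. It walks a webroot, finds every .htaccess that denies all access (both the Apache 2.2 "Deny from all" and the 2.4 "Require all denied" form), skips any directory that carries a .autoprotect-bypass marker (only the marker name is borrowed from the thread), and emits one deny-all nginx location per directory. The sample tree it builds is constructed for the example; the choice of a `^~` prefix location is mine, explained in the comments.

```python
import os
import re
import tempfile

# Apache syntax meaning "nobody may fetch anything from this directory":
# the 2.2 form ("Deny from all") and the 2.4 form ("Require all denied").
DENY_ALL_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)


def find_htaccess_denies(webroot):
    """Return web-relative directories whose .htaccess denies all access.

    A directory holding a .autoprotect-bypass marker is skipped, mirroring the
    bypass file from the thread; the walk itself is this example's own logic.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if ".htaccess" not in filenames or ".autoprotect-bypass" in filenames:
            continue
        with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8", errors="replace") as fh:
            if DENY_ALL_RE.search(fh.read()):
                hits.append(os.path.relpath(dirpath, webroot).replace(os.sep, "/"))
    return sorted(hits)


def nginx_deny_block(reldir):
    """Emit an nginx equivalent of a 'deny from all' .htaccess for one directory.

    '^~' is chosen deliberately: a prefix location with ^~ wins over every regex
    location, so a later 'location ~* ...' whitelist cannot accidentally reopen
    the directory. Anything that must stay reachable gets its own rule plus a
    .autoprotect-bypass marker instead.
    """
    return "location ^~ /%s/ { deny all; }" % reldir


def render_nginx_includes(webroot):
    """Concatenate one deny block per detected directory, ready for an include file."""
    return "\n".join(nginx_deny_block(d) for d in find_htaccess_denies(webroot))


def build_sample_webroot():
    """Constructed sample tree (not a real site) covering each case the scanner handles."""
    root = tempfile.mkdtemp(prefix="autoprotect-demo-")
    files = {
        # Gravity Forms-style protected log directory: must be converted.
        "wp-content/uploads/gravity_forms/logs/.htaccess": "Order deny,allow\nDeny from all\n",
        # Apache 2.4 syntax: must also be converted.
        "wp-content/plugins/other-plugin/private/.htaccess": "Require all denied\n",
        # Not an access restriction at all: must be ignored.
        "wp-content/uploads/.htaccess": "Options -Indexes\n",
        # Denied in .htaccess, but the admin opted out with the bypass marker.
        "wp-content/plugins/some-plugin/vendor/.htaccess": "deny from all\n",
        "wp-content/plugins/some-plugin/vendor/.autoprotect-bypass": "",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the sample tree; returns (hit directories, nginx snippet)."""
    root = build_sample_webroot()
    return find_htaccess_denies(root), render_nginx_includes(root)


if __name__ == "__main__":
    hits, snippet = demo()
    print("\n".join(hits))
    print(snippet)
```

The generated blocks are the coarse, safe default; a directory that a plugin legitimately needs to serve from (the Gravity Forms logs case in this thread) is exactly where you drop the bypass marker and hand-write a narrower location instead.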
     
  3. Benjamin74

    OK.

    So apparently the wpsecure files are now (for the beta branch) in:

    /usr/local/nginx/conf/wpincludes/mydomain.com/wpsecure_mydomain.com.conf

    and not in:

    /usr/local/nginx/conf/wpsecure_${vhostname}.conf

    Otherwise, I'm finding these security settings very, very hard to understand; I'm a noob so no real surprise I guess. For example, let's pick these lines:

    Code:
    # Whitelist Exception for mediagrid timthumb
    location ~ ^/wp-content/plugins/media-grid/classes/ {
      include /usr/local/nginx/conf/php.conf;
      # below include file needs to be manually created at that path and to be uncommented
      # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
      # allows you to add commonly shared settings to all wp plugin location matches which
      # whitelist php processing access at /usr/local/nginx/conf/wpincludes/mydomain.com/wpsecure_mydomain.com.conf
      #include /usr/local/nginx/conf/wpincludes/mydomain.com/wpwhitelist_common.conf;
    }
    => It seems to suggest uncommenting the last line:
    Code:
    include /usr/local/nginx/conf/wpincludes/mydomain.com/wpwhitelist_common.conf;
    => and manually creating the corresponding wpwhitelist_common.conf file.
    => but what are we supposed to put in that whitelist file?

    None of the other threads say much about creating this whitelist conf file, so I'm a bit lost.

    Another finding is that my problem actually seems to be coming from the very last line:

    Code:
    location ~* /(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z|txt)$ { deny all; }
    => This line is basically blocking ALL serving of zip, txt, etc. files from wp-content, is that correct? So basically any plugin which generates temporary zip/txt files in the wp-content directory will get blocked, right?

    If that's the case then it's this rule that is blocking me from accessing ZIP and TXT files generated by Gravityforms and Post Snippets in the /wp-content/uploads/ directory.

    Isn't this rule a bit extreme? I've rarely seen any WP install that doesn't have plugins generating something in /wp-content/uploads/ from time to time (usually backups of the site, backups of plugin settings, log files, etc.).
     
    Last edited: Apr 10, 2017
  4. eva2000

    No need to do anything or uncomment anything; the entry itself IS the whitelisting, as it says.
    Generally you do not need to uncomment
    Code (Text):
    #include /usr/local/nginx/conf/wpincludes/mydomain.com/wpwhitelist_common.conf;
    

    That is the difference between the 123.09beta01 path and the old 123.08stable path.

    That is correct, as a lot of WP backup plugins place backups in /wp-content/ or /wp-content/uploads/, which isn't secure as anyone who knows the locations can download your backups! The majority of WordPress plugin authors use .htaccess to protect such zips etc., but on Nginx .htaccess isn't supported, so visitors are free to start downloading your WordPress site's backups at known common locations! This is why tools/autoprotect.sh was created: https://community.centminmod.com/th...ccess-check-migration-to-nginx-deny-all.7308/

    Use the existing whitelist rules as examples, but ultimately nginx requires learning syntax unique to nginx, unlike Apache, for which a lot of WP plugin authors provide .htaccess protections, e.g. the nginx http auth basic module: Module ngx_http_auth_basic_module

    For example, the whitelist rule below allows the /wp-content/plugins/akismet directory and subdirectories to serve form.css, form.js and .png and .gif files to visitors, but blocks visitor access to .php files with deny all
    Code (Text):
    # Whitelist Exception for https://wordpress.org/plugins/akismet/
    location ~ ^/wp-content/plugins/akismet/ {
      location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)$ { allow all; }
      location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)$ { allow all; }
      location ~* /wp-content/plugins/akismet/akismet/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
        # below include file needs to be manually created at that path and to be uncommented
        # by removing the hash # in front of below line to take effect. This wpwhitelist_common.conf
        # allows you to add commonly shared settings to all wp plugin location matches which
        # whitelist php processing access at /usr/local/nginx/conf/wpincludes/${vhostname}/wpsecure_${vhostname}.conf
        #include /usr/local/nginx/conf/wpincludes/${vhostname}/wpwhitelist_common.conf;
        allow 127.0.0.1;
        deny all;
      }
    }
    

    To not confuse you, simplifying it to the below also works
    Code (Text):
    # Whitelist Exception for https://wordpress.org/plugins/akismet/
    location ~ ^/wp-content/plugins/akismet/ {
      location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)$ {
         allow all;
      }
      location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)$ {
         allow all;
      }
      location ~* /wp-content/plugins/akismet/akismet/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        deny all;
      }
    }
    


    Using Nginx with any web app like WordPress requires understanding the web app author's intention to block or prevent access to sensitive files or directories with .htaccess, and then understanding that Nginx doesn't support .htaccess, so you need to write a custom location match/protection for each of those directories the web app's author shipped .htaccess files for.

    The tools/autoprotect.sh https://community.centminmod.com/th...ccess-check-migration-to-nginx-deny-all.7308/ aims to make it easier to identify and alert owners to which directories/files they need to look at more closely in order to manually write an nginx custom rule doing the equivalent task intended by the .htaccess file. As per https://community.centminmod.com/th...-migration-to-nginx-deny-all.7308/#post-31027 you can check with a grep command which directories you need to pay closer attention to (and bypass if needed)

    where domain.com is your domain name
    Code (Text):
    grep location /usr/local/nginx/conf/autoprotect/domain.com/autoprotect-domain.com.conf
    

    Once you have the nginx custom rule placed in the nginx vhost (or use the tools/autoprotect.sh provided rule if it works), you can set up a .autoprotect-bypass file in the relevant directory https://community.centminmod.com/posts/31027/ to exclude tools/autoprotect.sh from auto-creating a rule, as the one you manually added in the nginx vhost will do the equivalent task intended by the .htaccess file.

    Oh, and don't forget you can also ask the WP plugin's author if they have premade Nginx rules equivalent to their provided .htaccess ones for properly protecting directories and files in their respective WP plugins. For example, Gravity Forms relies on .htaccess: https://www.gravityhelp.com/documentation/article/security/#the-htaccess-file
    This .htaccess protection is completely ignored by Nginx, as it doesn't support or read Apache mod_rewrite/.htaccess files. So you need to write your own Nginx equivalent location context match for it. A quick example of allowing .txt and .log file access at /wp-content/uploads/gravity_forms/logs/ for just your ISP IP address would be
    Code (Text):
    location ~* ^/wp-content/uploads/gravity_forms/logs/(.+)\.(txt|log)$ {
        allow 127.0.0.1;
        allow YOURISPIP_ADDRESS;
        deny all;
    }
    

    Basically, creating that specific location context match punches a hole in the protection of the below location context, provided the order of location contexts is correct as per http://nginx.org/en/docs/http/ngx_http_core_module.html#location
    Code (Text):
    location ~* /(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z|txt)$ { deny all; }
    

    thus whitelisting .txt and .log extension files and allowing access to /wp-content/uploads/gravity_forms/logs/ only from your ISP IP address

    If some of the zips and logs are for your eyes only, you can download them via sftp or ftp instead of the insecure convenience of browser based downloads.

    Example from my SSH client, SecureCRT, of downloading files to my local PC via sftp

    SecureCRT's native sftp support allows you to open an sftp connection within your SSH session so you can easily download (get) or upload (put) via sftp from your server to your local computer, just using common ftp commands.

    The screenshot example is downloading the Centmin Mod install log from /root/centminlogs to the local D:\ftp directory


    Or just view the log within the SSH session via Linux command line tools like tail etc.

    View the last 100 lines of the file at /home/nginx/domains/domain.com/wp-content/uploads/gravity_forms/logs/gravityforms_1e2c.txt
    Code (Text):
    tail -100 /home/nginx/domains/domain.com/wp-content/uploads/gravity_forms/logs/gravityforms_1e2c.txt
    


    edit: ouch, do a Google search just for gravity_forms/logs/ and you can see how many sites are unprotected and wide open for visitors to view directory files at gravity_forms/logs/, even for Apache and nginx sites! Even worse, some have PayPal payments txt files in full publicly accessible view with transaction details, emails etc.! Centmin Mod 123.09beta01's tools/autoprotect.sh tries to prevent that from happening :)
     
    Last edited: Apr 10, 2017
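To make the ordering point in the post above concrete, here is an added example of my own (Python, not part of the thread, not Centmin Mod code and not nginx itself) that simulates the two nginx behaviours the hole-punching relies on: among regex locations, the first one in configuration order that matches the URI wins and the search stops; inside it, ngx_http_access_module checks allow/deny rules top to bottom and the first rule matching the client decides. The config strings are constructed for the example: the Gravity Forms whitelist and the wp-content catch-all are the rules quoted in the thread, 203.0.113.10 stands in for YOURISPIP_ADDRESS, and the post-snippets-export.zip location is my hypothetical addition modelled on the Gravity Forms one. Nested locations (as in the akismet rule) are not modelled.

```python
import ipaddress
import re

# Whitelist holes, constructed for this example. 203.0.113.10 stands in for
# YOURISPIP_ADDRESS; the post-snippets rule is hypothetical, modelled on the
# Gravity Forms rule from the thread.
HOLES = r"""
location ~* ^/wp-content/uploads/gravity_forms/logs/(.+)\.(txt|log)$ {
    allow 127.0.0.1;
    allow 203.0.113.10;
    deny all;
}
location ~* ^/wp-content/uploads/post-snippets-export\.zip$ {
    allow 203.0.113.10;
    deny all;
}
"""

# The wpsecure catch-all that produced the 403s in the thread.
CATCH_ALL = r"location ~* /(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z|txt)$ { deny all; }"

WHITELIST_FIRST = HOLES + CATCH_ALL + "\n"  # correct order: holes before the catch-all
DENY_FIRST = CATCH_ALL + "\n" + HOLES       # wrong order: catch-all is reached first

LOCATION_RE = re.compile(r"location\s+(~\*?)\s+(\S+)\s*\{(.*?)\}", re.S)
ACCESS_RE = re.compile(r"\b(allow|deny)\s+(\S+?)\s*;")


def parse_locations(conf):
    """Return [(compiled pattern, [(verb, target), ...])] in configuration order.

    Only regex locations ('~' and '~*') are modelled, which is all the rules
    above use; '~*' becomes re.IGNORECASE, like nginx's case-insensitive match.
    """
    parsed = []
    for modifier, pattern, body in LOCATION_RE.findall(conf):
        flags = re.IGNORECASE if modifier == "~*" else 0
        parsed.append((re.compile(pattern, flags), ACCESS_RE.findall(body)))
    return parsed


def access_decision(rules, client_ip):
    """ngx_http_access_module semantics: rules are checked top to bottom and the
    first one matching the client decides; with no matching rule, access is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for verb, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target, strict=False):
            return verb
    return "allow"


def decide(conf, uri, client_ip):
    """Regex-location selection as nginx does it after prefix locations have been
    considered: the FIRST regex location in file order whose pattern matches the
    URI is used and the search stops. Returns 'allow', 'deny' or 'no-match'
    (no regex location claimed the request; nginx would fall back to the best
    prefix location)."""
    for pattern, rules in parse_locations(conf):
        if pattern.search(uri):
            return access_decision(rules, client_ip)
    return "no-match"


if __name__ == "__main__":
    log = "/wp-content/uploads/gravity_forms/logs/gravityforms_1e2c.txt"
    for label, conf in (("holes before catch-all", WHITELIST_FIRST), ("catch-all first", DENY_FIRST)):
        print(label, "->", decide(conf, log, "203.0.113.10"))
```

Run it and the same request from the whitelisted address is allowed under WHITELIST_FIRST and denied under DENY_FIRST, which is the "if order of location contexts is correct" caveat in practice; a stray backup.zip elsewhere under wp-content stays denied in both orders, so the hole is as narrow as the regex you wrote.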
  5. Benjamin74

    Awesome, thanks for all the very detailed explanations it all starts to make sense :)