I'm kind of ashamed to bother you with such a simple question, but I cannot figure out why my nginx configuration is not enforcing a simple deny rule for a subfolder, and I really hope you can point me to the obvious mistake.
So, the setup: I have an nginx web server running, /var/www is the root directory and there are some subfolders. SSL is enforced, and as I am using Baikal CalDAV/CardDAV, the fastcgi settings originate from the corresponding documentation. Here is the currently working config file:
server {
    listen 443 ssl;
    root /var/www;
    index index.html index.htm index.php;
    server_name mydomain.org;
    ssl_certificate /path/to/nginx.crt;
    ssl_certificate_key /path/to/nginx.key;

    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    location ~ ^(.+\.php)(.*)$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        include /etc/nginx/fastcgi_params;
    }

    rewrite ^/.well-known/caldav /baikal/cal.php redirect;
    rewrite ^/.well-known/carddav /baikal/card.php redirect;
    charset utf-8;

    location ~ /(\.ht|Core|Specific) {
        deny all;
        return 404;
    }
}
Now, I simply want to restrict access to a sub-subfolder called /my/data/, which I first added to the deny block like this:
location ~ /(\.ht|Core|Specific|my/data/) {
    deny all;
    return 404;
}
But this did not work out, so I defined a separate location like:
location ~ /my/data {
    deny all;
    return 404;
}
I tried with and without a trailing slash, with and without ~ (as in /doc/), as well as putting the deny location block before any other one, and now I am at a loss. Access to /my/data and all its subfolders and files is still granted. Can anyone help me out?
Thanks for reading!
Location order is important if you are using locations with regular expressions, as locations given by regular expressions are checked in order and first matched wins. That is, a configuration like this:
location ~ \.php$ { fastcgi_pass ... }
location ~ /my/data { deny all; }
will always allow access to any .php files, even matching /my/data. To fix this, you have to maintain proper order of locations, i.e., keep location ~ /my/data first:
location ~ /my/data { deny all; }
location ~ \.php$ { fastcgi_pass ... }
Or, better yet, use a prefix location with the ^~ modifier instead; in this case the order is not important. This also ensures that proper prefix matching will be used, and regular expressions won't be checked at all. E.g.:
location ~ \.php$ { fastcgi_pass ... }
location ^~ /my/data { deny all; }
See http://nginx.org/r/location for more details about location matching in nginx.
Note well that return 404 in your configuration is redundant if you use deny all, or vice versa. Just use one of the directives.
It's also important to note that when testing, you shouldn't rely on your browser. Testing with a browser often leads to confusing results due to caching. It's a better idea to use, e.g., curl.
Related
I have a few websites which use the following code to restrict the admin area. So far I have not found a better solution than this.
##> COMMENT - WordPress Admin Area Passwords
location ^~ /wp-admin/ {
    auth_basic "Restricted Access";
    auth_basic_user_file /home/bea/panel/security/.htpasswd;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-website123.com.sock;
    }
}
We are using a plug-in that shows users an "under construction" page but provides a login to allow the website owner to view their website while it is being built. Have a look at the image below.
As you can see below, the user is prompted to fill in a password to access the website, but they are also prompted to fill in the username and password to access the admin area. This pop-up only comes up when the user has put in a password to access the website and clicks on "Access the site".
After contacting the plug-in creator, they suggested excluding wp-admin/admin-ajax.php?
Or is there a better practice to follow? I have noticed from time to time that some plug-ins require access to the admin area to function correctly.
I may have found a solution:
##> COMMENT - WordPress Admin Area Password, usually for LIVE sites
location /wp-admin {
    location ~ /wp-admin/admin-ajax.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.com.sock;
    }

    location ^~ /wp-admin/ {
        auth_basic "Restricted Access";
        auth_basic_user_file /home/user/panel/security/._htpasswd;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.sock;
    }
}
I just want somebody to validate the code above and check that it is secure. I'm still willing to offer a bounty to validate its level of security.
After playing around for many hours I have found a working solution, but I am not quite sure if it is secure.
location /wp-admin {
    location ~ /wp-admin/admin-ajax.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.com.sock;
    }

    location ^~ /wp-admin/ {
        auth_basic "Restricted Access";
        auth_basic_user_file /home/user/panel/security/._htpasswd;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-WEBSITE.tv.sock;
    }
}
But it is a working solution.
I think something like the below should do the job for you:
location ^~ /wp-admin/ {
    auth_basic "Restricted Access";
    auth_basic_user_file /home/bea/panel/security/.htpasswd;

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-website123.com.sock;
    }
}

location = /wp-admin/admin-ajax.php {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php7.3-fpm-website123.com.sock;
}
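The location selection rules behind the /my/data answer earlier on this page (regex locations tried in file order, a ^~ prefix stopping the regex search) and the exact-match admin-ajax.php location in the WordPress answer just above can both be checked against a small model of nginx's algorithm. The Python below is an added example written for this page, not nginx code and not anything the posters ran; the location tables and the labels they return (php, deny, auth_php, ...) are constructed for illustration.

```python
import re

# Model of nginx location selection (added example, not nginx code):
#   an "=" exact match wins outright; otherwise the longest matching prefix
#   location is remembered and, if it carries "^~", chosen without looking at
#   regexes; else "~" / "~*" regex locations are tried in file order and the
#   first match wins; with no regex match the remembered prefix is used.
# Nested locations are resolved the same way inside the chosen block.
# A location is (modifier, pattern, name, children).

def loc(mod, pattern, name, children=()):
    return (mod, pattern, name, list(children))

def select_location(locations, uri):
    best = None
    for entry in locations:
        mod, pat = entry[0], entry[1]
        if mod == "=" and uri == pat:
            return innermost(entry, uri)
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = entry
    if best is not None and best[0] == "^~":
        return innermost(best, uri)
    for entry in locations:
        mod, pat = entry[0], entry[1]
        if (mod == "~" and re.search(pat, uri)) or \
           (mod == "~*" and re.search(pat, uri, re.IGNORECASE)):
            return innermost(entry, uri)
    return innermost(best, uri) if best is not None else None

def innermost(entry, uri):
    """Name of the nested block that handles uri, else the block's own name."""
    inner = select_location(entry[3], uri) if entry[3] else None
    return inner if inner is not None else entry[2]

# Constructed tables mirroring the three snippets in the /my/data answer.
BROKEN = [loc("~", r"\.php$", "php"), loc("~", r"/my/data", "deny")]
REORDERED = [loc("~", r"/my/data", "deny"), loc("~", r"\.php$", "php")]
PREFIX_FIX = [loc("~", r"\.php$", "php"), loc("^~", "/my/data", "deny")]
# ... and the layout of the last WordPress answer (labels are constructed).
WP_ANSWER = [
    loc("^~", "/wp-admin/", "auth_static", [loc("~", r"\.php$", "auth_php")]),
    loc("=", "/wp-admin/admin-ajax.php", "ajax_php"),
    loc("~", r"\.php$", "php"),
]
```

Running select_location(BROKEN, "/my/data/secret.php") returns "php" while the reordered and ^~ tables return "deny"; with WP_ANSWER, /wp-admin/admin-ajax.php resolves to the exact location and /wp-admin/index.php to the password-protected nested PHP block.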
My client moved to a new server running nginx and Percona Server. The problem is that the forward slash is being removed from the end of the URL, as you can see in the picture http://imgur.com/8OAUQZb
Therefore the design files such as JS and CSS files are not loading, or it gives the Magento 404 not found page. It happens randomly.
In the database, web/unsecure/base_url and web/secure/base_url are set with a trailing forward slash: http://78.137.115.47.srvlist.ukfast.net/
I'm assuming something is wrong with the nginx file. The rewrite rules might be wrong. I have tried every possible way that I found on this website and on Google but nothing works. It might be something else. Could you please help?
This is the nginx conf file for the domain:
# Uncomment the server definition below should you wish to
# redirect from punkyfish.com to www.punkyfish.com
#server {
#    listen 192.168.92.247;
#    server_name punkyfish.com;
#    #rewrite / $scheme://www.$host$request_uri permanent;
#}
#
# Change this backend name (and the socket pointer)
# as additional virtual hosts are added. This should
# point to the spawn-fcgi wrapper running as the
# appropriate user.
#
upstream punkyfishcombackend {
    server unix:/var/run/php-fcgi-punkyfishcom.sock;
}

server {
    listen 192.168.92.247:80;
    server_name punkyfish.com;
    root /var/www/vhosts/punkyfish.com/htdocs;

    location / {
        index index.html index.php;
        try_files $uri $uri/ @handler;   # fall back to the named location below
        expires 30d;
    }

    location /app/ { deny all; }
    location /includes/ { deny all; }
    location /lib/ { deny all; }
    location /media/downloadable/ { deny all; }
    location /pkginfo/ { deny all; }
    location /report/config.xml { deny all; }
    location /var/ { deny all; }

    location /. {
        return 404;
    }

    # Named location: send unmatched requests to Magento's front controller
    location @handler {
        rewrite / /index.php;
    }

    # Strip path info after .php so the script itself is matched below
    location ~ \.php/ {
        rewrite ^(.*\.php)/ $1 last;
    }

    include "ssl_offloading.inc";

    location ~ \.php$ {
        if (!-e $request_filename) { rewrite / /index.php last; }
        expires off;
        fastcgi_pass punkyfishcombackend;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # fastcgi_param MAGE_RUN_CODE default;
        # fastcgi_param MAGE_RUN_TYPE store;
        include fastcgi_params;
    }
}
This was due to nginx caching everything; regardless of my changes, the DB and files weren't being reflected. I cleaned the cache from the nginx cache folder and the problem was solved.
Thanks.
I need to only serve .vmdk and .vmx files on a virtual server, no matter what directory level. This is my current configuration (right now it serves all, but if I uncomment the lower part it serves nothing):
server {
    listen 80;
    server_name vmdk;
    access_log /var/log/nginx/localhost.access.log;
    root /srv/vmdk/public;

    location ~ (./?|\vmdk|\vmx)$ {
        autoindex on;
    }

    #location / {
    #    deny all;
    #}
}
How do I achieve this?
If it is easier to achieve with Apache, then an example Apache configuration is also appreciated.
This should work:
server {
    listen 80;
    server_name vmdk;
    access_log /var/log/nginx/localhost.access.log;
    root /srv/vmdk/public;

    location / {
        deny all; # deny by default

        location ~ "\.(vmdk|vmx)$" {
            allow all; # allow vm disk images, etc.
        }

        location ~ "/$" {
            allow all;
            autoindex on; # allow listing directory contents
        }
    }
}
I have a DigitalOcean VPS running nginx which has two websites on it. The two sites on it are: www.ingledow.co.uk and blog.ingledow.co.uk.
My main (www.) domain is predominantly a static site, but my blog (blog.) subdomain runs on Ghost.
Everything works perfectly apart from the fact that I can access my blog from both www. and blog. For example, here is a blog post at http://blog.ingledow.co.uk/puma-social-club/, but the same blog post can be seen from http://www.ingledow.co.uk/puma-social-club/.
Another point to note is that if you try to go to http://ingledow.co.uk/puma-social-club/ without the www. or blog. it 404s.
The problem lies in having two sites on the same VPS, but I'm not sure if there's a problem with my nginx configs, or whether it's a problem with my DNS, or both?
The nginx config files are in /sites-available/ and symlinked to /sites-enabled/.
I need to get this fixed because it is causing issues with Google search results and SEO.
Here's my DNS:
blog.ingledow.co.uk.conf
# blog.ingledow.co.uk running on Ghost
server {
    listen 80; ## listen for ipv4; this line is default and implied
    #listen [::]:80 default ipv6only=on; ## listen for ipv6
    root /var/www/ghost;
    index index.php index.html index.htm;

    # Make site accessible from http://localhost/
    server_name blog.ingledow.co.uk;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://127.0.0.1:2369;
        client_max_body_size 10m;
        break;
    }

    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        deny all;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location /phpmyadmin { index index.php; }
}
ingledow.co.uk.conf
# ingledow.co.uk.conf
server {
    listen 80; ## listen for ipv4; this line is default and implied
    #listen [::]:80 default ipv6only=on; ## listen for ipv6
    root /var/www/ingledow.co.uk/public_html;
    index index.php index.html index.htm;

    # Make site accessible from http://localhost/
    server_name ingledow.co.uk;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        try_files $uri $uri/ /index.html /index.php;
        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        deny all;
    }

    # Only for nginx-naxsi : process denied requests
    #location /RequestDenied {
    #    # For example, return an error code
    #    #return 418;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location /phpmyadmin { index index.php; }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}
Try adding www. to server_name ingledow.co.uk; in the ingledow.co.uk server block, e.g.:
server_name www.ingledow.co.uk ingledow.co.uk;
If you don't want the site to be accessed without the www. subdomain prefix, you should remove it from the server_name.
Another way to do it is to have the server block as is for the blog, and just use a catch all server block for the main static site.
I installed sqlbuddy following the guide by Ars Technica, but I cannot seem to access sqlbuddy.
This is the setup for /etc/nginx/sites-available/www:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    root /usr/share/nginx/html;
    index index.html index.htm index.php;

    # Make site accessible from http://localhost/
    server_name localhost;

    location / {
        try_files $uri $uri/ =404;
        allow 192.168.1.0/24;
        allow 127.0.0.1;
        deny all;
    }

    location ~ \.php$ {
        try_files $uri =404;
        allow 192.168.1.0/24;
        allow 127.0.0.1;
        deny all;
        include fastcgi_params;
        fastcgi_pass php5-fpm-sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }

    location ~ /\. { access_log off; log_not_found off; deny all; }
    location ~ ~$ { access_log off; log_not_found off; deny all; }

    location ~ /sqlbuddy/.*\.php$ {
        allow 192.168.1.0/24;
        allow 127.0.0.1;
        deny all;
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass php5-fpm-sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }
}
When I try to access sqlbuddy via 192.168.1.128/sqlbuddy I get this page from chrome:
http://imgur.com/8pomz3m
The nginx access log shows no record of me trying to access sqlbuddy, but it does record me accessing the index page and 192.168.1.128/phpinfo.php.
No errors are present in the nginx error log either.
I tried individually commenting out sections of the location ~ /sqlbuddy/... block, to no avail. Really lost on this one.
Following the same guide, I came across the same problem.
I commented out the location that made all requests to sqlbuddy go through HTTPS; I see you don't have it, so it shouldn't be a problem.
Try deleting the browser's cache. That did it for me.
Hope it helps.
Check your sqlbuddy folder structure, make sure your index is in /sqlbuddy/index.php and not in /sqlbuddy/src/index.php. I had to copy all sources to /sqlbuddy.
Also check your permissions and owner for sqlbuddy (www-data:www-data).