How to secure xenforo with Nginx
- Thread starter DRaver
- Start date
TPerry
Well-known member
Really? How well does that work on Debian?Basic Nginx Setup for newbie
centminmod.com
DRaver
Active member
This is my conf file:
What I need is the code vor the install directory.
Any more ?
Code:
server {
listen xxx.xx.xxx.xxx:80;
server_name mysite.net xxx.xx.xxx.xxx;
return 301 http://www.mysite.net$request_uri;
}
server {
listen xxx.xx.xxx.xxx:80;
server_name www.mysite.net;
root /var/www/mysite;
index index.php index.html index.htm;
access_log /var/log/nginx/mysite.net.access.log;
error_log /var/log/nginx/mysite.net.error.log;
# Make site accessible from http://localhost/
#server_name localhost;
if ($allowed_country = no) {
return 444;
}
location ~/admin\.php$ {
auth_basic "Administrator Login";
auth_basic_user_file /var/www/htpasswd;
root /var/www/mysite;
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_read_timeout 300;
fastcgi_param HTTP_SCHEME https;
include fastcgi_params;
}
location / {
try_files $uri $uri/ /index.php?$uri&$args;
}
# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
# CSS and Javascript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
location ~ /(internal_data|library) {
internal;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_read_timeout 300;
fastcgi_send_timeout 180;
fastcgi_connect_timeout 60;
fastcgi_ignore_client_abort off;
fastcgi_intercept_errors on;
}
}What I need is the code vor the install directory.
Any more ?
As you can do with almost all web servers. ;-)
TPerry
Well-known member
Adam Howard
Well-known member
12. Will there be a Debian or FreeBSD version with full menu support ?Really? How well does that work on Debian?
Currently, only testing Debian for MariaDB 5.2.x Mysql tuning and optimisation and for the Debian version of my mysqlmymonlite.sh server stats gathering script. But there's a definite possibility that in future, I'll write up a Debian version once I have Centmin Mod version settled in terms of features and stability. As for a FreeBSD Nginx auto installer script, there's no plans right now. But that can change.
http://centminmod.com/faq.html
TPerry
Well-known member
In another words... it don't.
I was already aware of the "in the works for the future" statement that was made in reference to it.... but it's here and now currently.
HittingSmoke
Active member
The first thing you need to go is read the Nginx pitfalls docs: http://wiki.nginx.org/Pitfalls
Specifically, the sections about uncontrolled PHP execution and checking for a valid file extension. Without the first, a user could upload a PHP script with an image extension then if called by the browser it would execute the PHP script. Without the second someone could go to someting like www.example.com/library and browse your file system to download your config.php file to get your database credentials.
The XenForo friendly URLs page has some additional config options for security related to the last point: http://xenforo.com/help/friendly-urls/
Specifically these lines:
This prevents ANY remote access to your library or internal_data directories so only scripts on the server can see or execute scripts in them.
As others have said, secure your admin page with HTTP auth or via allow: ipaddress;.
You can also move certain sensitive directories out of the web root with config.php: http://xenforo.com/help/config-php-options/
If you've followed the previous instructions then it's not an issue as you're restricting any external access to those directories anyway, but it's something you can do for a little extra peace of mind.
Not specifically Nginx related, but don't allow network connections to your database server. Make sure XenForo is communicating with your database via a UNIX socket and put skip-networking; in your MySQL server config.
That sort of mentality leads me to believe your web server is improperly configured and vulnerable to attack. If you think a firewall is protecting you from SQL injection or uncontrolled PHP execution then you probably shouldn't be giving advice related to securing a server.
Specifically, the sections about uncontrolled PHP execution and checking for a valid file extension. Without the first, a user could upload a PHP script with an image extension then if called by the browser it would execute the PHP script. Without the second someone could go to someting like www.example.com/library and browse your file system to download your config.php file to get your database credentials.
The XenForo friendly URLs page has some additional config options for security related to the last point: http://xenforo.com/help/friendly-urls/
Specifically these lines:
Code:
location /internal_data/ {
internal;
}
location /library/ {
internal;
}This prevents ANY remote access to your library or internal_data directories so only scripts on the server can see or execute scripts in them.
As others have said, secure your admin page with HTTP auth or via allow: ipaddress;.
You can also move certain sensitive directories out of the web root with config.php: http://xenforo.com/help/config-php-options/
If you've followed the previous instructions then it's not an issue as you're restricting any external access to those directories anyway, but it's something you can do for a little extra peace of mind.
Not specifically Nginx related, but don't allow network connections to your database server. Make sure XenForo is communicating with your database via a UNIX socket and put skip-networking; in your MySQL server config.
That sort of mentality leads me to believe your web server is improperly configured and vulnerable to attack. If you think a firewall is protecting you from SQL injection or uncontrolled PHP execution then you probably shouldn't be giving advice related to securing a server.
DRaver
Active member
I have this in my conf:
Code:
location ~ /(internal_data|library) {
internal;
}Is that not the same like your code?
MattW
Well-known member
Yes it's the same, just in a single line, rather the split into separate location sections.
TPerry
Well-known member
Yep...it's exactly what I have also.
TPerry
Well-known member
Easy... basically the same way you are doing in your example for the admin.php. Here is what I use:
Code:
location /install {
auth_basic "Administrator Login";
auth_basic_user_file /my/secret/sauce/my.pass.word;
index index.php index.html index.htm;
}
Floren
Well-known member
Did you tested those locations to see if you get a 404?
To OP:
https://www.axivo.com/community/threads/basic-nginx-configuration-file.128/
http://xenforo.com/community/threads/nginx.46328/page-2#post-624044
MattW
Well-known member
On my site, yes, but then I followed one of your posts on nesting them
Code:
location /internal_data {
location ~ \.(data|html|php)$ {
internal;
}
internal;
}
location /library {
location ~ \.(default|html|php|txt|xml)$ {
internal;
}
internal;
}Similar threads
- Question
