
How to secure xenforo with Nginx

MattW

Well-known member
#4
Limit access to admin.php to your IP address. Limit access to the install directory in the same way, or with a username / password.
 

DRaver

Active member
#7
This is my conf file:


Code:
server {
    listen xxx.xx.xxx.xxx:80;
    server_name mysite.net xxx.xx.xxx.xxx;
    return 301 http://www.mysite.net$request_uri;
}
server {
    listen xxx.xx.xxx.xxx:80;
    server_name www.mysite.net;
    root /var/www/mysite;
    index index.php index.html index.htm;
    access_log /var/log/nginx/mysite.net.access.log;
    error_log /var/log/nginx/mysite.net.error.log;
    # Make site accessible from http://localhost/
    #server_name localhost;

    # $allowed_country has to be defined by a geoip/map block at http level
    if ($allowed_country = no) {
        return 444;
    }

    # admin.php: HTTP Basic auth in front of the normal PHP handling
    location ~ /admin\.php$ {
        auth_basic "Administrator Login";
        auth_basic_user_file /var/www/htpasswd;
        root /var/www/mysite;
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_read_timeout 300;
        fastcgi_param HTTP_SCHEME https;
        # set explicitly, as in the generic PHP block below, rather than
        # relying on the distribution's fastcgi_params to provide it
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location / {
        try_files $uri $uri/ /index.php?$uri&$args;
    }

    # Media: images, icons, video, audio, HTC
    location ~* \.(?:jpg|jpeg|gif|png|ico|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }

    # CSS and Javascript
    location ~* \.(?:css|js)$ {
        expires 1y;
        access_log off;
        add_header Cache-Control "public";
    }

    # only reachable through internal redirects, never directly from a client
    location ~ /(internal_data|library) {
        internal;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 300;
        fastcgi_send_timeout 180;
        fastcgi_connect_timeout 60;
        fastcgi_ignore_client_abort off;
        fastcgi_intercept_errors on;
    }
}
What I need is the code for the install directory.

Any more?
 

Tracy Perry

Well-known member
#10
As you can do with almost all web servers. ;-)
Yes, and the point is that he was referring to using nginx to protect (a very specific request). If he'd asked about iptables and nginx then that would be another type of catfish. :D
Dual layer if you run a VPS or dedicated... iptables and additional restrictions via the web server.
 

Adam Howard

Well-known member
#11
Really? How well does that work on Debian? ;)
12. Will there be a Debian or FreeBSD version with full menu support ?

Currently, only testing Debian for MariaDB 5.2.x Mysql tuning and optimisation and for the Debian version of my mysqlmymonlite.sh server stats gathering script. But there's a definite possibility that in future, I'll write up a Debian version once I have Centmin Mod version settled in terms of features and stability. As for a FreeBSD Nginx auto installer script, there's no plans right now. But that can change.

http://centminmod.com/faq.html
 

Tracy Perry

Well-known member
#12
12. Will there be a Debian or FreeBSD version with full menu support ?

Currently, only testing Debian for MariaDB 5.2.x Mysql tuning and optimisation and for the Debian version of my mysqlmymonlite.sh server stats gathering script. But there's a definite possibility that in future, I'll write up a Debian version once I have Centmin Mod version settled in terms of features and stability. As for a FreeBSD Nginx auto installer script, there's no plans right now. But that can change.

http://centminmod.com/faq.html
In other words... it don't. ;)
I was already aware of the "in the works for the future" statement that was made in reference to it.... but it's here and now currently. :p
 
#13
The first thing you need to do is read the Nginx pitfalls docs: http://wiki.nginx.org/Pitfalls

Specifically, the sections about uncontrolled PHP execution and checking for a valid file extension. Without the first, a user could upload a PHP script with an image extension, and if it were called by the browser the PHP script would execute. Without the second, someone could go to something like www.example.com/library and browse your file system to download your config.php file and get your database credentials.

The XenForo friendly URLs page has some additional config options for security related to the last point: http://xenforo.com/help/friendly-urls/

Specifically these lines:
Code:
location /internal_data/ {
    internal;
}
location /library/ {
    internal;
}
This prevents ANY remote access to your library or internal_data directories so only scripts on the server can see or execute scripts in them.

As others have said, secure your admin page with HTTP auth or via allow ipaddress;.

You can also move certain sensitive directories out of the web root with config.php: http://xenforo.com/help/config-php-options/

If you've followed the previous instructions then it's not an issue as you're restricting any external access to those directories anyway, but it's something you can do for a little extra peace of mind.

Not specifically Nginx related, but don't allow network connections to your database server. Make sure XenForo is communicating with your database via a UNIX socket and put skip-networking in your MySQL server config.

Nginx is a web server, not a firewall.
That sort of mentality leads me to believe your web server is improperly configured and vulnerable to attack. If you think a firewall is protecting you from SQL injection or uncontrolled PHP execution then you probably shouldn't be giving advice related to securing a server.
 

Tracy Perry

Well-known member
#18
Okay, this means that everything I need is to secure the install directory with a PW.
How?
Easy... basically the same way you are doing in your example for the admin.php. Here is what I use:
Code:
location ^~ /install/ {
    auth_basic "Administrator Login";
    auth_basic_user_file /my/secret/sauce/my.pass.word;
    index index.php index.html index.htm;
    # nested handler: a server-level "location ~ \.php$" would otherwise win
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
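Putting the advice from posts #13 and #18 together, as an added example rather than any poster's own config: admin.php and the install directory locked to an allow-listed address plus HTTP auth, library and internal_data marked internal, and PHP executed only for scripts that exist on disk. The root, htpasswd path, socket path and admin address are assumptions.

```nginx
# Added example, not taken from any post. Assumed values: web root
# /var/www/mysite, htpasswd file /etc/nginx/xf.htpasswd, PHP-FPM socket
# /var/run/php5-fpm.sock, admin address 203.0.113.10 (documentation range).
server {
    listen 80;
    server_name www.example.com;
    root /var/www/mysite;
    index index.php;

    # library/ and internal_data/ are never served to the network; only
    # internal redirects (XenForo's own scripts) can reach them (post #13).
    location ~ ^/(internal_data|library)/ {
        internal;
    }

    # admin.php and the installer/upgrader: the client must come from the
    # allow-listed address AND present HTTP Basic credentials (satisfy all).
    # Regex locations are tried in file order, so this block has to sit
    # above the generic PHP handler or that handler would win and skip auth.
    location ~ ^/(admin\.php|install/.*\.php)$ {
        satisfy all;
        allow 203.0.113.10;
        deny  all;
        auth_basic           "Administrator Login";
        auth_basic_user_file /etc/nginx/xf.htpasswd;
        try_files $uri =404;
        fastcgi_pass  unix:/var/run/php5-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include       fastcgi_params;
    }

    # Generic PHP handler. "try_files $uri =404" only passes scripts that
    # really exist on disk, so a request like /data/avatars/x.jpg/foo.php
    # is rejected instead of letting PHP-FPM fall back to executing x.jpg
    # (the "uncontrolled PHP execution" pitfall). Also set
    # cgi.fix_pathinfo=0 in php.ini.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass  unix:/var/run/php5-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include       fastcgi_params;
    }

    # XenForo friendly URLs: anything else is routed through index.php
    location / {
        try_files $uri $uri/ /index.php?$uri&$args;
    }
}
```

Check it with nginx -t before reloading, then confirm from an address outside the allow list that /admin.php and /install/index.php return 403 and /library/config.php returns 404.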
 

MattW

Well-known member
#20