
How to secure xenforo with Nginx

Discussion in 'Server Configuration and Hosting' started by DRaver, Nov 7, 2013.

  1. DRaver

    DRaver Active Member

    What is there to do to protect XenForo with Nginx and make your community safe?
     
  2. RoldanLT

    RoldanLT Well-Known Member

    Basic Nginx Setup for newbie :)
    centminmod.com
     
  3. DRaver

    DRaver Active Member

    I don't need a newbie Nginx setup. Nginx is working, but I want some hints specifically on securing XenForo.
     
  4. MattW

    MattW Well-Known Member

    Limit access to admin.php to your IP address. Limit access to the install directory in the same way, or with a username / password.
     
  5. Tracy Perry

    Tracy Perry Well-Known Member

    Really? How well does that work on Debian? ;)
     
  6. HWS

    HWS Well-Known Member

    Nginx is a web server not a firewall.
     
  7. DRaver

    DRaver Active Member

    This is my conf file:


    Code:
    server {
        listen xxx.xx.xxx.xxx:80;
        server_name mysite.net xxx.xx.xxx.xxx;
        return 301 http://www.mysite.net$request_uri;
    }
    server {
        listen xxx.xx.xxx.xxx:80;
        server_name www.mysite.net;
        root /var/www/mysite;
        index index.php index.html index.htm;
        access_log /var/log/nginx/mysite.net.access.log;
        error_log /var/log/nginx/mysite.net.error.log;
        # Make site accessible from http://localhost/
        #server_name localhost;

        # $allowed_country is expected to be set by a geoip map in the http block
        if ($allowed_country = no) {
            return 444;
        }

        # Regex locations are tried in the order they appear, so this block must come
        # before the media and CSS/JS blocks, otherwise /library/foo.jpg would be served
        location ~ /(internal_data|library) {
            internal;
        }

        location ~ /admin\.php$ {
            auth_basic "Administrator Login";
            auth_basic_user_file /var/www/htpasswd;
            root /var/www/mysite;
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_read_timeout 300;
            fastcgi_param HTTP_SCHEME https;
            # upstream fastcgi_params does not set SCRIPT_FILENAME, so set it here as the .php block does
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }

        location / {
            try_files $uri $uri/ /index.php?$uri&$args;
        }

        # Media: images, icons, video, audio, HTC
        location ~* \.(?:jpg|jpeg|gif|png|ico|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
            expires 1M;
            access_log off;
            add_header Cache-Control "public";
        }

        # CSS and Javascript
        location ~* \.(?:css|js)$ {
            expires 1y;
            access_log off;
            add_header Cache-Control "public";
        }

        location ~ \.php$ {
            # only hand files that really exist to PHP-FPM (the "uncontrolled PHP execution" pitfall)
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_read_timeout 300;
            fastcgi_send_timeout 180;
            fastcgi_connect_timeout 60;
            fastcgi_ignore_client_abort off;
            fastcgi_intercept_errors on;
        }
    }
    What I need is the code for the install directory.

    Any more?
     
  8. Tracy Perry

    Tracy Perry Well-Known Member

    No... it's not a firewall, but you CAN protect files/directories by password and only allow access by certain IPs (specific and ranges) very easily.
     
  9. HWS

    HWS Well-Known Member

    As you can do with almost all web servers. ;-)
     
    SneakyDave likes this.
  10. Tracy Perry

    Tracy Perry Well-Known Member

    Yes, and the point is that he was referring to using nginx to protect (a very specific request). If he'd asked about iptables and nginx then that would be another type of catfish. :D
    Dual layer if you run a VPS or dedicated... iptables and additional restrictions via the web server.
     
    MattW likes this.
  11. Adam Howard

    Adam Howard Well-Known Member

    12. Will there be a Debian or FreeBSD version with full menu support ?

    Currently, only testing Debian for MariaDB 5.2.x Mysql tuning and optimisation and for the Debian version of my mysqlmymonlite.sh server stats gathering script. But there's a definite possibility that in future, I'll write up a Debian version once I have Centmin Mod version settled in terms of features and stability. As for a FreeBSD Nginx auto installer script, there's no plans right now. But that can change.

    http://centminmod.com/faq.html
     
  12. Tracy Perry

    Tracy Perry Well-Known Member

    In other words... it doesn't. ;)
    I was already aware of the "in the works for the future" statement that was made in reference to it.... but it's here and now currently. :p
     
    SneakyDave and Adam Howard like this.
  13. HittingSmoke

    HittingSmoke Active Member

    The first thing you need to do is read the Nginx pitfalls docs: http://wiki.nginx.org/Pitfalls

    Specifically, the sections about uncontrolled PHP execution and checking for a valid file extension. Without the first, a user could upload a PHP script with an image extension, and if it is called by the browser the PHP script would execute. Without the second, someone could go to something like www.example.com/library and browse your file system to download your config.php file to get your database credentials.

    The XenForo friendly URLs page has some additional config options for security related to the last point: http://xenforo.com/help/friendly-urls/

    Specifically these lines:
    Code:
    location /internal_data/ {
        internal;
    }
    location /library/ {
        internal;
    }
    This prevents ANY remote access to your library or internal_data directories so only scripts on the server can see or execute scripts in them.

    As others have said, secure your admin page with HTTP auth or via an allow ipaddress; rule.

    You can also move certain sensitive directories out of the web root with config.php: http://xenforo.com/help/config-php-options/

    If you've followed the previous instructions then it's not an issue as you're restricting any external access to those directories anyway, but it's something you can do for a little extra peace of mind.

    Not specifically Nginx related, but don't allow network connections to your database server. Make sure XenForo is communicating with your database via a UNIX socket and put skip-networking in your MySQL server config.

    That sort of mentality leads me to believe your web server is improperly configured and vulnerable to attack. If you think a firewall is protecting you from SQL injection or uncontrolled PHP execution then you probably shouldn't be giving advice related to securing a server.
     
  14. DRaver

    DRaver Active Member

    I have this in my conf:

    Code:
    location ~ /(internal_data|library) {
        internal;
    }
    
    Is that not the same as your code?
     
  15. MattW

    MattW Well-Known Member

    Yes, it's the same, just in a single line rather than split into separate location sections.
     
  16. Tracy Perry

    Tracy Perry Well-Known Member

    Yep...it's exactly what I have also.
     
  17. DRaver

    DRaver Active Member

    Okay, this means that all I need is to secure the install directory with a password.
    How?
     
  18. Tracy Perry

    Tracy Perry Well-Known Member

    Easy... basically the same way you are doing in your example for the admin.php. Here is what I use:
    Code:
    location ^~ /install/ {  # ^~ stops the regex search, so /install/*.php is not picked up by the unauthenticated "location ~ \.php$"
        auth_basic "Administrator Login";
        auth_basic_user_file /my/secret/sauce/my.pass.word;
        index index.php index.html index.htm;
        location ~ \.php$ {  # nested handler, otherwise the PHP files in /install would be served as plain files
            fastcgi_pass unix:/var/run/php5-fpm.sock;  # socket path as in the config posted above
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
     
    DRaver likes this.
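Added example, not code from the thread or from XenForo: a small Python lint that checks an nginx server block for the points raised in HittingSmoke's post and in the install-directory snippet above: that every PHP handler has a try_files guard against uncontrolled PHP execution, that internal_data and library are marked internal, and that a password-protected install location is not bypassed for /install/index.php by the generic "location ~ \.php$" block. The mini parser, the finding codes and the sample config are all constructed for this example.

```python
import re
# Constructed sample (hypothetical, not a poster's config): /install is a plain prefix
# location and the generic PHP handler has no try_files guard, so both get flagged.
SAMPLE_CONF = r"""server {
    root /var/www/mysite;
    location / { try_files $uri $uri/ /index.php?$uri&$args; }
    location ~ /admin\.php$ { auth_basic "Admin"; auth_basic_user_file /etc/nginx/htpasswd;
                              try_files $uri =404; fastcgi_pass unix:/var/run/php5-fpm.sock; }
    location /install { auth_basic "Admin"; auth_basic_user_file /etc/nginx/htpasswd; }
    location ~ /(internal_data|library) { internal; }
    location ~ \.php$ { fastcgi_pass unix:/var/run/php5-fpm.sock; include fastcgi_params; }
}"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted string, punctuation, or bare word
def parse(tokens):
    """Recursive descent over a token iterator: (name, args, children), children None for plain directives."""
    items, cur = [], []
    for tok in tokens:
        if tok == ';':
            items.append((cur[0], cur[1:], None)); cur = []
        elif tok == '{':
            items.append((cur[0], cur[1:], parse(tokens))); cur = []
        elif tok == '}':
            break
        else:
            cur.append(tok)
    return items

def locations(items):  # yield (match expression, directives) for every location block, nested ones included
    for name, args, children in items:
        if children is not None:
            if name == 'location':
                yield ' '.join(args), children
            yield from locations(children)

def lint(text):
    """Sorted finding codes for the hardening points raised in the thread; an empty list means all clear."""
    findings, locs = [], list(locations(parse(iter(TOKEN.findall(re.sub(r'#[^\n]*', '', text))))))
    for expr, d in locs:
        n = [x[0] for x in d]
        if expr.endswith(r'\.php$') and 'fastcgi_pass' in n and not any(x[0] == 'try_files' and '=404' in x[1] for x in d):
            findings.append('php-handler-lacks-try_files')        # pitfall: uncontrolled PHP execution
        if 'install' in expr and 'auth_basic' in n:
            if not expr.startswith('^~'):
                findings.append('install-bypassed-by-php-regex')  # "location ~ \.php$" wins for /install/index.php
            elif not any(x[0] == 'location' and 'fastcgi_pass' in [y[0] for y in x[2]] for x in d):
                findings.append('install-php-served-as-static')   # ^~ with no nested handler serves PHP source
    for path in ('internal_data', 'library'):
        if not any(path in expr and 'internal' in [x[0] for x in d] for expr, d in locs):
            findings.append(path + '-not-internal')
    return sorted(findings)
```

Run lint() against your own server block (the parser ignores comments and nested blocks work); the three install/PHP codes correspond to the ordering rules nginx applies when a prefix location and a regex location both match.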
  19. Floren

    Floren Well-Known Member

  20. MattW

    MattW Well-Known Member

    Floren likes this.
