Floren
Well-known member
https://www.google.com/search?q=nginx+php-fpm+0-exploit
Anyways, I'm not here to tell you what to do, nobody is forcing you to use something different than the configuration you linked.
Last edited:
Password protecting admin.php with nginx ?
- Thread starter Mouth
- Start date
Anyways, I'm not here to tell you what to do, nobody is forcing you to use something different than the configuration you linked.
Mouth
Well-known member
The discussion referenced was on fastcgi parameters and differences(incompleteness) between default includes on operating systems, not exploits available with location block on old examples. The exploit was addresses since php 5.3.9 too, some 2 yrs ago. Most people still using php older than this probably don't have access to their php config either.
No, but IMHO, by always pointing people to documentation and telling them to read and understand it you are effectively obsfucating the issue and concerns without really helping them. Always better to give a direct answer and help, and direct to documentation for better. The more examples - and recent too - on the net with correct configurations the better everyones is, and much less likely to locate and use old and incomplete examples found/indexed.
CarlosMST
Member
You just showed to a hacker a possible way to exploit your server.
Here it is the secure way to process PHP files with Nginx.
I see everyone keeps on adding the fastcgi_index to their configuration... are you guys reading the Nginx documentation?
I think you can get it for cheaper... @digitalpoint paid $80/year for a wildcard. I only need a certificate so I got one for $36, for 5 years. I recently paid another $36 for a 5 years extension.
Thanks @Floren I revised your Tutorial https://www.axivo.com/resources/basic-configuration.3/update?update=5
I was trying in many ways to password protect the admin.php, but any works correctly, when I put the password the admin.php file was downloaded, but did not run on the server.
Now this is my current configuration:
Code:
location /install {
auth_basic "Restricted Access";
auth_basic_user_file nginx-passwd;
try_files $uri $uri/ /secret/index.php =404;
}
location = /admin.php {
auth_basic "Restricted Access";
auth_basic_user_file nginx-passwd;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
include fastcgi.conf;
}Thanks again @Floren
rizx
Member
Here's mine (keep in mind, this one redirects all http traffic to https)
Remember to replace "mysite.org" with the name of your site
Remember to create an .htpasswd file
Hope this help.
Remember to replace "mysite.org" with the name of your site
Remember to create an .htpasswd file
Hope this help.
Code:
server {
listen 80;
server_name mysite.org;
return 301 https://mysite.org;
}
server {
# address and port accepted by the server
listen 443; ## listen for ipv4
#listen [::]:80 default ipv6only=on; ## listen for ipv6
ssl_certificate /etc/nginx/ssl/ssl.bundle;
ssl_certificate_key /etc/nginx/ssl/site.key;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
server_name mysite.org www.mysite.org;
# document root for request, uncomment and set proper value
root /var/www/mysite.org;
### Uncomment these line if you want to protect the whole site with login/pwd
#auth_basic "Administrator Login";
#auth_basic_user_file /etc/nginx/.htpasswd;
# log files, uncomment and set proper values
access_log /var/log/nginx/mysite.org_access.log;
error_log /var/log/nginx/mysite.orgerror.log;
location / {
index index.php index.html index.htm;
try_files $uri $uri/ /index.php?$uri&$args;
}
location ~/admin\.php$ {
auth_basic "Administrator Login";
auth_basic_user_file /etc/nginx/.htpasswd;
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
include fastcgi_params;
}
location ~ /(internal_data|library) {
internal;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}Floren
Well-known member
@rizx, don't use a regex location ~/admin\.php$.
https://www.axivo.com/resources/nginx-basic-configuration.3/update?update=7
https://www.axivo.com/resources/nginx-basic-configuration.3/update?update=7
Glockie
Well-known member
Hi guys, sorry to bump an old thread.. I use Nginx, and https, and for love nor money I cannot protect admin.php
I have tried htaccess, then remembered it doesn't work on Nginx, so tried these and can't get it going. Someone tried accessing our admin so I need to protect it really.
Thank you, here's what I have after reading this thread:
I have tried htaccess, then remembered it doesn't work on Nginx, so tried these and can't get it going. Someone tried accessing our admin so I need to protect it really.
Thank you, here's what I have after reading this thread:
Code:
location = /admin.php {
auth_basic "Staff Only";
auth_basic_user_file /home/nginx/domains/mysite.com/private/adminaccess/.htpasswd;
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
include fastcgi_params;
}Mouth
Well-known member
Here's mine, that works fine.
Code:
location = /admin.php {
auth_basic "Restricted Access";
auth_basic_user_file htpass;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php5-fpm.sock;
include fastcgi_params;
}Mouth
Well-known member
eva2000 explains in post below.
Last edited:
eva2000
Well-known member
He's using Centmin Mod LEMP stack so mysite.com/private is private only web root is mysite.com/public http://centminmod.com/configfiles.html
eva2000
Well-known member
if ya using centmin mod stack guide at http://centminmod.com/nginx_configure_xenforo_seo_friendly_urls.html has password protection for admin.php outlined
Glockie
Well-known member
He's using Centmin Mod LEMP stack so mysite.com/private is private only web root is mysite.com/public http://centminmod.com/configfiles.html
Correct, it's NOT within my web directory
.. Okay thank you very much, will look now. Appreciate the info..
Glockie
Well-known member
Yes using this and Nginx....He's using Centmin Mod LEMP stack so mysite.com/private is private only web root is mysite.com/public http://centminmod.com/configfiles.html
Starting to miss Ubuntu and Apache now though, I was so familiar with that. This is proving challenging.
Still can't do it and now having issues getting perl scripts to run, just to run db backups.
Bloody frustrating as hell...
MattW
Well-known member
It does nowYes using this and Nginx....
Starting to miss Ubuntu and Apache now though, I was so familiar with that. This is proving challenging.
Still can't do it and now having issues getting perl scripts to run, just to run db backups.
Bloody frustrating as hell...
Code:
location ~ ^/(admin.php) {
auth_basic "Private";
auth_basic_user_file /usr/local/nginx/conf/htpasswd;
include /usr/local/nginx/conf/php.conf;
}Glockie
Well-known member
It does now
Code:location ~ ^/(admin.php) { auth_basic "Private"; auth_basic_user_file /usr/local/nginx/conf/htpasswd; include /usr/local/nginx/conf/php.conf; }
Seriously ?
And this is why anyone who needs a server admin, needs to be with you...
Matt you've made my day as I was ready to kill my PC
EDIT:
I see now my errors;
my config -
Code:
location = /admin.php {
auth_basic "Staff Only";
auth_basic_user_file /home/nginx/domains/mysite.com/private/adminaccess/.htpasswd;
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
include fastcgi_params;
}location = / admin.php
Yours is so simple;
location ~ ^/(admin.php) {
I signed up to Nginx own tutorials and server sheets a few weeks back, maybe I should try and read more...
Attachments
Last edited:
SneakyDave
Well-known member
You're trying to protect the install directory, not the admin.php file?
maszd
Well-known member
i already protect admin.php file and need to protect install folder too, its unnecessary protect install folder if admin.php already protected?
Similar threads
