GetSimple CMS with NGINX

Posted by grymsten 
GetSimple CMS with NGINX
December 06, 2014 04:09PM
Hi,
I'm trying to secure GetSimple CMS, but I'm not able to disallow the download of files in the /admin/ folder, when using tools like curl or wget.

---------------------------
The server runs archlinux with php-fpm.

server configuration block in nginx.conf:
server {
    index index.php index.html index.htm;
    server_name example.com;
    listen 80;
    root /path/to/getsimplecms;
    include php.conf;
    # Stop deep linking or hot linking (except for own hosts)
    location /uploads/ {
        valid_referers none blocked <some hosts ...>;
        if ($invalid_referer) {
            return 403;
        }
    }
    location ~ \.(xml|xml\.bak)$ {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
    location /admin/ {
        auth_basic "Restricted";
        auth_basic_user_file /path/to/some/htpasswd;
    }
    location = /sitemap.xml {
        allow all;
    }
}

php.conf:
location ~ \.php$ {
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    include fastcgi.conf;
}

fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
---------------------------

auth_basic is working as expected for the /admin/ location, but I can still download files from that folder.

i.e.
$ wget http://example.com/admin/settings.php
--2014-12-06 21:56:06-- http://example.com/admin/settings.php
Resolving example.com (example.com)... XX.XX.XX.XX
Connecting to example.com (example.com)|XX.XX.XX.XX|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: index.php?redirect=/admin/settings.php? [following]
--2014-12-06 21:56:06-- http://example.com/admin/index.php?redirect=/admin/settings.php?
Reusing existing connection to example.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘settings.php’

0K .. 308K=0.009s

2014-12-06 21:56:06 (308 KB/s) - ‘settings.php’ saved [2234]
----

I'm really new to nginx and have already tried different things to prevent "index.php?redirect=/admin/.*\.php" from being processed... but nothing has worked so far, please help!
Re: GetSimple CMS with NGINX
December 07, 2014 05:10AM
Sleeping on it probably helped a bit. I think I found the solution: my mistake was using parts of the configuration blocks from the archlinux.org nginx wiki (the include php.conf line with the php.conf file).

So I removed those and added instead these lines to the server block:
# for php outside admin-folder
location ~ \.php$ {
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    include fastcgi.conf;
}
# for php and protection inside admin folder
location /admin/ {
    auth_basic "Restricted";
    auth_basic_user_file /path/to/some/htpasswd;
    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        include fastcgi.conf;
    }
}
------------
wget now fails with "401 Unauthorized" and no redirect is processed, even if the redirect URI is used directly.

Problem solved :) Next time I should read more carefully how location statements are prioritized.
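The reason the first configuration failed is nginx's location selection order: after the longest matching prefix (/admin/) is remembered, the server-level regex locations are tested in file order, and `~ \.php$` matches /admin/settings.php, so the request is handed to php-fpm with the server-level configuration and never sees auth_basic; nesting a regex location inside /admin/ makes that nested regex win instead. As an added illustration (not part of this thread), the following Python model of that selection order replays both server blocks; the PHP and AUTH dicts are stand-ins for the real fastcgi_pass and auth_basic directives, and php.conf is assumed to contribute its regex location first because it is included before the other locations.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Location:
    modifier: str                     # "", "=", "^~", "~" or "~*"
    pattern: str
    directives: dict = field(default_factory=dict)
    nested: list = field(default_factory=list)

def select(locations, uri, inherited=None):
    """Return (location, effective directives, final). final=False means only a
    prefix matched, so regex locations of the enclosing level may still override."""
    eff = dict(inherited or {})
    for loc in locations:                        # 1. an exact match settles it
        if loc.modifier == "=" and loc.pattern == uri:
            return loc, {**eff, **loc.directives}, True
    prefixes = [l for l in locations if l.modifier in ("", "^~") and uri.startswith(l.pattern)]
    best = max(prefixes, key=lambda l: len(l.pattern), default=None)
    result = (None, eff, False)
    if best is not None:                         # 2. remember the longest prefix ...
        result = (best, {**eff, **best.directives}, False)
        nested = select(best.nested, uri, result[1])   # ... and search inside it
        if nested[2]:
            return nested
        if nested[0] is not None:
            result = nested
        if best.modifier == "^~":                # ^~ disables the regex search below
            return result
    for loc in locations:                        # 3. first matching regex, in file order
        flags = re.IGNORECASE if loc.modifier == "~*" else 0
        if loc.modifier in ("~", "~*") and re.search(loc.pattern, uri, flags):
            chosen = (loc, {**eff, **loc.directives}, True)
            nested = select(loc.nested, uri, chosen[1])
            return (nested[0], nested[1], True) if nested[0] is not None else chosen
    return result                                # 4. otherwise the longest prefix

def effective_directives(locations, uri):
    return select(locations, uri)[1]

PHP = {"handler": "php-fpm"}                     # stands for the fastcgi_pass block
AUTH = {"auth_basic": "Restricted"}
# Original server block: php.conf's regex location is included before the others.
BEFORE = [Location("~", r"\.php$", PHP), Location("", "/uploads/"),
          Location("~", r"/\.", {"access": "deny"}),
          Location("", "/admin/", AUTH), Location("=", "/sitemap.xml", {"access": "allow"})]
# Fixed server block from the reply: the PHP regex is repeated inside /admin/.
AFTER = [Location("~", r"\.php$", PHP),
         Location("", "/admin/", AUTH, nested=[Location("~", r"\.php$", PHP)])]
```

With BEFORE, effective_directives(BEFORE, "/admin/settings.php") carries only the PHP handler and no auth_basic, while a static file such as /admin/style.css does get auth_basic, which is exactly the behaviour seen in the wget output; with AFTER, the nested regex returns both. Check the live configuration with `nginx -T` rather than trusting the model for anything beyond these modifiers.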