IPS4 on CENTMIN MOD / vhost Creation


The one listed is the current version.  I have updated the vhost file to limit the

limit_conn limit_per_ip 16;

for the entire site except for the admin area, but I haven't tested it yet.  I had to add a section in the nginx.conf file to prohibit only that directory.

Currently, my local Centminmod testing server is down.  I expect to have it back up and running with PHP7 over the weekend.

How is everything working with PHP7?  Any issues?

15 hours ago, maidos said:

What does this actually do, since even without it the board can still access that JS just fine?


# Allow access to JS file
    location ~ ^/(applications/core/interface/js/js.php) {
        include /usr/local/nginx/conf/php.conf;
        allow     all;
    }

I had an issue with the block manager in the front-end of the site.  Without that location, the block manager wouldn't work for me.

Also, that was changed to this:

# Allow access to JS file
    location ^~ /applications/core/interface/js/js.php {
        include /usr/local/nginx/conf/php.conf;
        allow  all;
    }

and image proxy was added.  Since I can't update the OP of this thread, the changes are posted farther down in the thread.


2 minutes ago, maidos said:

@Bluto would you consider using the add_header config to improve the security overall?

https://gist.github.com/plentz/6737338

You mean this, which is already included?

# Mozilla Recommended
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers   on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header  X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;
    ssl_buffer_size 1400;
    ssl_session_tickets on;

 


Just now, maidos said:

Sorry, I need to rephrase that: do I need to add it to improve security? I don't use Centminmod; instead I use DirectAdmin. Would this still work for my server?

I have no idea what directadmin is doing and I wouldn't want to recommend you something and then have it break your site.  

This thread is specifically focused on Centminmod.  Unless you need some sort of GUI to run your server, I would highly suggest you take a look at Centminmod... it's actually quite simple to use.


what about add_header X-XSS-Protection "1; mode=block";

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

 


1 minute ago, maidos said:

what about add_header X-XSS-Protection "1; mode=block";

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

Are we talking about Centminmod or general Nginx?  If it's not related to Centminmod, I would kindly ask you to start another thread for your specific setup.

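An added example for the add_header discussion above; this is not code from Bluto's vhost, from Centminmod or from the gist maidos linked. The file name headers.conf, the domain and the static-file extension list are assumptions; the other paths follow the Centminmod layout used in this thread. The point it makes is the nginx rule that trips most people who paste header lines into a server block: add_header is inherited from the enclosing level only when the current level sets no add_header of its own, so a static-file location that sets Cache-Control silently drops HSTS and the rest for every asset it serves.

```nginx
# /usr/local/nginx/conf/headers.conf   (added example; file name is assumed)
#
# "always" also attaches the headers to 4xx/5xx responses (nginx 1.7.5+);
# without it a 404 or 500 goes out with no HSTS at all.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options    "nosniff" always;
# DENY, as used earlier in this thread, also stops the site from framing its
# own pages; SAMEORIGIN keeps the clickjacking protection without that side effect.
add_header X-Frame-Options           "SAMEORIGIN" always;
add_header Referrer-Policy           "strict-origin-when-cross-origin" always;
# Roll CSP out in report-only mode first.  A policy whose script-src carries
# 'unsafe-inline' and 'unsafe-eval' (which the IPS editor needs) does not stop
# injected scripts; it only restricts where external scripts may load from.
add_header Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; frame-ancestors 'self'" always;

# /usr/local/nginx/conf/conf.d/example.com.ssl.conf   (domain assumed)
server {
    listen 443 ssl http2;
    server_name example.com;
    root /home/nginx/domains/example.com/public;

    # ssl_certificate, ssl_certificate_key, ssl_dhparam and the protocol /
    # cipher settings stay exactly as in the vhost posted in this thread.

    include /usr/local/nginx/conf/headers.conf;

    # This location sets its own add_header (Cache-Control), so nothing set
    # at server level is inherited here.  Without the second include every
    # .css/.js/.png/.woff response leaves the host without HSTS.
    location ~* \.(css|js|png|jpe?g|gif|svg|ico|woff2?)$ {
        expires max;
        add_header Cache-Control "public";
        include /usr/local/nginx/conf/headers.conf;
    }

    location / {
        try_files $uri $uri/ /index.php;
    }

    include /usr/local/nginx/conf/php.conf;
}
```

Check it from outside with `curl -sI https://example.com/path/to/some.css | grep -i strict-transport`; a header present on `/` but missing on the stylesheet is the inheritance rule at work, not a typo. Two further cautions on the values seen in this thread: the `preload` token (used in the microcache config further down) commits the domain to the browser preload list and is only accepted there with includeSubDomains and a max-age of at least one year, so it does not belong on a 180-day policy; and X-XSS-Protection is moot here because, as the same config notes, IPS itself sends `X-XSS-Protection: 0`.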

I have configured microcaching.

nginx.conf

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nobody;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections	1024;
    use	epoll;
    multi_accept	on;
}

http {
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile            	on;
    tcp_nopush          	on;
    tcp_nodelay         	on;
    keepalive_timeout   	30;
    reset_timedout_connection	on;
    keepalive_requests		100000;
    types_hash_max_size 	2048;

#    client_body_buffer_size	10K;
#    client_header_buffer_size	1k;
    client_max_body_size	500m;
#    large_client_header_buffers	2 1k;
    client_body_timeout		5s;
    client_header_timeout	5s;

    open_file_cache		max=50000 inactive=20s;
    open_file_cache_valid	30s;
    open_file_cache_min_uses	2;
    open_file_cache_errors	on;

    fastcgi_cache_path		/datadrive/cache levels=1:2 keys_zone=mods:40m max_size=10m inactive=60m use_temp_path=off;
    fastcgi_temp_path		/datadrive/tmp;

    #limit_conn_zone	$binary_remote_addr zone=conn_limit_per_ip:10m;
    #limit_req_zone	$binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;

    map $http_cookie $no_cache_cookie {
        default		0;
        ~IPS_member_id	1;
        ~noCache	1;
    }

    map $request_method $no_cache_method {
        default		0;
        GET		0;
        HEAD		1;
        POST		1;
    }

    map $no_cache_cookie$no_cache_method $no_cache {
        default		1;
        00		0;
    }

    include             mime.types;
    include             gzip.conf;
#    include             pagespeed.conf;	
    include             blockip.conf;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    index  index.php index.htm index.html;
    include /etc/nginx/conf.d/*.conf;

    server_tokens off;
}

gzip.conf

gzip			on; 
gzip_http_version	1.1; 
gzip_disable		msie6; 
gzip_comp_level		3; 
#gzip_static		on;
gzip_proxied		expired no-cache no-store private auth; 
gzip_vary		on; 
gzip_buffers		16 8k; 
gzip_min_length		1100; 
#gzip_types		text/plain text/xml text/css application/xml application/xhtml+xml application/rss+xml application/atom_xml application/javascript application/x-javascript;
gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
  # text/html is always compressed by HttpGzipModule

conf.d/mods.conf

server {
	server_name "";
	return	500;
}

server {
	server_name  xxxxxxx.com www.xxxxxxx.com;
	return       301 https://xxxxxxx.com$request_uri;
}

server {
	listen	443 ssl http2;
	charset utf-8;
	root   /datadrive/www/mods;

	ssl	on;
	ssl_certificate	/etc/nginx/conf.d/xxxxxxx.com.crt;
	ssl_certificate_key	/etc/nginx/conf.d/xxxxxxx.com.key;
	ssl_session_timeout	1d;
	ssl_session_cache	shared:SSL:30m;

	ssl_session_ticket_key	/etc/nginx/conf.d/xxxxxxx.com.tls_session_ticket.key;
	ssl_session_tickets	on;

	ssl_dhparam	/etc/nginx/conf.d/xxxxxxx.com.pem;

	ssl_protocols	TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers	'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers	on;

#	ssl_stapling	on;
#	ssl_stapling_verify	on;

#	ssl_trusted_certificate	/etc/nginx/conf.d/sinomod.com-complete.crt;
#	resolver	8.8.4.4 8.8.8.8 valid=300s;

	add_header	Strict-Transport-Security	"max-age=15552000; includeSubDomains; preload";
	add_header	X-Content-Type-Options		nosniff;
	# Limited by IPS as it adds X-XSS-Protection = 0: This is so when we post contents with scripts (which is possible in the editor, like when embedding a Twitter tweet) the broswer doesn't block it
#	add_header	X-XSS-Protection		'1; mode=block';
#	add_header	Content-Security-Policy		"upgrade-insecure-requests" always;
	add_header	X-Micro-Cache			$upstream_cache_status;
	
	# Set up rewrite rules.
	location / {
		try_files	$uri	$uri/	/index.php;
	}

	# Deny access to hidden files
	location ~ /\. {
		access_log	off;
		log_not_found	off;
		deny	all;
	}

	# Mask fake admin directory
	location ~ ^/admin/(.*)$ {
		deny	all;
	}
	
	# IP.Board PHP/CGI Protection
	location ~ ^(/datastore/).*(.php)$ {
		deny	all;
	}
	
	location ~ ^(/downloads/).*(.php)$ {
		deny	all;
	}

	location ~ ^(/plugins/).*(.php)$ {
		deny	all;
	}
	
	location ~ ^(/screenshots/).*(.php)$ {
		deny	all;
	}

	location ~ ^(/uploads/).*(.php)$ {
		deny	all;
	}

	# Prevent clients from accessing to backup/config/source files
	location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
		deny all;
	}
	
	location = /favicon.ico {
		log_not_found off;
		access_log off;
	}

	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

	# Cache static files
	location ~ \.(css|htc|js|js2|js3|js4|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|swf|tar|tif|tiff|ttf|woff|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip|CSS|HTC|JS|JS2|JS3|JS4|ASF|ASX|WAX|WMV|WMX|AVI|BMP|CLASS|DIVX|DOC|DOCX|EOT|EXE|GIF|GZ|GZIP|ICO|JPG|JPEG|JPE|JSON|MDB|MID|MIDI|MOV|QT|MP3|M4A|MP4|M4V|MPEG|MPG|MPE|MPP|OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|PDF|PNG|POT|PPS|PPT|PPTX|RA|RAM|SWF|TAR|TIF|TIFF|TTF|TTC|WAV|WMA|WRI|XLA|XLS|XLSX|XLT|XLW|ZIP|WOFF)$ {
		expires max;
		add_header Pragma "public";
		add_header Cache-Control "public";
		access_log off;
		log_not_found	off;
		tcp_nodelay off;
	}

	location ~ \.(html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|HTML|HTM|RTF|RTX|SVG|SVGZ|TXT|XSD|XSL)$ {
		expires 1h;
		add_header Pragma "public";
		add_header Cache-Control "public";
		access_log off;
		log_not_found	off;
		tcp_nodelay off;
	}
	
	# Ensure requests for pagespeed optimized resources go to the pagespeed handler
	# and no extraneous headers get set.
#	location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
#		add_header "" 		
#	location ~ "^/pagespeed_static/" { }

#	location ~ "^/ngx_pagespeed_beacon$" { }

#	location /ngx_pagespeed_statistics { allow 175.43.189.136; deny all; }

#	location /ngx_pagespeed_global_statistics { allow 175.43.189.136; deny all; }

#	location /ngx_pagespeed_message { allow 175.43.189.136; deny all; }

#	location /pagespeed_console { allow 175.43.189.136; deny all; }

#	location /pagespeed_admin { allow 175.43.189.136; deny all; }
	
#	location /pagespeed_global_admin { allow 175.43.189.136; deny all; }

	# Pass PHP scripts to php-fpm
	location ~ \.php$ {
		try_files	$uri	=404;

		#limit_conn	conn_limit_per_ip 20;
		#limit_req	zone=req_limit_per_ip burst=50 nodelay;

		fastcgi_pass	unix:/var/run/php-fpm/mods.sock;
		fastcgi_index	index.php;
		fastcgi_buffers	256 4k;
		fastcgi_buffer_size	128k;
		fastcgi_busy_buffers_size	256k;
		fastcgi_temp_file_write_size	256k;
		fastcgi_read_timeout 14400;
		fastcgi_intercept_errors on;
		fastcgi_keep_conn on; # keep alive to the FCGI upstream
		#fastcgi_param	SCRIPT_FILENAME	$document_root$fastcgi_script_name;
		#include		/etc/nginx/fastcgi_params;
		include		/etc/nginx/fastcgi.conf;

		#fastcgi_cache_key		$cookie_IPS_language$cookie_IPS_ipsTimezone$host$request_uri;
		fastcgi_cache_key		"$host$request_uri $cookie_IPS_IPSSessionFront";
		fastcgi_cache	mods;
		fastcgi_cache_bypass		$no_cache;
		fastcgi_no_cache		$no_cache;
		fastcgi_cache_valid		200 302 15m;
		fastcgi_cache_valid		301 1d;
		fastcgi_cache_valid		404 5m;
		fastcgi_cache_valid		403 5m;
		fastcgi_cache_valid		any 15m;
		fastcgi_ignore_headers		Cache-Control Expires Set-Cookie;

		fastcgi_cache_revalidate	on;
		#fastcgi_cache_min_uses		3;
		fastcgi_cache_use_stale		error timeout invalid_header updating http_500;
		fastcgi_cache_lock		on;
		expires		epoch;
	}
}

I also have guest caching enabled, so the first time guests get the page cached by IPS; the second time they can get the page cached by nginx.

I am a noob to nginx, so any advice is appreciated.

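An added example for the microcache location in the post above; it is not icedream's configuration and not a Centminmod file. The zone name `mods`, the php-fpm socket path and the IPS cookie names are taken from that post; the cache path size and the timings are assumptions. It keeps the same bypass logic but changes the two settings that matter for a shared cache: it stops ignoring Set-Cookie, and it no longer keys the cache on the session cookie.

```nginx
# Added example, not the posted config.

# --- http { } ---
fastcgi_cache_path /datadrive/cache levels=1:2 keys_zone=mods:40m
                   max_size=1g inactive=60m use_temp_path=off;

# Any cookie that marks a member, or an explicit no-cache marker,
# disables the cache for that client.
map $http_cookie $no_cache_cookie {
    default         0;
    ~IPS_member_id  1;
    ~noCache        1;
}

# Only idempotent methods are ever stored in or served from the cache.
map $request_method $no_cache_method {
    default  1;
    GET      0;
    HEAD     0;
}

map $no_cache_cookie$no_cache_method $no_cache {
    default  1;
    00       0;
}

# --- server { } ---
# Exposes HIT / MISS / BYPASS / EXPIRED so the cache can be checked with curl.
add_header X-Micro-Cache $upstream_cache_status;

location ~ \.php$ {
    try_files    $uri =404;
    include      /etc/nginx/fastcgi.conf;
    fastcgi_pass unix:/var/run/php-fpm/mods.sock;

    fastcgi_cache        mods;
    # Guests share one entry per page.  Keying on the session cookie, as the
    # posted config does, gives every visitor a private copy and wastes the
    # zone; the language/timezone cookies are what actually vary guest output.
    fastcgi_cache_key    "$scheme$host$request_uri$cookie_IPS_language$cookie_IPS_ipsTimezone";
    fastcgi_cache_bypass $no_cache;
    fastcgi_no_cache     $no_cache;
    fastcgi_cache_valid  200 301 302 15m;
    fastcgi_cache_valid  404 5m;
    fastcgi_cache_lock   on;
    fastcgi_cache_use_stale error timeout updating;

    # Set-Cookie is deliberately NOT in this list.  nginx refuses to cache a
    # response that carries Set-Cookie unless told to ignore the header; the
    # posted config ignores it, which stores a response that opens a session
    # and replays it, cookie included, to the next anonymous visitor with the
    # same key.  Cache-Control and Expires are ignored so upstream no-cache
    # headers do not defeat the microcache for guest pages.
    fastcgi_ignore_headers Cache-Control Expires;
}
```

Verify with two anonymous requests: `curl -sI https://host/ | grep X-Micro-Cache` should show MISS then HIT, a request with an `IPS_member_id` cookie should show BYPASS, and a page that sets a cookie should never show HIT.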

@icedream are you using CENTMINMOD for your setup?

Guys, if you want to talk about customizing CENTMINMOD vhost file awesome!

If you want to talk about general NON-CENTMINMOD Nginx configs, please create another thread.

This thread is specifically for people who are using CENTMINMOD.  Though I'm a big supporter of Nginx in general, posting other configurations for non-CENTMINMOD setups might confuse someone who is using CENTMINMOD.  Your vhost file is completely different from the standard CENTMINMOD configuration files.

I encourage you to START ANOTHER NGINX THREAD.  There are far too few Nginx threads on this forum.


On 12/5/2015 at 7:40 PM, Bluto said:

The one listed is the current version.  I have updated the vhost file to limit the


limit_conn limit_per_ip 16;

for the entire site except for the admin area, but I haven't tested it yet.  I had to add a section in the nginx.conf file to prohibit only that directory.

Currently, my local Centminmod testing server is down.  I expect to have it back up and running with PHP7 over the weekend.

How is everything working with PHP7?  Any issues?

Be aware, you may end up with some issues with graphics not displaying (especially if using the Gallery).  I had mine set at 20, and kept noticing that not all the images would display.  I'd have to refresh (sometimes twice) to get them all to display.  Upon checking my error log for the vhost, I saw that I was getting too many concurrent connections from my home IP (and that IP is whitelisted in CSF so I know the issue wasn't there since I also throttle somewhat in its config also).  I finally disabled that function and do most of the throttling at the firewall that I need to do.

 


4 hours ago, Tracy Perry said:

Be aware, you may end up with some issues with graphics not displaying (especially if using the Gallery).  I had mine set at 20, and kept noticing that not all the images would display.  I'd have to refresh (sometimes twice) to get them all to display.  Upon checking my error log for the vhost, I saw that I was getting too many concurrent connections from my home IP (and that IP is whitelisted in CSF so I know the issue wasn't there since I also throttle somewhat in its config also).  I finally disabled that function and do most of the throttling at the firewall that I need to do.

 

Good to know.  I actually added some code in the nginx.conf file so that the limit wouldn't apply to the admin folder.  Maybe I can adjust that for the gallery.  I'll do some tests (I have gallery also) and post my results.

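The limit_conn layout Bluto describes (one limit for the whole site, with the admin directory exempted through a section in nginx.conf) written out as an added example; this is not the posted vhost. The map approach follows the `$limitconn_map` hint in the 12-17-2015 config later in this thread, the `/spanky/` directory and the 10.0.0.245 address are taken from that config, and the `/gallery/` prefix is an assumption. The HTTP/2 note explains the image-loading failures Tracy Perry reports and why a per-directory exemption for the gallery is the right knob.

```nginx
# nginx.conf, inside http { }   (added example, not the thread's vhost)
#
# limit_conn keys each connection by the value of this map.  nginx does not
# count a request whose key is the empty string, so mapping the exempt
# prefixes to "" lifts the limit for those paths only.  $uri is the
# normalised path; keying on $request_uri would let "/spanky/../index.php"
# claim the exemption while actually hitting index.php.
map $uri $limitconn_map {
    default        $binary_remote_addr;
    ~^/spanky/     "";   # real admin directory, renamed from /admin/ in the vhost
    ~^/gallery/    "";   # assumed gallery prefix; a gallery page fetches many images at once
}

limit_conn_zone      $limitconn_map zone=limit_per_ip:16m;
limit_conn_log_level warn;   # "limiting connections by zone" lines land in the vhost error_log
limit_conn_status    429;    # default is 503, which monitoring may misread as an outage

# vhost, inside server { }   (domain assumed)
server {
    listen 443 ssl http2;
    server_name example.com;

    # 16 is the value Bluto mentions.  Under HTTP/2 nginx counts every
    # concurrent stream as a separate connection for limit_conn, so one
    # browser tab loading a gallery can trip this on its own.
    limit_conn limit_per_ip 16;

    # Real admin directory: IP-restricted, so the exemption above cannot be
    # used from elsewhere to open unlimited connections.
    location ~ ^/spanky/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
        allow 10.0.0.245;
        deny  all;
    }

    include /usr/local/nginx/conf/php.conf;
}
```

After reloading, watch the vhost error log while loading a gallery page from a single browser; if `limiting connections by zone "limit_per_ip"` still appears for an exempt prefix, the map key is not matching (check the prefix against `$uri`, not the URL bar).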

LATEST UPDATE 12-17-2015

The code has been updated to the latest example.
Added location block for /applications/*/interface/
Re-arranged some location blocks.

# IPB4 Working NGINX site conf file
# This file is for a FORCED SSL site.  Non-SSL requests will be directed to SSL.

# Information gathered from
# Centminmod.com / Information pulled from multiple guides.  Thx eva2000!
# Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.
# Ahmad on the Centminmod forum.
# Base building forum thread:  https://community.centminmod.com/threads/ipb-v4-1-x-files.4922/

# Redirect to HTTPS from port 80
# Redirect from www to non-www with forced SSL
server {
    listen  80;
    server_name 10.0.0.121;
    return 301 https://10.0.0.121$request_uri;
    
    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
}

server {
    listen 443 ssl http2;
    server_name  10.0.0.121;
    root /home/nginx/domains/10.0.0.121/public;
    
    ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
    ssl_certificate      /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
    ssl_certificate_key  /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
    include /usr/local/nginx/conf/ssl_include.conf;
    
    # Mozilla Recommended
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers   on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header  X-Content-Type-Options "nosniff";
    #add_header X-Frame-Options DENY;
    ssl_buffer_size 1400;
    ssl_session_tickets on;

    # ngx_pagespeed & ngx_pagespeed handler
    # include /usr/local/nginx/conf/pagespeed.conf;
    # include /usr/local/nginx/conf/pagespeedhandler.conf;
    # include /usr/local/nginx/conf/pagespeedstatslog.conf;

    # Limit Connections Per IP Address
    # Modified from default to allow Admin directory to have more connections
    # Modified in nginx.conf
    # limit_conn_zone $limitconn_map zone=limit_per_ip:16m;
    
    # ssi  on;

    # Access and Error Logs
    access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
    error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;

    # Prevent access to ./directories and files
    location ~ (?:^|/)\. {
        deny all;
    }

    location / {

        # block common exploits, sql injections etc
        include /usr/local/nginx/conf/block.conf;

        # Enables directory listings when index file not found
        # autoindex  on;

        # Shows file listing times as local time
        autoindex_localtime on;

        try_files    $uri $uri/ /index.php;

    }
    
    location ~^(/page/).*(\.php)$ {
        try_files  $uri $uri/ /index.php;
    }
    
    # Mask fake admin directory
    location ~^/admin/(.*)$ {
        deny all;
    }
    
    # Secure real admin directory
    location ~^(/spanky/).*(\.php) {
        include /usr/local/nginx/conf/php.conf;
        allow           10.0.0.245;
        deny            all;
        #auth_basic     "Restricted Area";
        #auth_basic_user_file /usr/local/nginx/conf/htpasswd;       
    }
    
    # IP.Board PHP/CGI Protection
    
    # Allow access to the interface scripts every application ships.
    # In a regex "/*" means "zero or more slashes", not a wildcard
    # directory, so "[^/]+" is needed to match one path component.  The
    # block must also hand the request to PHP-FPM; with "allow all" alone
    # nginx would serve the script's source as a static file.
    location ~ ^/applications/[^/]+/interface/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
        allow all;
    }
    
    # Allow access to imageproxy
    location ^~ /applications/core/interface/imageproxy/imageproxy.php {
        include /usr/local/nginx/conf/php.conf;
        allow  all;
    }

    # Allow access to JS file
    location ^~ /applications/core/interface/js/js.php {
        include /usr/local/nginx/conf/php.conf;
        allow  all;
    }
    
    location ~^(/uploads/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/system/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/datastore/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/plugins/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/blog/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/calendar/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/chat/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/cms/).*(\.php)$ {
        deny     all;
    }  

    location ~^(/applications/core/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/downloads/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/forums/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/gallery/).*(\.php)$ {
        deny     all;
    }
    
    location ~^(/applications/nexus/).*(\.php)$ {
        deny     all;
    }   

    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_server.conf;
}

 


Hi, this guide is awesome. I use Centminmod but I have one problem: when I try to upgrade my board, it asks me for an FTP / FTP with SSL / SFTP login from the Admin CP.

With SFTP mode I receive this error:

"Your server does not support using SSL-FTP. Please contact your hosting provider to ask for PHP OpenSSL extension to be enabled or use a different protocol."

Instead, with FTP with SSL I receive this error:

"Could not move into the directory specified. Check the directory is correct and the user provided has permission to access it." (The FTP with TLS login works perfectly; tested in FileZilla.)

How can I fix it?

I tried the same upgrade procedure on shared hosting; there the "FTP details" step was skipped and the upgrade worked fine.

 
