Bluto (Author), posted December 5, 2015

The one listed is the current version. I have updated the vhost file to limit the limit_conn limit_per_ip 16; for the entire site except for the admin area, but I haven't tested it yet. I had to add a section in the nginx.conf file to prohibit only that directory. Currently, my local Centminmod testing server is down. I expect to have it back up and running with PHP7 over the weekend. How is everything working with PHP7? Any issues?

sasiko, posted December 5, 2015

What does this actually do, since even without it the board can still access that JS just fine?

    # Allow access to JS file
    location ~^/(applications/core/interface/js/js.php) {
        include /usr/local/nginx/conf/php.conf;
        allow all;
    }

Gary_J_Wright, posted December 5, 2015

My PHP 7.0.0 is just a test, but it seems to work fine so far. I'm not actually able to check now till Monday, as I've got my kids this weekend.

Bluto (Author), posted December 6, 2015

15 hours ago, maidos said:
> What does this actually do, since even without it the board can still access that JS just fine?
>
>     # Allow access to JS file
>     location ~^/(applications/core/interface/js/js.php) {
>         include /usr/local/nginx/conf/php.conf;
>         allow all;
>     }

I had an issue with the block manager in the front-end of the site. Without that location, the block manager wouldn't work for me. Also, that was changed to this:

    # Allow access to JS file
    location ^~ /applications/core/interface/js/js.php {
        include /usr/local/nginx/conf/php.conf;
        allow all;
    }

and image proxy was added. Since I can't update the OP of this thread, the changes are posted farther down in the thread.

sasiko, posted December 8, 2015

@Bluto would you consider using the add_header config to improve the security overall? https://gist.github.com/plentz/6737338

Bluto (Author), posted December 8, 2015

2 minutes ago, maidos said:
> @Bluto would you consider using the add_header config to improve the security overall? https://gist.github.com/plentz/6737338

You mean this, which is already included?

    # Mozilla Recommended
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;
    ssl_buffer_size 1400;
    ssl_session_tickets on;

sasiko, posted December 8, 2015

Sorry, I need to rephrase that: do I need to add it to improve security? I don't use Centminmod; I use DirectAdmin instead. Would this still work for my server?

Bluto (Author), posted December 8, 2015

Just now, maidos said:
> Sorry, I need to rephrase that: do I need to add it to improve security? I don't use Centminmod; I use DirectAdmin instead. Would this still work for my server?

I have no idea what DirectAdmin is doing and I wouldn't want to recommend you something and then have it break your site. This thread is specifically focused on Centminmod. Unless you need some sort of GUI to run your server, I would highly suggest you take a look at Centminmod... it's actually quite simple to use.

sasiko, posted December 8, 2015

What about:

    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

Bluto (Author), posted December 8, 2015

1 minute ago, maidos said:
> What about:
>
>     add_header X-XSS-Protection "1; mode=block";
>     add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

Are we talking about Centminmod or general Nginx? If it's not related to Centminmod, I would kindly ask you to start another thread for your specific setup.

RevengeFNF, posted December 12, 2015

@Bluto have you tried using Nginx Microcache with IPS4?

Bluto (Author), posted December 12, 2015

2 hours ago, RevengeFNF said:
> @Bluto have you tried using Nginx Microcache with IPS4?

I haven't specifically set it up for my local install, but it might be included in Centminmod. I'll have to check.

icedream, posted December 13, 2015

I have configured microcache.

nginx.conf

    # For more information on configuration, see:
    #   * Official English Documentation: http://nginx.org/en/docs/
    #   * Official Russian Documentation: http://nginx.org/ru/docs/

    user nobody;
    worker_processes 1;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    events {
        worker_connections 1024;
        use epoll;
        multi_accept on;
    }

    http {
        #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
        #                '$status $body_bytes_sent "$http_referer" '
        #                '"$http_user_agent" "$http_x_forwarded_for"';
        #access_log /var/log/nginx/access.log main;

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 30;
        reset_timedout_connection on;
        keepalive_requests 100000;
        types_hash_max_size 2048;
        # client_body_buffer_size 10K;
        # client_header_buffer_size 1k;
        client_max_body_size 500m;
        # large_client_header_buffers 2 1k;
        client_body_timeout 5s;
        client_header_timeout 5s;
        open_file_cache max=50000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        fastcgi_cache_path /datadrive/cache levels=1:2 keys_zone=mods:40m max_size=10m inactive=60m use_temp_path=off;
        fastcgi_temp_path /datadrive/tmp;

        #limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
        #limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=50r/s;

        map $http_cookie $no_cache_cookie {
            default 0;
            ~IPS_member_id 1;
            ~noCache 1;
        }

        map $request_method $no_cache_method {
            default 0;
            GET 0;
            HEAD 1;
            POST 1;
        }

        map $no_cache_cookie$no_cache_method $no_cache {
            default 1;
            00 0;
        }

        include mime.types;
        include gzip.conf;
        # include pagespeed.conf;
        include blockip.conf;
        default_type application/octet-stream;

        # Load modular configuration files from the /etc/nginx/conf.d directory.
        # See http://nginx.org/en/docs/ngx_core_module.html#include
        # for more information.
        index index.php index.htm index.html;
        include /etc/nginx/conf.d/*.conf;
        server_tokens off;
    }

gzip.conf

    gzip on;
    gzip_http_version 1.1;
    gzip_disable msie6;
    gzip_comp_level 3;
    #gzip_static on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_vary on;
    gzip_buffers 16 8k;
    gzip_min_length 1100;
    #gzip_types text/plain text/xml text/css application/xml application/xhtml+xml application/rss+xml application/atom_xml application/javascript application/x-javascript;
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
    # text/html is always compressed by HttpGzipModule

conf.d/mods.conf

    server {
        server_name "";
        return 500;
    }

    server {
        server_name xxxxxxx.com www.xxxxxxx.com;
        return 301 https://xxxxxxx.com$request_uri;
    }

    server {
        listen 443 ssl http2;
        charset utf-8;
        root /datadrive/www/mods;

        ssl on;
        ssl_certificate /etc/nginx/conf.d/xxxxxxx.com.crt;
        ssl_certificate_key /etc/nginx/conf.d/xxxxxxx.com.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:30m;
        ssl_session_ticket_key /etc/nginx/conf.d/xxxxxxx.com.tls_session_ticket.key;
        ssl_session_tickets on;
        ssl_dhparam /etc/nginx/conf.d/xxxxxxx.com.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        # ssl_stapling on;
        # ssl_stapling_verify on;
        # ssl_trusted_certificate /etc/nginx/conf.d/sinomod.com-complete.crt;
        # resolver 8.8.4.4 8.8.8.8 valid=300s;

        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload";
        add_header X-Content-Type-Options nosniff;
        # Limited by IPS as it adds X-XSS-Protection = 0: This is so when we post contents with scripts (which is possible in the editor, like when embedding a Twitter tweet) the browser doesn't block it
        # add_header X-XSS-Protection '1; mode=block';
        # add_header Content-Security-Policy "upgrade-insecure-requests" always;
        add_header X-Micro-Cache $upstream_cache_status;

        # Set up rewrite rules.
        location / {
            try_files $uri $uri/ /index.php;
        }

        # Deny access to hidden files
        location ~ /\. {
            access_log off;
            log_not_found off;
            deny all;
        }

        # Mask fake admin directory
        location ~ ^/admin/(.*)$ {
            deny all;
        }

        # IP.Board PHP/CGI Protection
        location ~ ^(/datastore/).*(.php)$ {
            deny all;
        }
        location ~ ^(/downloads/).*(.php)$ {
            deny all;
        }
        location ~ ^(/plugins/).*(.php)$ {
            deny all;
        }
        location ~ ^(/screenshots/).*(.php)$ {
            deny all;
        }
        location ~ ^(/uploads/).*(.php)$ {
            deny all;
        }

        # Prevent clients from accessing to backup/config/source files
        location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
            deny all;
        }

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Cache static files
        location ~ \.(css|htc|js|js2|js3|js4|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|swf|tar|tif|tiff|ttf|woff|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip|CSS|HTC|JS|JS2|JS3|JS4|ASF|ASX|WAX|WMV|WMX|AVI|BMP|CLASS|DIVX|DOC|DOCX|EOT|EXE|GIF|GZ|GZIP|ICO|JPG|JPEG|JPE|JSON|MDB|MID|MIDI|MOV|QT|MP3|M4A|MP4|M4V|MPEG|MPG|MPE|MPP|OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|PDF|PNG|POT|PPS|PPT|PPTX|RA|RAM|SWF|TAR|TIF|TIFF|TTF|TTC|WAV|WMA|WRI|XLA|XLS|XLSX|XLT|XLW|ZIP|WOFF)$ {
            expires max;
            add_header Pragma "public";
            add_header Cache-Control "public";
            access_log off;
            log_not_found off;
            tcp_nodelay off;
        }

        location ~ \.(html|htm|rtf|rtx|svg|svgz|txt|xsd|xsl|HTML|HTM|RTF|RTX|SVG|SVGZ|TXT|XSD|XSL)$ {
            expires 1h;
            add_header Pragma "public";
            add_header Cache-Control "public";
            access_log off;
            log_not_found off;
            tcp_nodelay off;
        }

        # Ensure requests for pagespeed optimized resources go to the pagespeed handler
        # and no extraneous headers get set.
        # location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
        # add_header ""
        # location ~ "^/pagespeed_static/" { }
        # location ~ "^/ngx_pagespeed_beacon$" { }
        # location /ngx_pagespeed_statistics { allow 175.43.189.136; deny all; }
        # location /ngx_pagespeed_global_statistics { allow 175.43.189.136; deny all; }
        # location /ngx_pagespeed_message { allow 175.43.189.136; deny all; }
        # location /pagespeed_console { allow 175.43.189.136; deny all; }
        # location /pagespeed_admin { allow 175.43.189.136; deny all; }
        # location /pagespeed_global_admin { allow 175.43.189.136; deny all; }

        # Pass PHP scripts to php-fpm
        location ~ \.php$ {
            try_files $uri =404;
            #limit_conn conn_limit_per_ip 20;
            #limit_req zone=req_limit_per_ip burst=50 nodelay;
            fastcgi_pass unix:/var/run/php-fpm/mods.sock;
            fastcgi_index index.php;
            fastcgi_buffers 256 4k;
            fastcgi_buffer_size 128k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_read_timeout 14400;
            fastcgi_intercept_errors on;
            fastcgi_keep_conn on; # keep alive to the FCGI upstream
            #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            #include /etc/nginx/fastcgi_params;
            include /etc/nginx/fastcgi.conf;

            #fastcgi_cache_key $cookie_IPS_language$cookie_IPS_ipsTimezone$host$request_uri;
            fastcgi_cache_key "$host$request_uri $cookie_IPS_IPSSessionFront";
            fastcgi_cache mods;
            fastcgi_cache_bypass $no_cache;
            fastcgi_no_cache $no_cache;
            fastcgi_cache_valid 200 302 15m;
            fastcgi_cache_valid 301 1d;
            fastcgi_cache_valid 404 5m;
            fastcgi_cache_valid 403 5m;
            fastcgi_cache_valid any 15m;
            fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
            fastcgi_cache_revalidate on;
            #fastcgi_cache_min_uses 3;
            fastcgi_cache_use_stale error timeout invalid_header updating http_500;
            fastcgi_cache_lock on;
            expires epoch;
        }
    }

I have also enabled guest cache, so the first time guests will get a cached page from IPS, and the second time they can get a cached page from nginx. I am a noob to nginx, so any advice is appreciated.

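An added example, not part of icedream's post: a small Python model of the cache decision made by the three `map` blocks, the `fastcgi_cache_key` and the `fastcgi_ignore_headers ... Set-Cookie` line in the config above. The host name, the URIs and the backend that issues a session cookie to any cookie-less request are constructed assumptions of this example; cache expiry is not modelled.

```python
import re


def cookie_value(cookie_header, name):
    """Value of one cookie from a Cookie header, or "" (like nginx's $cookie_NAME)."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


def no_cache(method, cookie_header):
    """Evaluate the three map blocks from nginx.conf; 1 means bypass the cache."""
    # map $http_cookie $no_cache_cookie: regexes are tried against the whole header
    cookie_flag = "1" if re.search(r"IPS_member_id|noCache", cookie_header) else "0"
    # map $request_method $no_cache_method
    method_flag = {"GET": "0", "HEAD": "1", "POST": "1"}.get(method, "0")
    # map $no_cache_cookie$no_cache_method $no_cache: only "00" is cacheable
    return 0 if cookie_flag + method_flag == "00" else 1


def cache_key(host, uri, cookie_header):
    """fastcgi_cache_key "$host$request_uri $cookie_IPS_IPSSessionFront"."""
    return f"{host}{uri} {cookie_value(cookie_header, 'IPS_IPSSessionFront')}"


class MicroCache:
    """Stores whole responses, headers included. Set-Cookie is listed in
    fastcgi_ignore_headers and nothing hides it, so it is stored and replayed."""

    def __init__(self, backend):
        self.backend = backend
        self.store = {}

    def fetch(self, method, host, uri, cookie_header=""):
        if no_cache(method, cookie_header):
            return "BYPASS", self.backend(cookie_header)
        key = cache_key(host, uri, cookie_header)
        if key in self.store:
            return "HIT", self.store[key]
        self.store[key] = self.backend(cookie_header)
        return "MISS", self.store[key]


def make_backend():
    """Constructed stand-in for the forum: issues a new session cookie to any
    request that arrives without one (an assumption of this example)."""
    issued = {"n": 0}

    def backend(cookie_header):
        headers = {}
        if not cookie_value(cookie_header, "IPS_IPSSessionFront"):
            issued["n"] += 1
            headers["Set-Cookie"] = f"IPS_IPSSessionFront=sess{issued['n']}"
        return {"headers": headers, "body": "page"}

    return backend


def demo():
    """Two cookie-less guests, then a logged-in member (constructed requests)."""
    cache = MicroCache(make_backend())
    guest_a = cache.fetch("GET", "forum.example", "/")
    guest_b = cache.fetch("GET", "forum.example", "/")
    member = cache.fetch("GET", "forum.example", "/",
                         "IPS_member_id=7; IPS_IPSSessionFront=abc")
    return guest_a, guest_b, member


if __name__ == "__main__":
    for status, response in demo():
        print(status, response["headers"])
```

Under these assumptions the second guest receives the first guest's stored `Set-Cookie` value from the cache. Dropping `Set-Cookie` from `fastcgi_ignore_headers` restores nginx's default of not caching responses that carry that header.
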
sasiko, posted December 13, 2015

Thanks for sharing the config. Have you noticed less server load, or will microcaching only benefit a busy board?

Bluto (Author), posted December 13, 2015

@icedream are you using CENTMINMOD for your setup? Guys, if you want to talk about customizing the CENTMINMOD vhost file, awesome! If you want to talk about general NON-CENTMINMOD Nginx configs, please create another thread. This thread is specifically for people who are using CENTMINMOD. Though I'm a big supporter of Nginx in general, posting other configurations for non-CENTMINMOD configs might confuse someone who is using CENTMINMOD. Your vhost file is completely different from the standard CENTMINMOD configuration files. I encourage you to START ANOTHER NGINX THREAD. There are far too few Nginx threads on this forum.

Tracy Perry, posted December 13, 2015

On 12/5/2015 at 7:40 PM, Bluto said:
> The one listed is the current version. I have updated the vhost file to limit the limit_conn limit_per_ip 16; for the entire site except for the admin area, but I haven't tested it yet. I had to add a section in the nginx.conf file to prohibit only that directory. Currently, my local Centminmod testing server is down. I expect to have it back up and running with PHP7 over the weekend. How is everything working with PHP7? Any issues?

Be aware, you may end up with some issues with graphics not displaying (especially if using the Gallery). I had mine set at 20, and kept noticing that not all the images would display. I'd have to refresh (sometimes twice) to get them all to display. Upon checking my error log for the vhost, I saw that I was getting too many concurrent connections from my home IP (and that IP is whitelisted in CSF, so I know the issue wasn't there, since I also throttle somewhat in its config also). I finally disabled that function and do most of the throttling that I need to do at the firewall.

Bluto (Author), posted December 13, 2015

4 hours ago, Tracy Perry said:
> Be aware, you may end up with some issues with graphics not displaying (especially if using the Gallery). I had mine set at 20, and kept noticing that not all the images would display. I'd have to refresh (sometimes twice) to get them all to display. Upon checking my error log for the vhost, I saw that I was getting too many concurrent connections from my home IP (and that IP is whitelisted in CSF, so I know the issue wasn't there, since I also throttle somewhat in its config also). I finally disabled that function and do most of the throttling that I need to do at the firewall.

Good to know. I actually added some code in the nginx.conf file so that the limit wouldn't apply to the admin folder. Maybe I can adjust that for the gallery. I'll do some tests (I have gallery also) and post my results.

Bluto (Author), posted December 15, 2015

On 12/12/2015 at 8:00 AM, RevengeFNF said:
> @Bluto have you tried using Nginx Microcache with IPS4?

Got a reply back from the CENTMINMOD developer:

> no microcache for IPB

https://community.centminmod.com/posts/22420/

Bluto (Author), posted December 17, 2015

LATEST UPDATE 12-17-2015

The code has been updated to the latest example.
Added location block for /applications/*/interface/
Re-arranged some location blocks.

    # IPB4 Working NGINX site conf file
    # This file is for a FORCED SSL site. Non-SSL requests will be directed to SSL.
    # Information gathered from
    # Centminmod.com / Information pulled from multiple guides. Thx eva2000!
    # Makoto on IPB Forum via https://community.invisionpower.com/topic/384522-how-to-set-up-a-secure-ipboard-installation-with-nginx-and-php-fpm/ version 3.4.8 guide.
    # Ahmad on the Centminmod forum.
    # Base building forum thread: https://community.centminmod.com/threads/ipb-v4-1-x-files.4922/

    # Redirect to HTTPS from port 80
    # Redirect from www to non-www with forced SSL
    server {
        listen 80;
        server_name 10.0.0.121;
        return 301 https://10.0.0.121$request_uri;

        # Access and Error Logs
        access_log /home/nginx/domains/10.0.0.121/log/access_via80.log combined buffer=256k flush=60m;
        error_log /home/nginx/domains/10.0.0.121/log/error_via80.log;
    }

    server {
        listen 443 ssl http2;
        server_name 10.0.0.121;
        root /home/nginx/domains/10.0.0.121/public;

        ssl_dhparam /usr/local/nginx/conf/ssl/10.0.0.121/dhparam.pem;
        ssl_certificate /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/10.0.0.121/10.0.0.121.key;
        include /usr/local/nginx/conf/ssl_include.conf;

        # Mozilla Recommended
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
        add_header X-Content-Type-Options "nosniff";
        #add_header X-Frame-Options DENY;
        ssl_buffer_size 1400;
        ssl_session_tickets on;

        # ngx_pagespeed & ngx_pagespeed handler
        # include /usr/local/nginx/conf/pagespeed.conf;
        # include /usr/local/nginx/conf/pagespeedhandler.conf;
        # include /usr/local/nginx/conf/pagespeedstatslog.conf;

        # Limit Connections Per IP Address
        # Modified from default to allow Admin directory to have more connections
        # Modified in nginx.conf
        # limit_conn_zone $limitconn_map zone=limit_per_ip:16m;

        # ssi on;

        # Access and Error Logs
        access_log /home/nginx/domains/10.0.0.121/log/access_via443.log combined buffer=256k flush=60m;
        error_log /home/nginx/domains/10.0.0.121/log/error_via443.log;

        # Prevent access to ./directories and files
        location ~ (?:^|/)\. {
            deny all;
        }

        location / {
            # block common exploits, sql injections etc
            include /usr/local/nginx/conf/block.conf;

            # Enables directory listings when index file not found
            # autoindex on;

            # Shows file listing times as local time
            autoindex_localtime on;

            try_files $uri $uri/ /index.php;
        }

        location ~^(/page/).*(\.php)$ {
            try_files $uri $uri/ /index.php;
        }

        # Mask fake admin directory
        location ~^/admin/(.*)$ {
            deny all;
        }

        # Secure real admin directory
        location ~^(/spanky/).*(\.php) {
            include /usr/local/nginx/conf/php.conf;
            allow 10.0.0.245;
            deny all;
            #auth_basic "Restricted Area";
            #auth_basic_user_file /usr/local/nginx/conf/htpasswd;
        }

        # IP.Board PHP/CGI Protection
        # Allow access
        location ~^(/applications/*/interface/).*(\.php)$ {
            allow all;
        }

        # Allow access to imageproxy
        location ^~ /applications/core/interface/imageproxy/imageproxy.php {
            include /usr/local/nginx/conf/php.conf;
            allow all;
        }

        # Allow access to JS file
        location ^~ /applications/core/interface/js/js.php {
            include /usr/local/nginx/conf/php.conf;
            allow all;
        }

        location ~^(/uploads/).*(\.php)$ {
            deny all;
        }
        location ~^(/system/).*(\.php)$ {
            deny all;
        }
        location ~^(/datastore/).*(\.php)$ {
            deny all;
        }
        location ~^(/plugins/).*(\.php)$ {
            deny all;
        }
        location ~^(/applications/blog/).*(\.php)$ {
            deny all;
        }
        location ~^(/applications/calendar/).*(\.php)$ {
            deny all;
        }
        location ~^(/applications/chat/).*(\.php)$ {
            deny all;
        }
        location ~^(/applications/cms/).*(\.php)$ {
            deny all;
        }
        location ~^(/applications/core/).*(\.php)$ {
            deny all;
        }
        location ~^(/applications/downloads/).*(\.php)$ {
            deny all;
        }
        location ~^(/applications/forums/).*(\.php)$ {
            deny all;
        }
        location ~^(/applications/gallery/).*(\.php)$ {
            deny all;
        }
        location ~^(/applications/nexus/).*(\.php)$ {
            deny all;
        }

        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
        #include /usr/local/nginx/conf/errorpage.conf;
        include /usr/local/nginx/conf/vts_server.conf;
    }

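An added example, not part of Bluto's post or of Centminmod: a Python model of nginx's location selection (exact match, then longest prefix with `^~` being final, then the first matching regex in file order) applied to the location blocks visible in the vhost above, to check which block a given URI lands in. The sample URIs are constructed, and the contents of the included `*.conf` files are not shown in the thread, so they are not modelled.

```python
import re

# Location blocks from the vhost above, in file order: (modifier, pattern, action).
# "" is a plain prefix location. Included *.conf files are not modelled.
APPS = ["blog", "calendar", "chat", "cms", "core", "downloads",
        "forums", "gallery", "nexus"]
LOCATIONS = [
    ("~", r"(?:^|/)\.", "deny all"),
    ("", "/", "try_files"),
    ("~", r"^(/page/).*(\.php)$", "try_files"),
    ("~", r"^/admin/(.*)$", "deny all"),
    ("~", r"^(/spanky/).*(\.php)", "php.conf, allow 10.0.0.245"),
    ("~", r"^(/applications/*/interface/).*(\.php)$", "allow all"),
    ("^~", "/applications/core/interface/imageproxy/imageproxy.php",
     "php.conf, allow all"),
    ("^~", "/applications/core/interface/js/js.php", "php.conf, allow all"),
]
LOCATIONS += [("~", rf"^(/{d}/).*(\.php)$", "deny all")
              for d in ["uploads", "system", "datastore", "plugins"]]
LOCATIONS += [("~", rf"^(/applications/{a}/).*(\.php)$", "deny all")
              for a in APPS]


def select_location(uri, locations=LOCATIONS):
    """Pick a location the way nginx does: exact match, then longest prefix
    (final if marked ^~), then the first matching regex in file order,
    then fall back to the longest prefix."""
    best = None
    for mod, pat, action in locations:
        if mod == "=" and uri == pat:
            return mod, pat, action
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    if best and best[0] == "^~":
        return best
    for mod, pat, action in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return mod, pat, action
    return best


# Constructed sample URIs for checking the rule set.
SAMPLES = [
    "/index.php",
    "/admin/index.php",
    "/uploads/avatar.php",
    "/applications/core/interface/js/js.php",
    "/applications/core/interface/example/example.php",
    "/applications/interface/example.php",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        mod, pat, action = select_location(uri)
        print(f"{uri}\n    -> location {mod} {pat}  [{action}]")
```

In a regex, `/*` means "zero or more slashes", so the `/applications/*/interface/` block matches `/applications/interface/...` but not `/applications/core/interface/...`; the two `^~` blocks are what actually let `js.php` and `imageproxy.php` through ahead of the `/applications/core/` deny. A regex block that did match per-application paths would win over the later deny rules and, having `allow all;` without the `php.conf` include, would hand `.php` files to the static file handler.
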
IveLeft..., posted January 9, 2016

Hi Bluto, are you just running a standard Centminmod with that above config? Any other things you're running?

Bluto (Author), posted January 9, 2016

3 hours ago, Cloud 9 said:
> Hi Bluto, are you just running a standard Centminmod with that above config? Any other things you're running?

Yes, that is the base Centminmod.

BomAle, posted February 6, 2016

Hi, this guide is awesome. I use Centminmod but I have one problem: when I try to upgrade my board, it asks me for an FTP / FTP with SSL / SFTP login from the Admin CP. With SFTP mode I receive this error:

"Your server does not support using SSL-FTP. Please contact your hosting provider to ask for PHP OpenSSL extension to be enabled or use a different protocol."

Instead, with FTP with SSL I receive this error:

"Could not move into the directory specified. Check the directory is correct and the user provided has permission to access it."

(The FTP with TLS login works perfectly; tested in FileZilla.) How can I fix it? I tried the same upgrade procedure on shared hosting, and the "FTP details" step was skipped and the upgrade worked fine.

BomAle, posted February 6, 2016

Fixed: the problem was that PHP's ssh2 extension was not installed. https://community.centminmod.com/threads/install-php-extension-ssh2.980/

Bluto (Author), posted February 14, 2016

Updates to the Conf are now located here: https://gist.github.com/zeronug/a16b06fde32dbf0685a5

Archived
This topic is now archived and is closed to further replies.