I am trying to get basic auth set up on an Nginx subdomain but it's not working.
server {
listen 80 default;
listen 443 default ssl;
#ssl_certificate /etc/pki/tls/certs/localhost.crt;
#ssl_certificate_key /etc/pki/tls/private/localhost.key;
ssl_certificate /etc/pki/tls/certs/2019-wildcard.somserver.com.crt;
ssl_certificate_key /etc/pki/tls/private/2019-wildcard.somserver.com.key;
server_name www.somserver.com;
root /var/www/vhosts/somserver.com/httpdocs;
access_log /var/log/nginx/somserver.com-access.log main;
error_log /var/log/nginx/somserver.com-error.log warn;
index index.php index.html;
location / {
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
try_files $uri $uri/ @handler;
expires 30d;
}
location ~ ^/(app|includes|lib|media/customer|media/downloadable|pkginfo|var)/ { deny all; }
location ~ ^/RELEASE_NOTES.txt { return 404; }
location ~ ^/errors/.*\.(xml|phtml)$ { return 404; }
location ~ ^/media/.*\.(cfg|ini|xml)$ { return 404; }
location ~ ^/media/.*\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi) { return 404; }
location ~ /\. { return 404; }
location /media/ {
try_files $uri $uri/ /get.php;
expires 30d;
}
location @handler {
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
rewrite / /index.php;
}
location ~ .php/ {
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
rewrite ^(.*.php)/ $1 last;
}
location ~ .php$ {
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
try_files $uri /index.php;
expires off;
fastcgi_pass unix:/var/run/php-fpm/somserver.com.sock;
fastcgi_buffers 256 4k;
fastcgi_buffer_size 32k;
fastcgi_busy_buffers_size 256k;
fastcgi_read_timeout 3600s;
fastcgi_param HTTPS $fastcgi_https;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param MAGE_RUN_CODE default;
fastcgi_param MAGE_RUN_TYPE store;
include fastcgi_params;
}
location ~ ^/(php-status|ping)$ {
access_log off;
allow 127.0.0.1;
allow 172.24.16.85;
deny all;
include fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/somserver.com.sock;
include fastcgi_params;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
}
}
Initially I assumed that I would just need to add it to the location / { but then even after trying to add it to all the PHP-related locations it still seems to have no effect. Anything I can try to troubleshoot this further?
It's a CentOS box running Nginx and FastCGI. The app is Magento, so I need to just add basic auth on PHP files.
I installed a PHP script in the /files/ subfolder on Nginx, but when I access the page, it's not working. It just shows 404 Not Found. I also tried changing the root directly to the subfolder, but it's still not working, like this: root /home/smart/web/example.com/public_html/files;
Also, I added this in the config, but it's not working.
location ^~ /files {
if (!-e $request_filename) { rewrite ^/(.*) /files/index.php?_page_url=$1 last; }
location ~ \.php$ {
if (!-e $request_filename) { rewrite ^/(.*) /files/index.php?_page_url=$1 last; }
fastcgi_pass unix:/run/php/php8.0-fpm-example.com.sock;
index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
location /files/files/ {
internal;
}
# these locations would be hidden by .htaccess normally
location /files/logs/ {
deny all;
}
}
Here is my full nginx config:
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
#=========================================================================#
server
{
listen myip:443 ssl http2;
server_name example.com;
root /home/smart/web/example.com/public_html;
index index.php index.html index.htm;
access_log /var/log/nginx/domains/example.com.log combined;
access_log /var/log/nginx/domains/example.com.bytes bytes;
error_log /var/log/nginx/domains/example.com.error.log error;
client_max_body_size 5G;
ssl_certificate /home/smart/conf/web/example.com/ssl/example.com.pem;
ssl_certificate_key /home/smart/conf/web/example.com/ssl/example.com.key;
ssl_stapling on;
ssl_stapling_verify on;
include /home/smart/conf/web/example.com/nginx.hsts.conf*;
location /
{
location ~* ^.+\.(jpeg|jpg|png|webp|gif|bmp|ico|svg|css|js)$
{
expires max;
fastcgi_hide_header "Set-Cookie";
}
location ~ [^/]\.php(/|$)
{
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
if (!-f $document_root$fastcgi_script_name)
{
return 404;
}
fastcgi_pass unix:/run/php/php8.0-fpm-example.com.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
include /home/smart/conf/web/example.com/nginx.fastcgi_cache.conf*;
}
}
location ^~ /files {
if (!-e $request_filename) { rewrite ^/(.*) /files/index.php?_page_url=$1 last; }
location ~ \.php$ {
if (!-e $request_filename) { rewrite ^/(.*) /files/index.php?_page_url=$1 last; }
fastcgi_pass unix:/run/php/php8.0-fpm-example.com.sock;
index index.php;
include /etc/nginx/fastcgi_params;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
location /files/files/ {
internal;
}
# these locations would be hidden by .htaccess normally
location /files/logs/ {
deny all;
}
}
location /error/
{
alias /home/smart/web/example.com/document_errors/;
}
location ~ /\.(?!well-known\/)
{
deny all;
return 404;
}
location /vstats/
{
alias /home/smart/web/example.com/stats/;
include /home/smart/web/example.com/stats/auth.conf*;
}
include /etc/nginx/conf.d/phpmyadmin.inc*;
include /etc/nginx/conf.d/phppgadmin.inc*;
include /home/smart/conf/web/example.com/nginx.conf_*;
}
I'm going crazy trying to understand this nginx vhost config. My issue is with the /v2 location: it does not send PHP stuff to php-fpm, while it works properly outside /v2. Can anyone point out the mistake?
server {
listen 443 ssl;
include ssl.conf;
include hardening.conf;
server_name myapp.domain.com myapp;
ssl_certificate /etc/pki/tls/certs/myapp.domain.com.crt;
ssl_certificate_key /etc/pki/tls/private/myapp.domain.com.key;
access_log /var/log/nginx/myapp.domain.com-access.log main;
error_log /var/log/nginx/myapp.domain.com-error.log notice;
root /var/www/html/myapp.domain.com;
location ~ /\.ht {
deny all;
}
location ~ /v2 {
alias /var/www/html/myapp.domain.com/version-2/web;
try_files $uri index.php$is_args$args;
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass localhost:9000;
fastcgi_index index.php;
include fastcgi_params.conf;
}
}
According to the comments, I'm trying the nested location solution, but I now receive a 404 when I try https://myapp.domain.com/v2/index.php while /var/www/html/myapp.domain.com/version-2/web/index.php is present on the filesystem. Also, as explained in the link given, I modified my location from ^ to ^~. Any idea what's wrong?
server {
listen 443 ssl;
include ssl.conf;
include hardening.conf;
server_name myapp.domain.com myapp;
ssl_certificate /etc/pki/tls/certs/myapp.domain.com.crt;
ssl_certificate_key /etc/pki/tls/private/myapp.domain.com.key;
access_log /var/log/nginx/myapp.domain.com-access.log main;
error_log /var/log/nginx/myapp.domain.com-error.log notice;
root /var/www/html/myapp.domain.com;
location ~ /\.ht {
deny all;
}
location ^~ /v2 {
alias /var/www/html/myapp.domain.com/version-2/web;
try_files $uri index.php$is_args$args;
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass localhost:9000;
fastcgi_index index.php;
include fastcgi_params.conf;
}
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass localhost:9000;
fastcgi_index index.php;
include fastcgi_params.conf;
}
}
You have to point to the php5-fpm location, like this:
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
Take a look at a whole example:
server {
listen 8082;
listen [::]:8082;
server_name 192.168.2.60;
root /usr/share/nginx/html/phpmyadmin/;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?uri=$uri;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}
For posterity, I got a working config:
server {
listen 443 ssl;
include ssl.conf;
include hardening.conf;
server_name myapp.domain.com myapp;
ssl_certificate /etc/pki/tls/certs/myapp.domain.com.crt;
ssl_certificate_key /etc/pki/tls/private/myapp.domain.com.key;
access_log /var/log/nginx/myapp.domain.com-access.log main;
error_log /var/log/nginx/myapp.domain.com-error.log notice;
root /var/www/html/myapp.domain.com;
location ^~ /v2/admin/web/index[_dev]*.php/command {
if (!-f $request_filename) {
rewrite ^ /v2/admin/web/index.php$is_args$args last;
}
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params.conf;
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;
}
}
How do I configure nginx to allow a slash between my /test_file.php/?param1=test? Currently it is only allowing /test_file.php?param1=test ...
Here is my current configuration:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
# rewrite ^/(.php*)/$ /$1 permanent;
root /var/www/example.com;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/example.com-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
URL working (undesirable): https://example.com/workouts.php?workout=206
URL I want: https://example.com/workouts.php/?workout=206
The block:
location ~ \.php$ { ... }
is responsible for processing any URI which ends with .php.
A simple solution would be to change the regular expression to accept URIs which include pathinfo. However, you should also make other changes within the block to mitigate known exploits. See this document for details.
For example:
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
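The effect of the two regular expressions in this answer can be checked offline before reloading nginx. This is an added example, not part of the original answer: Python's `re` module stands in for nginx's PCRE matching, and the `FILES` set and sample URIs are constructed stand-ins for the document root and real requests.

```python
import re

# Location regexes from the question (old) and the answer (new).
OLD_LOCATION = re.compile(r"\.php$")
NEW_LOCATION = re.compile(r"[^/]\.php(/|$)")
# Pattern given to fastcgi_split_path_info in the answer.
SPLIT = re.compile(r"^(.+?\.php)(/.*)$")

# Constructed document-root contents; stands in for nginx's "-f" file test.
FILES = {"/workouts.php", "/index.php", "/uploads/photo.jpg"}


def split_path_info(uri):
    """Return (script_name, path_info) the way fastcgi_split_path_info sets
    $fastcgi_script_name and $fastcgi_path_info. When the pattern does not
    match, the script name is the whole URI and path_info is empty."""
    m = SPLIT.match(uri)
    return (m.group(1), m.group(2)) if m else (uri, "")


def route(uri, files=FILES):
    """Decide what the answer's PHP location does with a URI path (no query
    string, because nginx matches locations against the path only)."""
    if not NEW_LOCATION.search(uri):
        return ("not-php-location", None, None)
    script, path_info = split_path_info(uri)
    if script not in files:  # if (!-f $document_root$fastcgi_script_name)
        return ("404", script, path_info)
    return ("fastcgi", script, path_info)


if __name__ == "__main__":
    samples = [
        "/workouts.php",             # plain script
        "/workouts.php/",            # the URL form the question asks for
        "/index.php/a/b",            # script plus path info
        "/uploads/photo.jpg/x.php",  # ".php" segment that is not a real file
        "/.php",                     # rejected by the [^/] in the new regex
    ]
    for uri in samples:
        old_match = bool(OLD_LOCATION.search(uri))
        action, script, info = route(uri)
        print(f"{uri:26} old_match={old_match!s:5} new={action:16} "
              f"script={script} path_info={info!r}")
```

Only a script name that exists as a regular file reaches PHP-FPM; everything else that enters the location ends in a 404.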
My site keeps showing phpinfo(); when I land on it.
My root should be: /home/forge/aveniros/public
I'm not sure where to set it.
I decided to configure my settings in: ~/etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name default;
root /home/forge/aveniros/public;
index index.html index.htm index.php;
# FORGE SSL (DO NOT REMOVE!)
# ssl_certificate;
# ssl_certificate_key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/default-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
Then, I ran sudo service nginx restart after I saved.
Nothing seems to take effect.
Can someone please tell me what I did wrong here?
You need to set your server name to _; currently you are only listening for requests to the name default.
server_name _;
Use this virtual host
server {
listen 80;
server_name project.dev;
root /var/www/directory/project/public;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location / {
index index.php;
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php/?(.*)$ {
fastcgi_connect_timeout 3s; # default of 60s is just too long
fastcgi_read_timeout 10s; # default of 60s is just too long
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
location /phpmyadmin {
root /usr/share/;
index index.php index.html index.htm;
location ~ ^/phpmyadmin/(.+\.php)$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi_params;
}
}
}
My site is working now. Here are my settings:
File path: ~/etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name default;
root /home/forge/aveniros/public;
# HTTP Authentication Configuration
auth_basic "Restricted";
auth_basic_user_file /home/forge/aveniros/.htpasswd;
# FORGE SSL (DO NOT REMOVE!)
# ssl_certificate;
# ssl_certificate_key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
index index.html index.htm index.php;
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
access_log off;
error_log /var/log/nginx/default-error.log error;
error_page 404 /index.php;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ /\.ht {
deny all;
}
}
When I try accessing: https://www.mysite.com, it downloads a php file, however when I access https://www.mysite.com/index.php, there is no problem.
server {
listen 443;
server_name www.mysite.com;
ssl on;
ssl_certificate /etc/nginx/ssl/public.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
root /var/www/mysite.com;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ^~ /app/ { deny all; }
location ^~ /includes/ { deny all; }
location ^~ /lib/ { deny all; }
location ^~ /media/downloadable/ { deny all; }
location ^~ /pkginfo/ { deny all; }
location ^~ /report/config.xml { deny all; }
location ^~ /var/ { deny all; }
location /doc/ {
alias /usr/share/doc/;
autoindex on;
allow 127.0.0.1;
deny all;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param HTTPS on;
}
}
So, php is not interpreted.
I've had similar problems before, where the page would just show the source code for index.php whenever a 404 error occurred.
try_files $uri $uri/ /index.php?$query_string;
Try this:
try_files $uri $uri/ =404;
error_page 404 = /index.php?$query_string;
If the problem still occurs, try adding this:
location ~ ^/?$ {
try_files $uri $uri/ index.php =404;
}
This is an ugly hack, but it worked for me on my old server. Haven't needed it in my new setup for some reason.