Nginx Web folders permission "problem"

Discussion in 'ISPConfig 3 Priority Support' started by adrenalinic, Nov 11, 2014.

  1. adrenalinic

    adrenalinic Member

    Hi,
    I'm using an Nginx Debian server with ispconfig 3 and all websites running are a joomla cms.

    The problem is that all folders of all websites can't be written from the cms.
    All folders permission are 755 and files 644..
    There is a security setting in ispconfig that I need to modify?

    Thanks.
    Best regards.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you use any custom nginx directives? If yes, then it might be that you have a directive there that connects to the wrong php-fpm process (port) and therefor php runs as wrong user.
     
  3. adrenalinic

    adrenalinic Member

    Hi, I don't use custom configuration. The vps is a perfect copy of your howto.

    Another problem is with the email sending from a website, it doesn't send the email as setup in the software like [email protected] but are sent as [email protected] and for this most email are marked as spam from the destination mail server.

    I have done some screenshot of ispconfig setup.

    I see that the attached images here, are really compressed and the content can't be read, I paste here the link to originals images screenshot:
    https://gofile.me/6itQJ/2MmDetEr
    https://gofile.me/6itQJ/2MmDetEr
    https://gofile.me/6itQJ/P4dSYyme

    Code:
    user www-data;
    worker_processes 2;
    worker_rlimit_nofile 30000;
    # worker_priority 0;
    # worker_cpu_affinity 01 10;
    pid /var/run/nginx.pid;
    
    events {
    	worker_connections 128;
    	multi_accept off;
    }
    
    http {
    
    	##
    	# Basic Settings
    	##
    
    	sendfile off;
    	tcp_nopush on;
    	tcp_nodelay on;
    	keepalive_timeout 65;
    	types_hash_max_size 2048;
    
    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    
    # set client body size to 2M #
    client_max_body_size 8M;
    
    	# server_tokens off;
    
    	  server_names_hash_bucket_size 64;
    	# server_name_in_redirect off;
    
    	include /etc/nginx/mime.types;
    	default_type application/octet-stream;
    
    	##
    	# Logging Settings
    	##
    
    	access_log /var/log/nginx/access.log;
    	error_log /var/log/nginx/error.log;
    
    	##
    	# Gzip Settings
    	##
    
    	gzip on;
    	gzip_disable "msie6";
    
    	# gzip_vary on;
    	# gzip_proxied any;
    	 gzip_comp_level 6;
    	 gzip_buffers 16 8k;
    	 gzip_http_version 1.1;
    	 gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    
    	##
    	# nginx-naxsi config
    	##
    	# Uncomment it if you installed nginx-naxsi
    	##
    
    	#include /etc/nginx/naxsi_core.rules;
    
    	##
    	# nginx-passenger config
    	##
    	# Uncomment it if you installed nginx-passenger
    	##
    	
    	#passenger_root /usr;
    	#passenger_ruby /usr/bin/ruby;
    
    	##
    	# Virtual Host Configs
    	##
    
    	include /etc/nginx/conf.d/*.conf;
    	include /etc/nginx/sites-enabled/*;
    }
    
    
    #mail {
    #	# See sample authentication script at:
    #	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
    # 
    #	# auth_http localhost/auth.php;
    #	# pop3_capabilities "TOP" "USER";
    #	# imap_capabilities "IMAP4rev1" "UIDPLUS";
    # 
    #	server {
    #		listen     localhost:110;
    #		protocol   pop3;
    #		proxy      on;
    #	}
    # 
    #	server {
    #		listen     localhost:143;
    #		protocol   imap;
    #		proxy      on;
    #	}
    #}
    
     

    Attached Files:

    Last edited: Nov 12, 2014
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the output of:

    which php

    from that server.
     
  5. adrenalinic

    adrenalinic Member

    /usr/bin/php
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the nginx vhost file of the affected website. You can find it in /etc/nginx/sites-available/

    and check if there is a copy of that file with .err ending.

    And check the jonqueue in the ispconfig monitor to see if there are any jobs in the list.
     
  7. adrenalinic

    adrenalinic Member

    The problem appear on all the 3 websites where I have worked on.

    Code:
    server {
            listen *:80;
    
    
            server_name mydomain.it www.mydomain.it;
    
            root   /var/www/mydomain.it/web;
    
    
    
            index index.html index.htm index.php index.cgi index.pl index.xhtml;
    
    
    
            error_page 400 /error/400.html;
            error_page 401 /error/401.html;
            error_page 403 /error/403.html;
            error_page 404 /error/404.html;
            error_page 405 /error/405.html;
            error_page 500 /error/500.html;
            error_page 502 /error/502.html;
            error_page 503 /error/503.html;
            recursive_error_pages on;
            location = /error/400.html {
    
                internal;
            }
            location = /error/401.html {
    
                internal;
            }
            location = /error/403.html {
    
                internal;
            }
            location = /error/404.html {
    
                internal;
            }
            location = /error/405.html {
    
                internal;
            }
            location = /error/500.html {
    
                internal;
            }
            location = /error/502.html {
    
                internal;
            }
            location = /error/503.html {
    
                internal;
            }
    
            error_log /var/log/ispconfig/httpd/mydomain.it/error.log;
            access_log /var/log/ispconfig/httpd/mydomain.it/access.log combined;
    
    
            location ~ /\. {
                deny all;
                access_log off;
                log_not_found off;
            }
    
            location = /favicon.ico {
                log_not_found off;
                access_log off;
            }
    
            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            }
    
            location /stats/ {
    
                index index.html index.php;
                auth_basic "Members Only";
                auth_basic_user_file /var/www/clients/client1/web4/web/stats/.htpasswd_stats;
            }
    
            location ^~ /awstats-icon {
                alias /usr/share/awstats/icon;
            }
    
          location ~ \.php$ {
                try_files /eea9208292f6dfa3de7854ba916eeda2.htm @php;
            }
    
            location @php {
                try_files $uri =404;
                include /etc/nginx/fastcgi_params;
                fastcgi_pass 127.0.0.1:9013;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_intercept_errors on;
            }
    
    
            include /var/www/clients/client1/web4/web/nginx.conf;
    
    
    

    CODE OF:
    include /var/www/clients/client1/web4/web/nginx.conf;
    Code:
    ### ===========================================================================
    ### Security Enhanced & Highly Optimized NginX Configuration File for Joomla!
    ### automatically generated by Admin Tools 3.3.1 on 2014-11-12 16:24:30 GMT
    ### ===========================================================================
    ###
    ### Admin Tools is Free Software, distributed under the terms of the GNU
    ### General Public License version 3 or, at your option, any later version
    ### published by the Free Software Foundation.
    ###
    ### !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! IMPORTANT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    ### !!                                                                       !!
    ### !!  If you get an Internal Server Error 500 or a blank page when trying  !!
    ### !!  to access your site, remove this file and try tweaking its settings  !!
    ### !!  in the back-end of the Admin Tools component.                        !!
    ### !!                                                                       !!
    ### !!  Remember to include this file in your site's configuration file.     !!
    ### !!  Also remember to reload or restart NginX after making any change to  !!
    ### !!  this file.                                                           !!
    ### !!                                                                       !!
    ### !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    ###
    
    ### Prevent access to this file
    location = /nginx.conf {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    
    location = /nginx.conf.admintools {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    ######################################################################
    ## Protect against common file injection attacks
    ######################################################################
    set $file_injection 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
    	set $file_injection 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
    	set $file_injection 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
    	set $file_injection 1;
    }
    if ($file_injection = 1) {
    	return 403;
    	break;
    }
    ######################################################################
    ## Disable PHP Easter Eggs
    ######################################################################
    if ($query_string ~ "\=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}") {
    	return 403;
    	break;
    }
    ######################################################################
    ## Block access to configuration.php-dist and htaccess.txt
    ######################################################################
    location = /configuration.php-dist {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    
    location = /htaccess.txt {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    
    location = /web.config {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    
    location = /configuration.php {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    
    location = /CONTRIBUTING.md {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    
    location = /joomla.xml {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    
    location = /LICENSE.txt {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    
    location = /phpunit.xml {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    
    location = /README.txt {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    
    location = /web.config.txt {
    	log_not_found off;
    	access_log off;
    	return 404;
    	break;
    }
    ######################################################################
    ## Directory indices
    ## Forces index.php to be read before the index.htm(l) files
    ######################################################################
    index index.php index.html index.htm;
    ######################################################################
    ## Redirect non-www to www
    ######################################################################
    if ($host = 'mydomain.it' ) {
    	rewrite ^/(.*)$ $scheme://www.maydomain.it/$1 permanent;
    }
    ######################################################################
    ## CloudFlare support - see https://support.cloudflare.com/hc/en-us/articles/200170706-Does-CloudFlare-have-an-IP-module-for-Nginx-
    ######################################################################
    set_real_ip_from   199.27.128.0/21;
    set_real_ip_from   173.245.48.0/20;
    set_real_ip_from   103.21.244.0/22;
    set_real_ip_from   103.22.200.0/22;
    set_real_ip_from   103.31.4.0/22;
    set_real_ip_from   141.101.64.0/18;
    set_real_ip_from   108.162.192.0/18;
    set_real_ip_from   190.93.240.0/20;
    set_real_ip_from   188.114.96.0/20;
    set_real_ip_from   197.234.240.0/22;
    set_real_ip_from   198.41.128.0/17;
    set_real_ip_from   162.158.0.0/15;
    set_real_ip_from   104.16.0.0/12;
    set_real_ip_from   2400:cb00::/32;
    set_real_ip_from   2606:4700::/32;
    set_real_ip_from   2803:f800::/32;
    set_real_ip_from   2405:b500::/32;
    set_real_ip_from   2405:8100::/32;
    real_ip_header     X-Forwarded-For;
    # -- Security options, see http://wiki.nginx.org/HttpCoreModule
    server_name_in_redirect off;
    server_tokens off;
    ignore_invalid_headers on;
    # -- Maximum client body size set to 1 Gigabyte
    client_max_body_size 1G;
    set $common_exploit 0;
    if ($query_string ~ "proc/self/environ") {
    	set $common_exploit 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
    	set $common_exploit 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
    	set $common_exploit 1;
    }
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
    	set $common_exploit 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
    	set $common_exploit 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
    	set $common_exploit 1;
    }
    if ($common_exploit = 1) {
    	return 403;
    }
    ## Enable SEF URLs
    location / {
    	try_files $uri $uri/ /index.php?$args;
    	## Disable directory listings
    	autoindex off;
    }
    location ~* /index.php$ {
    	fastcgi_pass unix:/var/run/php5-fpm.sock;;
    	break;
    }
    ######################################################################
    ## Advanced server protection rules exceptions
    ######################################################################
    location = /administrator\/components\/com_akeeba\/restore\.php {
    	fastcgi_pass unix:/var/run/php5-fpm.sock;;
    	break;
    }
    location = /administrator\/components\/com_admintools\/restore\.php {
    	fastcgi_pass unix:/var/run/php5-fpm.sock;;
    	break;
    }
    location = /administrator\/components\/com_joomlaupdate\/restore\.php {
    	fastcgi_pass unix:/var/run/php5-fpm.sock;;
    	break;
    }
    location ~* ^/administrator\/components\/com_akeeba/.*\.php$
    {
    	break;
    }
    location ~* ^/administrator\/components\/com_akeeba/.*$
    {
    	break;
    }
    location ~* ^/components\/com_akeeba/.*\.php$
    {
    	break;
    }
    location ~* ^/components\/com_akeeba/.*$
    {
    	break;
    }
    location ~* ^/administrator\/components\/com_akeeba\/backup/.*\.php$
    {
    	break;
    }
    location ~* ^/administrator\/components\/com_akeeba\/backup/.*$
    {
    	break;
    }
    location ~* ^/templates\/mytemplate2014v5/.*$
    {
    	break;
    }
    ######################################################################
    ## Advanced server protection
    ######################################################################
    # Allow media files in select front-end directories
    location ~* ^/(components|modules|templates|images|plugins|media|libraries|tmp)/.*.(jpe|jpg|jpeg|jp2|jpe2|png|gif|bmp|css|js|swf|html|mpg|mp3|mpeg|mp4|avi|wav|ogg|ogv|xls|xlsx|doc|docx|ppt|pptx|zip|rar|pdf|xps|txt|7z|svg|odt|ods|odp|flv|mov|ico|htm|ttf|woff|eot|jpa|JPG|JPEG|PNG|GIF|CSS|JS|TTF|WOFF|EOT)$ {
    	break;
    }
    
    ## Disallow front-end access for certain Joomla! system directories (unless access to their files is allowed above)
    location ~* ^/includes/js/ {
    	return 403;
    }
    location ~* ^/(cache|includes|language|logs|log|tmp)/ {
    	return 403;
    }
    # Allow access to /
    location ~* /$ {
    	return 301 /index.php;
    }
    
    # Disable access to everything else.
    location ~* /.*$ {
    	# If it is a file, directory or symlink and I haven't deliberately
    	# enabled access to it, forbid any access to it!
    	if (-e $request_filename) {
    		return 403;
    	}
    	# In any other case, just treat as a SEF URL
    	try_files $uri $uri/ /index.php?$args;
    }
    ##### Advanced server protection -- END
    
    
     
    Last edited: Nov 12, 2014
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you use a customized nginx configuration. I asked you that above and you answered "I don't use custom configuration.".

    Your custom configuration overrides the configuration from ISPConfig and instrcts nginx to run all sites with the wrong php-fpm damen. This has also a huge security impact as your config above allows a hacker to infect all sites on a server if he is able to get into a single site.

    All occurrences of the following line in your include:

    fastcgi_pass unix:/var/run/php5-fpm.sock;;

    have to be replaced with this:

    fastcgi_pass 127.0.0.1:9013;

    for this website. The port differs for each site as each site runs under a different Linux user for security reasons on a ispconfig setup.
     
  9. adrenalinic

    adrenalinic Member

    Hi, ok for the fastcgi_pass unix:/var/run/php5-fpm.sock;;

    This inclusion of the external nginx.conf have impact on all other websites?!?!
    The inclusion is relative to one website and is added from the ispconfig options of the website... is the most used tool of the world for protect the joomla cms..

    Let me know.
    :confused:
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    This file has impact on all websites were you use it. The file is made for simple servers that run just one website and that use the default php of the webserver and not a custom php and not custom linux users. so its setup is less secure then the ispconfig default setup if you use it on servers that run more then one website.
     
  11. adrenalinic

    adrenalinic Member

    If I add the rules of this nginx.conf generated file directly in to the nginx Directives field of ispconfig?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Thats makes no difference. Wrong rules dont become correct rules by addong them somewhere else.

    The file you used is simply incompatible with the secure vhost setup of ispconfig as it overrides the php handlers from ispconfig. You can generallyuse the directives from that file, either as include or in ispconfig (the include is the less secure way in any case), but you have to modify it that it uses the php-fpm instance of the website. each website has its own php.fpm instance which runs under a different user, so it is important that you dont use a wrong php instance like in your case as a wrong instance which runs on a different user v´can not write into the website, which results in the error that you described in the first post.
     
  13. adrenalinic

    adrenalinic Member

    Ok yes. Thanks.
    Therefore the ispconfig rules already protect a joomla "like" system from many types of attack?

    I will use only the parts of rules to deny access to the administrative page..?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    The ispconfig setup isolates websites from each other by running them under different users and your script removes that isolation and runs php under a wrong user which results in your errors. I explained already which parts you have to change in the script if you want to use that.
     
  15. adrenalinic

    adrenalinic Member

    Yes I have already changed to the fastcgi_pass 127.0.0.1:9013;


    But from your words, I understand that all this rules are less secure than the ispconfig setup.

    Changing to the fastcgi_pass 127.0.0.1:9013; all thi rules can be used?


    Thanks for the support.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    I said that including that file makes the setup less ecure as it disables the website isolation from ispconfig. if you fixed your file that the isolation of the sites is intact, then you can use that.
     
  17. adrenalinic

    adrenalinic Member

    Thanks you very much.
     
  18. adrenalinic

    adrenalinic Member

    A latest question:

    How can find easy the correct port to use for each website in the fastcgi_pass ?

    Thanks.
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    fpm start port (from system > server config settings) + website ID - 1
     

Share This Page