Hi,
I'm trying to secure GetSimple CMS, but I'm not able to disallow the download of files in the /admin/ folder when using tools like curl or wget.
---------------------------
The server runs archlinux with php-fpm.
Server configuration block in nginx.conf:
server {
    index index.php index.html index.htm;
    server_name example.com;
    listen 80;
    root /path/to/getsimplecms;
    include php.conf;
    # Stop deep linking or hot linking (except for own hosts)
    location /uploads/ {
        valid_referers none blocked <some hosts ...>
        if ($invalid_referer) {
            return 403;
        }
    }
    location ~ \.(xml|xml\.bak)$ {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
    location /admin/ {
        auth_basic "Restricted";
        auth_basic_user_file /path/to/some/htpasswd;
    }
    location = /sitemap.xml {
        allow all;
    }
}
php.conf:
location ~ \.php$ {
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    include fastcgi.conf;
}
fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
---------------------------
auth_basic is working as expected for the /admin/ location, but I can still download files from that folder.
i.e.
$ wget http://example.com/admin/settings.php
--2014-12-06 21:56:06-- http://example.com/admin/settings.php
Resolving example.com (example.com)... XX.XX.XX.XX
Connecting to example.com (example.com)|XX.XX.XX.XX|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: index.php?redirect=/admin/settings.php? [following]
--2014-12-06 21:56:06-- http://example.com/admin/index.php?redirect=/admin/settings.php?
Reusing existing connection to example.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘settings.php’
0K .. 308K=0.009s
2014-12-06 21:56:06 (308 KB/s) - ‘settings.php’ saved [2234]
----
I'm really new to nginx and have already tried different things to prevent "index.php?redirect=/admin/.*\.php" from being processed... but nothing has worked so far, please help!
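The behaviour in the wget log is explained by nginx's location selection order, not by a hole in GetSimple: a regular-expression location such as "location ~ \.php$" is chosen before a plain prefix location such as "location /admin/", so a request for /admin/settings.php is handed straight to php-fpm and auth_basic is never evaluated. The script is executed (the 302 to index.php?redirect=... is the CMS's own login redirect, and the 2234 bytes saved are the login page, not the PHP source), but the HTTP-level password prompt the poster configured is skipped. The corrected server block below is an added example, not the poster's configuration; it uses the "^~" prefix modifier, which stops the regex search once /admin/ matches, and nests the PHP handler inside that block so admin scripts still run, but only after basic auth has passed. The paths are the placeholders from the post, and the rest of the block (uploads, xml and dot-file rules) is assumed unchanged.

```nginx
server {
    index index.php index.html index.htm;
    server_name example.com;
    listen 80;
    root /path/to/getsimplecms;

    # Normal PHP handling for everything outside /admin/ (the poster's php.conf).
    include php.conf;

    # "^~": once this prefix matches, nginx does not consult the regex locations
    # defined at server level, so "~ \.php$" above can no longer bypass auth_basic.
    location ^~ /admin/ {
        auth_basic "Restricted";
        auth_basic_user_file /path/to/some/htpasswd;

        # Admin PHP scripts still need php-fpm; nesting the handler here means it is
        # reached only after the basic-auth check on the enclosing block succeeded.
        # php.conf contains "location ~ \.php$ { fastcgi_pass ...; include fastcgi.conf; }".
        include php.conf;
    }

    # Unchanged rules from the original post.
    location /uploads/ {
        valid_referers none blocked <some hosts ...>;
        if ($invalid_referer) {
            return 403;
        }
    }
    location ~ \.(xml|xml\.bak)$ {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
    location = /sitemap.xml {
        allow all;
    }
}
```

After "nginx -t" and a reload, "curl -I http://example.com/admin/settings.php" should answer 401 with a WWW-Authenticate header instead of the 302 seen in the log; only a request carrying valid credentials reaches the CMS login redirect. The same precedence rule applies to any prefix location that is meant to guard PHP files, so the "^~" form is the one to use whenever a directory-level restriction must win over the site-wide PHP handler.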