You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
86 lines
4.1 KiB
Markdown
86 lines
4.1 KiB
Markdown
9 years ago
|
---
|
||
|
date: 2014-12-15T00:00:00+01:00
|
||
|
title: Froxlor + Nginx + WordPress iThemes Rules
|
||
|
author: pcdummy
|
||
|
|
||
|
---
|
||
|
A short howto on setting up Wordpress iThemes Security with Froxlor and nginx.
|
||
|
|
||
|
<!--more-->Assuming you have this directory layout:
|
||
|
|
||
|
/var/customers/webs/[customer-name]/[domain-name]/htdocs
|
||
|
|
||
|
This is what i did to make it work on my froxlor installation:
|
||
|
|
||
|
1. Login to Froxlor as Administrator
|
||
|
2. Impersonate your wordpress customer by clicking on Customers -> [his username]
|
||
|
3. As Customer click on Domain -> Settings -> [the small edit pensil to edit this domain]
|
||
|
4. Change "Openbasedir-Path" to "Homefolder" - this will **allow** PHP to **access** all files **from this customer**!
|
||
|
5. Wait for the froxlor crontask or run it manually
|
||
|
6. Login to your wordpress backend.
|
||
|
7. Goto Security->Settings and search for nginx, change the nginx config path to "/var/customers/webs**/[customer-name]**/**[domain-name]**/nginx.conf" and save, it should give a message about a sucessfull write of the nginx.conf!
|
||
|
8. Go back to the Froxlor Administrator Panel
|
||
|
9. Go to Domains -> [small edit pensil to edit your customers domain]
|
||
|
10. Insert "include /var/customers/webs/[customer-name]/[domain-name]/nginx.conf;" to his "Own vHost-Settings"
|
||
|
11. Wait for the froxlor contask again.
|
||
|
12. Voila, now you have improved yours/your customers wordpress installation even more.
|
||
|
|
||
|
### Deprecated Method:
|
||
|
|
||
|
Took me a while to convert the Nginx rules from iThemes to "plain" Text so i could past them into froxlor.
|
||
|
|
||
|
This is what came out.
|
||
|
|
||
|
<pre class="brush:plain;">
|
||
|
# BEGIN iThemes Security
|
||
|
# BEGIN Tweaks
|
||
|
# Rules to block access to WordPress specific files and wp-includes
|
||
|
location ~ /\.ht { deny all; }
|
||
|
location ~ wp-config.php { deny all; }
|
||
|
location ~ readme.html { deny all; }
|
||
|
location ~ readme.txt { deny all; }
|
||
|
location ~ /install.php { deny all; }
|
||
|
location ^wp-includes/(.*).php { deny all; }
|
||
|
location ^/wp-admin/includes(.*)$ { deny all; }
|
||
|
|
||
|
# Rules to prevent php execution in uploads
|
||
|
location ^(.*)/uploads/(.*).php(.?){ deny all; }
|
||
|
|
||
|
# Rules to block unneeded HTTP methods
|
||
|
if ($request_method ~* "^(TRACE|DELETE|TRACK)"){ return 403; }
|
||
|
|
||
|
# Rules to block suspicious URIs
|
||
|
set $susquery 0;
|
||
|
if ($args ~* "\.\./") { set $susquery 1; }
|
||
|
if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
|
||
|
if ($args ~* "etc/passwd") { set $susquery 1; }
|
||
|
if ($args ~* "boot.ini") { set $susquery 1; }
|
||
|
if ($args ~* "ftp:") { set $susquery 1; }
|
||
|
if ($args ~* "http:") { set $susquery 1; }
|
||
|
if ($args ~* "https:") { set $susquery 1; }
|
||
|
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
|
||
|
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
|
||
|
if ($args ~* "base64_encode") { set $susquery 1; }
|
||
|
if ($args ~* "(%24&x)") { set $susquery 1; }
|
||
|
if ($args ~* "(127.0)") { set $susquery 1; }
|
||
|
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
|
||
|
if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
|
||
|
if ($args !~ "^loggedout=true"){ set $susquery 0; }
|
||
|
if ($args !~ "^action=jetpack-sso"){ set $susquery 0; }
|
||
|
if ($args !~ "^action=rp"){ set $susquery 0; }
|
||
|
if ($http_cookie !~ "^.*wordpress_logged_in_.*$"){ set $susquery 0; }
|
||
|
if ($http_referer !~ "^http://maps.googleapis.com(.*)$"){ set $susquery 0; }
|
||
|
if ($susquery = 1) { return 403; }
|
||
|
|
||
|
# Rules to help reduce spam
|
||
|
location /wp-comments-post.php {
|
||
|
valid_referers jetpack.wordpress.com/jetpack-comment/ *.smile4.at;
|
||
|
set $rule_0 0;
|
||
|
if ($request_method ~ "POST"){ set $rule_0 1$rule_0; }
|
||
|
if ($invalid_referer) { set $rule_0 2$rule_0; }
|
||
|
if ($http_user_agent ~ "^$"){ set $rule_0 3$rule_0; }
|
||
|
if ($rule_0 = "3210") { return 403; }
|
||
|
}
|
||
|
# END Tweaks
|
||
|
# END iThemes Security</pre>
|