• spiros

    (@spiros)


    I got a:

    Publicly accessible config, backup, or log file found: .user.ini
    Type: Publicly Accessible Config/Backup/Log

    When I click to hide I get:

    Unable to automatically hide file
    You are using an Nginx web server and using a FastCGI processor like PHP5-FPM. You will need to manually delete or hide those files.

    Not sure how to do that.

Viewing 8 replies - 1 through 8 (of 8 total)
  • ddach69

    (@ddach69)

    I just used this to hide my php.ini file, so I’m guessing it would work for user.ini or any file for that matter.

    I added this to my .htaccess file:

    <Files php.ini>
    Order allow,deny
    Deny from all
    </Files>

    Thread Starter spiros

    (@spiros)

    I use nginx server via cpnginx so it would not work.

    wfyann

    (@wfyann)

    Hi @spiros,

    Please see this article from our documentation explaining how to proceed in order to block access to specific files when a site uses the NGINX web server.

    Thread Starter spiros

    (@spiros)

    Hi,

    I have added

    location ~ \.user\.ini$ {
        deny all;
    }


    to my vhost template, restarted NGINX and PHP-FPM, but still the .user.ini file gets downloaded.

    Just above the template had

    # Disable direct access to .ht files and folders
    location ~ /\.ht {
        deny all;
    }

    The guys from cpnginx.com, who provide the cPanel plugin, responded as follows when I emphasized the security risk that this entails:

    This is not an issue related to cpnginx. You may need to contact your server support to resolve the issue.
    […]
    Kindly note that we do not provide any customization support on cPnginx. We suggest you contact your server support team to do the task, or you can purchase our cPanel Proactive enterprise plan from the following link https://syslint.com/cpanel-server-management/ so that we can check from our end whether it is possible or not.

    They do not sound very security-proactive about their product to me.

    • This reply was modified 7 years ago by spiros.
    wfyann

    (@wfyann)

    Hi @spiros,

    It might also matter where in the file you place the directive; if there’s a location block before this one that also matches, NGINX will use that, as discussed here.

    Thread Starter spiros

    (@spiros)

    Here are some of the other blocks containing “location” above the place where I put it. I am at a loss really about this. I could forward the file if you want.

    server {
        listen    ${IP}:80;
        %if HAVE_DEDICATED_IP == '0':
        server_name  ${DOMAIN} www.${DOMAIN};
        % endif 
        %if HAVE_DEDICATED_IP == '1':
        server_name  ${DOMAIN} www.${DOMAIN} ${IP} www.${IP};
        % endif
        root ${DOCROOT};
        index index.php index.php5 index.php4 index.php3 index.perl index.pl  index.cgi  index.phtml index.shtml index.xhtml index.html index.htm index.wml Default.html Default.htm default.html default.htm home.html home.htm;
        location = /favicon.ico {
            log_not_found off;
        }
    
       % if TYPE == "main" and USERDIR_STATUS == "1":
    
        # userdir enabled
        location  ~ ^/~${USER}(/.*)?$ {
            alias   ${DOCROOT}/$2;
            autoindex on;
            try_files $uri $uri/ @userdirproxy;
    
        }
    
       location  @userdirproxy {
            proxy_pass   https://${IP}:${APACHE_HTTP_PORT};
            proxy_set_header   Host   $host;
            proxy_set_header   X-Real-IP  $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_redirect     off;
    
        }
        % endif
    
        % if TYPE == "addon"  or TYPE == "parked":
        access_log /usr/local/apache/domlogs/${PARENT_DOMAIN} combined;
        access_log /usr/local/apache/domlogs/${PARENT_DOMAIN}-bytes_log bytes_log;
        %else:
        access_log /usr/local/apache/domlogs/${DOMAIN} combined;
        access_log /usr/local/apache/domlogs/${DOMAIN}-bytes_log bytes_log;
        % endif
    
        # Disable direct access to .php files in the following on a wordpress site
        location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
        }
        # Add trailing slash to */wp-admin requests.
        rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    
        referer_hash_bucket_size 512;
         # Run static files directly from nginx
        location ~* ^.+.(${STATIC_FILES})$ {
            expires 30d;
            add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }
    # Disable direct access to .ht files and folders
        location ~ /\.ht {
              deny all;
            }
        # Access all cpanel services 
        location ~* ^/(cpanel|webmail|whm|bandwidth|img-sys|java-sys|mailman/archives|pipermail|sys_cpanel|cgi-sys|mailman) {
            proxy_pass   https://${IP}:${APACHE_HTTP_PORT};
            proxy_set_header   Host   $host;
            proxy_set_header   X-Real-IP  $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        % if MOD_FLV == "1":
        # Enabled FLV streaming    
        location ~ .flv$ {
            flv;
        }
        % endif 
        %if MOD_MP4 == "1":
        # Enabled MP4 streaming
        location ~ .mp4$ {
            mp4;
            mp4_buffer_size 4M;
            mp4_max_buffer_size 10M;
        }

    Hi @spiros,

    Sorry about the delayed response.

    Have you tried moving the “.ini” rule up to the top?

    Thread Starter spiros

    (@spiros)

    This is what worked:

    # Disable direct access to .user.ini files and folders
    location ~ /\.us {
        deny all;
    }

    I added this in 2 locations below this (protects .htaccess files):

    # Disable direct access to .ht files and folders
    location ~ /\.ht {
        deny all;
    }
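    The fix above and wfyann’s earlier point about block order both come down to how NGINX picks a location: regex locations are tried in file order and the first match wins, so a deny rule placed after a broader regex never fires. The following Python model of that selection algorithm is an added example, not code from the thread or from cpnginx; the location list and the assumption that the static-file extension list contains "ini" are constructed to illustrate the ordering problem.

```python
import re
from typing import List, Optional, Tuple

# (modifier, pattern, action): modifier is "=", "^~", "~", "~*" or "" (plain
# prefix), mirroring nginx location syntax. The action is only a label.
Location = Tuple[str, str, str]

def resolve(locations: List[Location], uri: str) -> Optional[str]:
    """Pick the location nginx would use for `uri` (simplified model).

    An exact (=) match wins outright. Otherwise the longest matching prefix
    is remembered; if it is marked ^~, regex locations are skipped. Otherwise
    regex locations are tried in FILE ORDER and the first match wins, which
    is why a deny rule placed after a broader regex never fires.
    """
    best: Optional[Location] = None
    for mod, pat, act in locations:
        if mod == "=" and uri == pat:
            return act
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, act)
    if best is not None and best[0] == "^~":
        return best[2]
    for mod, pat, act in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return act
    return best[2] if best else None

# Constructed vhost fragments. The static-file regex is assumed (hypothetical;
# the thread never shows STATIC_FILES) to list "ini", so it swallows the
# request for /.user.ini when it comes first.
STATIC = ("~*", r"^.+\.(css|js|png|ini)$", "serve-static")
UPLOADS = ("~*", r"/(?:uploads|files)/.*\.php$", "deny")
FAVICON = ("=", "/favicon.ico", "favicon")
DENY_HT = ("~", r"/\.ht", "deny")
DENY_USER_INI = ("~", r"/\.us", "deny")   # the rule that worked in the thread
PHP = ("~", r"\.php$", "fastcgi")

# Deny rule after the static regex: the earlier regex matches, file is served.
BROKEN_ORDER = [FAVICON, UPLOADS, STATIC, DENY_HT, DENY_USER_INI, PHP]
# Deny rules hoisted above the static regex: the file is blocked.
FIXED_ORDER = [FAVICON, DENY_HT, DENY_USER_INI, UPLOADS, STATIC, PHP]

def check(order: List[Location], uri: str = "/.user.ini") -> str:
    """Return the action label chosen for `uri`, or "no-match"."""
    return resolve(order, uri) or "no-match"
```

    Note that `/\.us` also matches any other path component beginning with ".us", just as the existing `/\.ht` rule covers .htaccess and .htpasswd alike.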