Posts: 3
Threads: 1
Joined: Mar 2012
Hi,
I'm new here but I've been using GetSimple for a year. Migrating from Apache to NGINX would be a nice idea, but it seems GetSimple is not really secure on an NGINX server. GetSimple relies on .htaccess to protect a folder. But .htaccess is not NGINX friendly and it will not work.
The folder "/data/users/admin.xml", which is the top secret of your website, will be accessible to other users.
I hope there will be a solution to this problem and that you will take this seriously so that others will benefit from this open-source project.
Posts: 1,204
Threads: 30
Joined: Jun 2010
Nginx has its own rewrite rules.
You can try to block the directory by adding this to the nginx.conf file:
Code:
location /data/users/ {
    deny all;
}
There are also methods to do link rewrites; instead of Apache's rewrite, nginx uses the try_files directive.
I can't guarantee this will work. I've never touched nginx.
Somebody posted some rewrite rules for nginx a long time ago.
Maybe they will still be working.
Addons: blue business theme, Online Visitors, Notepad
Posts: 972
Threads: 27
Joined: Aug 2009
tested0002 Wrote: [I]t seems GetSimple is not really secure on nginx server. GetSimple relies on .htaccess to protect a folder. But .htaccess is not nginx friendly and it will not work.
Let me first say that it isn’t that GetSimple is insecure on nginx server software, it was just never made for it or tested to run on it. There is a difference there. It is like saying a program is a virus because it can mess up your Windows computer, even when the program was made to be run on Mac computers only.
With that out of the way, different users have been trying to get it to work on nginx.
marrco has even published his configuration file which includes URL rewrites, and caching. It also includes XML access blocking:
Code:
location ~* \.xml$ { deny all; }
Posts: 3
Threads: 1
Joined: Mar 2012
Thank you for all your replies, guys.
This code
Code:
location /data/users/ {
    deny all;
}
does its job perfectly.
Posts: 972
Threads: 27
Joined: Aug 2009
2012-03-19, 18:53:23
(This post was last modified: 2012-03-19, 18:53:41 by vsky.)
tested0002 Wrote:
Code:
location /data/users/ {
    deny all;
}
does its job perfectly.
Do note that this will only protect your user files. All other XML data will still be available.
Posts: 149
Threads: 12
Joined: Dec 2009
2012-03-19, 18:53:38
(This post was last modified: 2012-03-19, 19:24:37 by alex.drag.)
@tested0002 sample config updated to:
Code:
# this blocks direct access to XML files (except sitemap.xml) - they hold all the data
location ~* \.xml$ { deny all; }
location = /sitemap.xml { allow all; }
Since in the original Apache .htaccess there is a deny for all XML files, I think it's better to stick with that rule.
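
An added example, not part of any post in this thread: a simplified Python model of how nginx chooses a location (exact match first, then the longest prefix, with regex locations checked in config order before a plain prefix is used), run over the two configurations posted above. The `location /` catch-all and the `/data/placeholder/example.xml` path are constructed assumptions, and the model ignores nested locations and URI normalization.

```python
import re

def select_location(locations, uri):
    """Return the action of the location nginx would pick for uri.

    locations: (modifier, pattern, action) tuples in config order;
    modifier is "", "=", "^~", "~" or "~*".
    """
    best = None  # longest matching prefix location seen so far
    for mod, pat, action in locations:
        if mod == "=" and uri == pat:
            return action  # an exact match ends the search immediately
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    if best and best[0] == "^~":
        return best[2]  # a ^~ prefix suppresses the regex pass
    for mod, pat, action in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return action  # first matching regex in config order wins
    return best[2] if best else None

# Both configs include an assumed catch-all "location /" that serves files.
PREFIX_ONLY = [("", "/", "serve"), ("", "/data/users/", "deny")]
XML_RULE = [
    ("", "/", "serve"),
    ("~*", r"\.xml$", "deny"),
    ("=", "/sitemap.xml", "serve"),
]

# Constructed request paths; only /data/users/admin.xml is named in the thread.
URIS = [
    "/data/users/admin.xml",
    "/data/placeholder/example.xml",
    "/data/placeholder/EXAMPLE.XML",
    "/sitemap.xml",
    "/index.php",
]

def audit(locations):
    """Map each sample URI to the action the config applies to it."""
    return {uri: select_location(locations, uri) for uri in URIS}

if __name__ == "__main__":
    for name, conf in (("prefix only", PREFIX_ONLY), ("xml rule", XML_RULE)):
        print(name, audit(conf))
```

The prefix-only config denies just the user file, while the regex rule denies every `.xml` path regardless of case and the exact-match location keeps `/sitemap.xml` reachable.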