Hi forumers,
I'm trying to set a configuration up for DW but I'm going mad with the
regexps:(
My starter is the conf file found on the nginx wiki, but modified not to
point DW to the server root:
server {
    server_name wiki.domain.tld;
    ### root /var/www/dokuwiki;
    root /var/www;
    location /dokuwiki {
        index doku.php;
        try_files $uri $uri/ @dokuwiki;
    }
bla bla bla
And here I'm stuck.
Original dirs exclusion:
location ~ /(data|conf|bin|inc)/ {
    deny all;
}
Of course, this won't work w/ my changes, and I'm totally unable to find
the right syntax to exclude these dirs from this conf (made many
unsuccessful tests:(
In my mind it _should_ be: "location ~/dokuwiki/(data|conf|bin|inc)/"
but it don't work, sniff.
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,228124,228124#msg-228124
on 2012-06-30 03:33
on 2012-06-30 14:13
On Fri, Jun 29, 2012 at 09:32:21PM -0400, Jiff wrote:

Hi there,

I don't know dokuwiki, so this is all untested, but...

> Original dirs exclusion:
> location ~ /(data|conf|bin|inc)/ {
> deny all;
> }
>
> Of course, this won't work w/ my changes,

...why "of course"?

The original example wanted to block access to /data/ and
/something/data/; you now want to block access to /dokuwiki/data/ and
/dokuwiki/something/data/. This location block will match all of those
(depending on what else is in your config file).

> In my mind it _should_ be: "location ~/dokuwiki/(data|conf|bin|inc)/"

That looks to me like it should also work...

> but it don't work, sniff.

...so there is something else going on.

What one url did you access to test this?

What response did you see?

What response did you expect to see?

If you provide your config file, or at least the full list of top-level
location definitions, someone may be able to point out why the second
and third answers differ.

http://nginx.org/r/location

Does the example config in
http://bugs.dokuwiki.org/index.php?do=details&task... provide any
useful hints?

Good luck with it,

f
--
Francis Daly francis@daoine.org
on 2012-06-30 16:26
Hi Francis,

> > Original dirs exclusion:
> > location ~ /(data|conf|bin|inc)/ {
> > deny all;
> > }
> >
> > Of course, this won't work w/ my changes,
>
> ....why "of course"?

I'm cursed w/ IT & electronics: they hate me, I must have pissed off
Murphy in another life :) :(

> > In my mind it _should_ be: "location
> ~/dokuwiki/(data|conf|bin|inc)/"
>
> That looks to me like it should also work...

Yep, I read the docs and found a useful link toward perl regexps, so I
thought this would have worked (I must say I didn't understand it fully:
eg: at this time I don't really know the difference between .* and (.*) ).

> What one url did you access to test this?

conf say: root mydyndnsdom.org
(I've set an authoritative zone for it in the LAN, returning: 192.168.1.50)
I access it by: http://mydyndnsdom.org

> What response did you see?

192.168.1.50 - - [30/Jun/2012:07:37:40 +0200] "GET /dokuwiki/lib/tpl/default/images/button-dw.png HTTP/1.1" 444 0 "http://mydyndnsdom.org/install.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120603 Iceape/2.0.11"

444 is what I intend to use when stable; however, for tests my block is:

location ~ /dokuwiki/(data|conf|bin|inc)/ {
    return 403;
}

> What response did you expect to see?

a 200 one

> If you provide your config file, or at least the
> full list of top-level
> location definitions, someone may be able to point
> out why the second
> and third answers differ.

server_name mydyndnsdom.org;
root /var/www;
listen 80;
index doku.php;

location ~ \.php$ {
    if (!-f $request_filename) { return 403; }
    include fastcgi_params;
    fastcgi_index doku.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # PB: Sometimes a 400 is returned
    # SOLT: http://forum.dokuwiki.org/thread/4855
    fastcgi_pass unix:/var/run/php5-fpm.socket;
}

# Common conf file between HTTP & HTTPS confs
include /etc/nginx/sites-available/mydyndnsdom.org_DOKUWIKI_http_https_COMMON.conf;

======== in COMMON file:

location ~ /dokuwiki/(data|conf|bin|inc)/ {
    return 403;
}

location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires 30d;
    access_log off;
    log_not_found off;
}

location /dokuwiki {
location / {
    index doku.php;
    try_files $uri $uri/ @dokuwiki;
}

location @dokuwiki {
    rewrite ^/dokuwiki/_media/(.*) /lib/exe/fetch.php?media=$1 last;
    rewrite ^/dokuwiki/_detail/(.*) /lib/exe/detail.php?media=$1 last;
    rewrite ^/dokuwiki/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
    rewrite ^/dokuwiki/(.*) /doku.php?id=$1&$args last;
}

> http://nginx.org/r/location

This matches the link I read about regexps.

> Does the example config in
> http://bugs.dokuwiki.org/index.php?do=details&task
> _id=2388 provide any
> useful hints?

Oh, I see; but there's something strange: he only modify one path; but
others nest in the same place, so he logically should have split the
original block in 4 blocks, no? (last post).

> Good luck with it,

Thanks.

This night, I found that the unstable Debian pkg (last version) also fit
into stable branch, so I flipped in it (easier maintenance).

Now, I'm gonna restart and modify my nginx conf+DW according to all
information you gave me.

I'll keep you aware about the issue.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,228124,228145#msg-228145
on 2012-06-30 17:43
On Sat, Jun 30, 2012 at 10:25:41AM -0400, Jiff wrote:

Hi there,

> > > In my mind it _should_ be: "location
> > ~/dokuwiki/(data|conf|bin|inc)/"
> >
> > That looks to me like it should also work...

...for /dokuwiki/data/, but not for /dokuwiki/something/data/ -- the
difference may not matter here.

> (I must say I didn't understand it fully: eg: at this time
> I don't really know the difference between .* and (.*) ).

"perldoc perlre". The short version is: capture.

> > What one url did you access to test this?
>
> conf say: root mydyndnsdom.org
> (I've set an authoritative zone for it in the LAN,
> returning: 192.168.1.50)
> I access it by: http://mydyndnsdom.org

The specific url you tried was
http://mydyndnsdom.org/dokuwiki/lib/tpl/default/im...

> > What response did you see?
>
> 192.168.1.50 - - [30/Jun/2012:07:37:40 +0200] "GET
> /dokuwiki/lib/tpl/default/images/button-dw.png HTTP/1.1" 444 0
> "http://mydyndnsdom.org/install.php" "Mozilla/5.0 (X11; U; Linux i686;
> en-US; rv:1.9.1.16) Gecko/20120603 Iceape/2.0.11"

HTTP 444 is not a standard return code. It is used within nginx as a
"just close the connection" signal. The config you have shown does not
include 444 anywhere that I can see.

> 444 is what I intend to use when stable; however, for
> tests my block is:
> location ~ /dokuwiki/(data|conf|bin|inc)/ {
> return 403;
> }

/dokuwiki/lib/tpl/default/images/button-dw.png does not match this
location, and so this config will not be used.

Also, it looks like you are using http://mydyndnsdom.org/install.php,
not http://mydyndnsdom.org/dokuwiki/install.php, as the starting point.
Is that expected?

> > What response did you expect to see?
>
> a 200 one

According to the config you posted,
/dokuwiki/lib/tpl/default/images/button-dw.png should return the content
of the file /var/www/dokuwiki/lib/tpl/default/images/button-dw.png or
else 404.

> location ~ \.php$ {
> location ~ /dokuwiki/(data|conf|bin|inc)/ {
> location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {

That is the one that will match this one request.

> location /dokuwiki {
> location @dokuwiki {

I don't see how the config you posted can lead to the access log you
posted.

Maybe someone else will have better luck. Maybe enabling the debug log
will give more hints to where the problem is.

> > Does the example config in
> > http://bugs.dokuwiki.org/index.php?do=details&task
> > _id=2388 provide any
> > useful hints?
>
> Oh, I see; but there's something strange: he only modify one path;
> but others nest in the same place, so he logically should have
> split the original block in 4 blocks, no? (last post).

Probably not. At that point in that report, they are talking about
"xsendfile" and are learning that nginx is not the same as apache. It's
not directly related to what you are reporting.

All the best,

f
--
Francis Daly francis@daoine.org
on 2012-07-01 06:19
Hi Francis,

Well, I shouldn't work that much ]:-)

In fact there was so much tests, comments, etc that I missed the main
problem: I use 2 files, the 2nd one being common to different servers
in the 1st one; I just didn't see I was referring to an old version :(

Thanks anyway for your patience and hints that helped me to debug that.

Jiff

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,228124,228150#msg-228150
on 2012-07-01 12:12
On Sun, Jul 01, 2012 at 12:01:19AM -0400, Jiff wrote:

Hi there,

> Thanks anyway for your patience and hints that helped me to
> debug that.

That sounds like you've found a working solution -- good work.

All of the (current) search results I see for "nginx dokuwiki" seem to
indicate to me that installing not in root is a problem for people.

When you're happy that what you have does everything it is supposed to,
could you post your config (mentioning version numbers) so that
searchers in a year will be able to take advantage of your work?

This mailing list / forum should be ok; the dokuwiki or nginx
documentation wikis would also be good, if you have access.

Thanks,

f
--
Francis Daly francis@daoine.org
on 2012-07-01 18:41
myserver.org_dokuwiki_http_https_main.conf
==================================
# DOKUWIKI NOT-ON-ROOT MAIN FILE: BROWSE HTTP + DANGEROUS AREAS HTTPS
#====================================================================
# 2012-07-01 - Author: Jean-Yves F. Barbier - lazyvirus<at]gmx{dot)com
# File: myserver.org_dokuwiki_http_https_main.conf
# MOD'OP: Just symlink this file into /etc/nginx/sites-enabled
# Works on Debian squeeze + backports:
# nginx-full 1.2.1-1~dotdeb.0
# php5 5.3.14-1~dotdeb.0
# php5-fpm 5.3.14-1~dotdeb.0
# Works under Debian sid.
# Solutions mostly coming from:
# http://wiki.nginx.org
# http://agentzh.org/misc/nginx/agentzh-nginx-tutori...
# http://blog.slucas.fr/en/oss/dokuwiki-nginx-config
# http://www.dokuwiki.org/install:nginx?s[]=nginx
# http://www.dokuwiki.org/tips:httpslogin#nginx
# With this conf, leave parm 'securecookie' enabled.
# Not tested w/ clean URL (but who cares?)
# CAUTION: MANY TIME WASTED: DW DON'T SET 'useacl' to 1 WHEN INSTALLING,
# WHICH ALLOW TO LOGIN BUT SEND A 'Permission denied' ASA YOU
# MAKE ANY MODIFICATION!
# SOLT: Install, then manually edit /conf/dokuwiki.php to set it to 1.
# NB: You can also redirect sensitive areas to localhost (unencrypted).
#=============================================================================
# HTTP/HTTPS DISCRIMINATOR
# In case of redirection to localhost, comment this line
# (and the one using this VAR in the common file).
map $scheme $php_https { default off; https on; }
#=============================================================================
# HTTP
server {
    listen 80;
    server_name myserver.org;
    root /var/www;
    index index.html index.php doku.php;
    access_log /var/log/nginx/dokuwiki.http.access.log;
    error_log /var/log/nginx/dokuwiki.http.error.log;
    rewrite_log on; # TEST ONLY (logs all rewrites)
    #-------------------------------------------------------------
    # Enforce HTTPS for /log…, /admin…, & /profile…
    if ($args ~ do=(log|admin|profile)) {
        rewrite ^ https://$host$request_uri? redirect;
        # localhost (unencrypted) version
        ### rewrite ^ http://localhost$request_uri? redirect;
    }
    # Common conf file
    include /etc/nginx/sites-available/myserver.org_dokuwiki_http_https_common.conf;
}
#=============================================================================
# HTTPS
server {
    listen 443 ssl;
    server_name myserver.org;
    root /var/www;
    index index.html index.php doku.php;
    ssl_certificate /etc/nginx/SSL/nginx.crt;
    ssl_certificate_key /etc/nginx/SSL/nginx-insecure.key;
    access_log /var/log/nginx/dokuwiki.https.access.log;
    error_log /var/log/nginx/dokuwiki.https.error.log;
    rewrite_log on; # TEST ONLY (log all rewrites)
    #-------------------------------------------------------------
    # CAUTION: DON'T enforce HTTP for normal requests (do=show|^$), this
    # renders any modification in DW worthless!
    # Common conf file
    include /etc/nginx/sites-available/myserver.org_dokuwiki_http_https_common.conf;
}
#=============================================================================
# EOF
myserver.org_dokuwiki_http_https_common.conf
====================================
# DOKUWIKI NOT-ON-ROOT COMMON FILE: BROWSE HTTP + DANGEROUS AREAS HTTPS
#======================================================================
# 2012-07-01 - Author: Jean-Yves F. Barbier - lazyvirus<at]gmx{dot)com
# File: myserver.org_dokuwiki_http_https_common.conf
# As DW is not on the HTTP/S svr root, redirect any root query toward it
# from: http://myserver.org/ to: http://myserver.org/dokuwiki
# (until other services being available).
location = / {
    error_page 403 = http://$host/dokuwiki;
}
#-------------------------------------------------------------
location /dokuwiki {
    try_files $uri $uri/ @dw;
}
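location @dw {
    # Rewrite targets keep the /dokuwiki prefix: root is /var/www, so
    # /doku.php alone would resolve to /var/www/doku.php.
    rewrite ^/dokuwiki/_media/(.*) /dokuwiki/lib/exe/fetch.php?media=$1 last;
    rewrite ^/dokuwiki/_detail/(.*) /dokuwiki/lib/exe/detail.php?media=$1 last;
    rewrite ^/dokuwiki/_export/([^/]+)/(.*) /dokuwiki/doku.php?do=export_$1&id=$2 last;
    rewrite ^/dokuwiki/(.*) /dokuwiki/doku.php?id=$1&$args last;
}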
#-------------------------------------------------------------
# For security reasons (http://www.dokuwiki.org/security) some
# directories must not be reachable from the outside. But a
# 'deny all' isn't a good solution, as it returns a 403 which
# is visible by the client. The solution comes from a nginx
# special extension: the 444 error that returns no information
# to the client and closes its connection. Useful as a deterrent
# for malware as it is silent:)
# NB: keep this block above "location ~ \.php$": regex locations are
# tested in file order and the first match wins, so a .php file under
# these directories would otherwise be handed to PHP-FPM.
location ~ ^/dokuwiki/(bin|conf|data|inc)/ {
    return 444;
}
#-------------------------------------------------------------
location ~ \.php$ {
    if (!-f $request_filename) {
        return 404;
    }
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # Comment the line below if redirecting to localhost (unencrypted)
    fastcgi_param HTTPS $php_https; # DW checks $_SERVER['HTTPS']
    # Gain the TCP/IP overhead: use socket instead
    fastcgi_pass unix:/var/run/php5-fpm.socket;
}
#-------------------------------------------------------------
# Force a long expiration delay on static files
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires 30d;
    access_log off;
    log_not_found off;
}
# This location serves static files
location ~ ^/dokuwiki/lib/ {
    expires 30d;
}
#-------------------------------------------------------------
# As of nginx wiki this should go to /etc/nginx/conf.d/drop.conf,
# but I like to have everything on sight.
# NTS: It is normal not to see the pink icon about
# "data directory not properly secured": this is
# when I can see it that there's something wrong:)
location = /dokuwiki/robots.txt {
    access_log off;
    log_not_found off;
}
location = /dokuwiki/favicon.ico {
    access_log off;
    log_not_found off;
}
# Silently protect all Linux hidden files (but log get attempts)
location ~ /\. {
    return 444;
}
# I spent some time to understand what this block was meant for:
# http://kbeezie.com/view/nginx-configuration-examples/
# This block is mainly for people who use vim, or any other command line
# editor that creates a backup copy of a file being worked on with a file
# name ending in ~.
# Hiding this prevents someone from accessing a backup copy of a file you
# have been working on.
location ~ ~$ {
    access_log off;
    log_not_found off;
    return 444;
}
#=============================================================================
# EOF
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,228124,228155#msg-228155
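
nginx tests regex locations in the order they appear in the file and the first match wins, so the position of the bin/conf/data/inc block relative to `location ~ \.php$` decides whether a .php file inside those directories is refused or handed to PHP-FPM. The following is an added example, not part of the thread: a simplified Python model of nginx location selection (no nesting, no URI normalization) run over the common file's locations in both orders; the labels and probe paths are constructed.

```python
import re

# Locations from the common file in this thread, as (modifier, pattern, label).
# The named location @dw is left out: URI matching never selects it.
ROOT   = ("=",  "/", "root-redirect")
DW     = ("",   "/dokuwiki", "try_files")
PHP    = ("~",  r"\.php$", "php-fpm")
DENY   = ("~",  r"^/dokuwiki/(bin|conf|data|inc)/", "return-444")
STATIC = ("~*", r"\.(js|css|png|jpg|jpeg|gif|ico)$", "static")
LIB    = ("~",  r"^/dokuwiki/lib/", "lib")

PHP_FIRST  = [ROOT, DW, PHP, DENY, STATIC, LIB]   # \.php$ listed before the deny block
DENY_FIRST = [ROOT, DW, DENY, PHP, STATIC, LIB]   # deny block listed first

def pick(locations, uri):
    """Simplified nginx location selection for one server block."""
    path = uri.split("?", 1)[0]              # matching ignores the query string
    best = None
    for mod, pat, label in locations:
        if mod == "=" and path == pat:       # exact match ends the search
            return label
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)     # remember the longest prefix
    if best and best[0] == "^~":             # a ^~ prefix skips the regex pass
        return best[2]
    for mod, pat, label in locations:        # regexes: file order, first match wins
        if mod in ("~", "~*") and re.search(pat, path, re.I if mod == "~*" else 0):
            return label
    return best[2] if best else None

# Constructed probe paths; the .png one is the request discussed in the thread.
PROBES = [
    "/dokuwiki/doku.php?id=start",
    "/dokuwiki/lib/tpl/default/images/button-dw.png",
    "/dokuwiki/data/pages/start.txt",
    "/dokuwiki/data/media/logo.png",
    "/dokuwiki/inc/init.php",
    "/dokuwiki/conf/users.auth.php",
]

def exposed(locations):
    """Probes under bin/conf/data/inc that the deny block does not answer."""
    protected = re.compile(DENY[1])
    return [u for u in PROBES
            if protected.search(u) and pick(locations, u) != "return-444"]

if __name__ == "__main__":
    for name, locs in (("php first", PHP_FIRST), ("deny first", DENY_FIRST)):
        print(name, {u: pick(locs, u) for u in PROBES}, exposed(locs))
```

The same probe list can be replayed with curl against a test instance to confirm that the live server answers the way the model predicts.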