From 370f528e43630b3e3c986e85047bb193567933d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ant=C3=B3nio=20P=2E=20P=2E=20Almeida?=
Date: Fri, 12 Aug 2011 16:48:10 +0100
Subject: [PATCH] * Moved php-fpm status to a geo block setup.
---
 README.md | 4 ++++
 nginx.conf | 14 +++++++++-----
 php_fpm_status_allowed_hosts.conf | 9 +++++++++
 ...m_status.conf => php_fpm_status_vhost.conf | 19 ++++++++++---------
 sites-available/example.com.conf | 15 ++++++++-------
 5 files changed, 40 insertions(+), 21 deletions(-)
 create mode 100644 php_fpm_status_allowed_hosts.conf
 rename php_fpm_status.conf => php_fpm_status_vhost.conf (74%)
diff --git a/README.md b/README.md
index ef31754a..11b24e01 100644
--- a/README.md
+++ b/README.md
@@ -518,6 +518,10 @@ This is strictly a **drupal 6** issue.
 of IP addresses. In the suggested configuration only from localhost and non-routable IPs of the 192.168.1.0 network.
+ The allowed hosts are defined in a geo block in file
+ `php_fpm_status_allowed_hosts.conf`. You should edit the predefined
+ IP addresses to suit your setup.
+
 To enable the status and ping pages uncomment the line in the `example.com.conf` virtual host configuration file.
diff --git a/nginx.conf b/nginx.conf
index 104cbf8d..ceba6101 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -42,14 +42,14 @@ http {
 limit_zone arbeit $binary_remote_addr 1m;
 ## Timeouts.
- client_body_timeout 60;
+ client_body_timeout 60;
 client_header_timeout 60;
 keepalive_timeout 10 10;
 send_timeout 60;
 ## Reset lingering timed out connections. Deflect DDoS.
 reset_timedout_connection on;
-
+
 ## Body size.
 client_max_body_size 10m;
@@ -84,7 +84,7 @@ http {
 ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
-
+
 ## For the filefield_nginx_progress module to work. From the
 ## README. Reserve 1MB under the name 'uploads' to track uploads.
 upload_progress uploads 1m;
@@ -102,9 +102,13 @@ http {
 #include reverse_proxy.conf;
 #include upstream_phpapache.conf;
+ ## Include the php-fpm status allowed hosts configuration block.
+ ## Uncomment to enable if you're running php-fpm.
+ #include php_fpm_status_allowed_hosts.conf;
+
 ## Include blacklist for bad bot and referer blocking.
 include blacklist.conf;
-
- ## Include all vhosts.
+
+ ## Include all vhosts.
 include /etc/nginx/sites-enabled/*;
 }
diff --git a/php_fpm_status_allowed_hosts.conf b/php_fpm_status_allowed_hosts.conf
new file mode 100644
index 00000000..f9cbbc20
--- /dev/null
+++ b/php_fpm_status_allowed_hosts.conf
@@ -0,0 +1,9 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Configuration of php-fpm status and ping pages. Here we define the
+### allowed hosts using the Geo Module. http://wiki.nginx.org/HttpGeoModule
+
+geo $dont_show_fpm_status {
+ default 1;
+ 127.0.0.1 0; # allow on the loopback
+ 192.168.1.0/24 0; # allow on an internal network
+}
diff --git a/php_fpm_status.conf b/php_fpm_status_vhost.conf
similarity index 74%
rename from php_fpm_status.conf
rename to php_fpm_status_vhost.conf
index 891d0118..44625d7d 100644
--- a/php_fpm_status.conf
+++ b/php_fpm_status_vhost.conf
@@ -1,6 +1,7 @@
 # -*- mode: nginx; mode: flyspell-prog; ispell-current-dictionary: american -*-
+
 ### The configuration for the status pages of php-fpm. As described in
-### http://www.php.net/manual/en/install.fpm.configuration.php.
+### http://www.php.net/manual/en/install.fpm.configuration.php.
 ### php-fpm provides a status and a heartbeat page that is served through the web server.
 ### Here's an example configuration for them. 
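Review bot: The new `#include php_fpm_status_allowed_hosts.conf;` is shipped commented out, yet the `if ($dont_show_fpm_status)` checks added to php_fpm_status_vhost.conf (its @@ -10,20 hunk) only work if this http-level geo block is loaded, and the comment above the include does not say that the two includes must be uncommented together. As far as I recall nginx rejects a configuration that references an undefined variable in `if`, so the likely failure is a refused start rather than an exposed status page, but it is still a surprise worth documenting. I would change the comment to `## Required by php_fpm_status_vhost.conf: it defines $dont_show_fpm_status, so uncomment both includes together.` and add the same pointer to the `#include php_fpm_status_vhost.conf;` comment in the sites-available/example.com.conf @@ -94,7 hunk.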
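Review bot: The `geo` block keys on `$remote_addr` unless a `proxy` directive names trusted proxy addresses, so if this nginx is ever placed behind a reverse proxy (nginx.conf carries a commented `#include reverse_proxy.conf;` in the hunk above) the address matched is the proxy's, and a proxy living in 192.168.1.0/24 would open /fpm-status and /ping to every client it forwards. The replaced `allow`/`deny` lists had the same property, so this is not a regression, but this file is where the allow list now lives and should say so. I would add below the header comment `### Matches $remote_addr. Behind a trusted reverse proxy add "proxy <proxy-address>;" here so the X-Forwarded-For address is used only for requests from that proxy; do not widen the ranges to cover the proxy itself.` A note that `1` means deny (`default 1;`) would also help anyone extending the list.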
@@ -10,20 +11,20 @@
 ## allowed. Non authorized access returns a 404 through the error_page
 ## directive.
 location = /fpm-status {
+ if ($dont_show_fpm_status) {
+ return 404;
+ }
+
 fastcgi_pass phpcgi;
- allow 127.0.0.1;
- allow 192.168.1.0/24;
- error_page 403 =404;
- deny all;
 }
 ## The ping page is at /ping and returns the string configured at the php-fpm level.
 ## Also only local network connections (loopback and LAN) are permitted.
 location = /ping {
+ if ($dont_show_fpm_status) {
+ return 404;
+ }
+
 fastcgi_pass phpcgi;
- allow 127.0.0.1;
- allow 192.168.1.0/24;
- error_page 403 =404;
- deny all;
 }
diff --git a/sites-available/example.com.conf b/sites-available/example.com.conf
index ae5add43..1420c57a 100644
--- a/sites-available/example.com.conf
+++ b/sites-available/example.com.conf
@@ -7,6 +7,7 @@ server {
 ## rewriting. See http://wiki.nginx.org/Pitfalls#Server_Name.
 server_name www.example.com;
 rewrite ^ $scheme://example.com$request_uri? permanent;
+
 } # server domain rewrite.
@@ -29,7 +30,7 @@ server {
 if ($bad_referer) {
 return 444;
 }
-
+
 ## Filesystem root of the site and index.
 root /var/www/sites/example.com;
 index index.php;
@@ -80,8 +81,8 @@ server {
 ### the configuration below.
 #################################################################
 #include sites-available/drupal_cron_update.conf;
-
-
+
+
 ## For upload progress to work. From the README of the
 ## filefield_nginx_progress module.
 location ~ (.*)/x-progress-id:(\w*) {
@@ -94,7 +95,7 @@ server {
 ## Including the php-fpm status and ping pages config.
 ## Uncomment to enable if you're running php-fpm.
- #include php_fpm_status.conf;
+ #include php_fpm_status_vhost.conf;
 } # HTTP server
@@ -111,7 +112,7 @@ server {
 ## Keep alive timeout set to a greater value for SSL/TLS.
 keepalive_timeout 75 75;
-
+
 ## Disable all methods besides HEAD, GET and POST.
 if ($request_method !~ ^(GET|HEAD|POST)$ ) {
 return 444; 
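Review bot: The context comment ending in `## allowed. Non authorized access returns a 404 through the error_page` / `## directive.` is now stale: the `error_page 403 =404;` and `deny all;` lines are removed in this hunk and the 404 comes straight from `return 404;` inside the new `if` block; that comment begins above the hunk. I would rewrite its tail as `## allowed. Non authorized access returns a 404 via the $dont_show_fpm_status` / `## geo variable (see php_fpm_status_allowed_hosts.conf).`, and the same wording applies to the /ping comment further down. Using `if` only with `return` is the form the nginx documentation describes as safe, so the control flow itself looks fine; note that the vhost now depends on the geo include in nginx.conf being active.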
@@ -121,7 +122,7 @@ server {
 ## Server certificate and key.
 ssl_certificate /etc/ssl/certs/example-cert.pem;
 ssl_certificate_key /etc/ssl/private/example.key;
-
+
 ## Strict Transport Security header for enhanced security. See
 ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
 ## whichever age you want.
@@ -186,7 +187,7 @@ server {
 ### the configuration below.
 #################################################################
 #include sites-available/drupal_cron_update.conf;
-
+
 ## For upload progress to work. From the README of the
 ## filefield_nginx_progress module.
 location ~ (.*)/x-progress-id:(\w*) {