Difference between revisions of "Nginx Directory Access Restriction"
(5 intermediate revisions by 3 users not shown) | |||
Line 9: | Line 9: | ||
<div class="docs-alert-info">The following steps <strong>require root access</strong> to the server running NGINX. If you do not have root, you will need to contact your web hosting provider or server administrator.</div> | <div class="docs-alert-info">The following steps <strong>require root access</strong> to the server running NGINX. If you do not have root, you will need to contact your web hosting provider or server administrator.</div> | ||
− | # | + | # Log in to the web server. |
− | # Locate the Nginx configuration template (see "Locating the Nginx configuration | + | # Locate the Nginx configuration template (see "Locating the Nginx configuration file"). |
− | # Add the deny directive ( | + | # Add the deny directive (see "The Deny Directive") to the server block of your site's configuration. |
− | # Save your changes and restart Nginx | + | # Save your changes and restart Nginx. |
===For cPanel environments=== | ===For cPanel environments=== | ||
− | You can use cPanel's Directory Privacy interface (Home >> cPanel >> Files >> Directory Privacy) to add protection to this directory. | + | You can use cPanel's '''Directory Privacy''' interface ('''Home >> cPanel >> Files >> Directory Privacy''') to add protection to this directory. |
− | <div class="docs-alert-warning"> | + | <div class="docs-alert-warning"> |
+ | cPanel's '''Directory Privacy''' interface ('''Home >> cPanel >> Files >> Directory Privacy''') only supports this process in cPanel & WHM version 84 and later. On a server that runs cPanel & WHM version 82 and earlier, use the non-cPanel environment steps. | ||
+ | </div> | ||
To protect the directory, perform the following steps: | To protect the directory, perform the following steps: | ||
− | #Select the /whmcs/vendor directory in cPanel's Directory Privacy interface (Home >> cPanel >> Files >> Directory Privacy). | + | # Select the <tt>/whmcs/vendor</tt> directory in cPanel's '''Directory Privacy''' interface ('''Home >> cPanel >> Files >> Directory Privacy'''). |
− | #Select the Password protect this directory checkbox. | + | # Select the '''Password protect this directory''' checkbox. |
− | #Enter a display label in the Enter a name for the protected directory text box. <div class="docs-alert-info"> | + | # Enter a display label in the '''Enter a name for the protected directory''' text box. <div class="docs-alert-info"> This name only functions as a label for the directory. Do not confuse it with the directory’s actual name.</div> |
− | #Click | + | #Click '''Save'''. A confirmation message will appear. Click '''Go Back''' to return to the directory's configuration. |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
==The Deny Directive== | ==The Deny Directive== | ||
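Review bot: step 4 on the new side ("Save your changes and restart Nginx.") goes straight from editing to restarting with no syntax check. The page already uses nginx -t further down to locate the configuration file; suggest adding it as an explicit step before the restart, so that a typo in the edited server block is caught while the running configuration is still intact. Minor: the last cPanel step is written "#Click" without the space that the other revised steps now have.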
Line 39: | Line 33: | ||
<pre> | <pre> | ||
server { | server { | ||
− | location ~ /vendor/ { | + | location ^~ /vendor/ { |
deny all; | deny all; | ||
return 403; | return 403; | ||
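Review bot: the switch from "location ~ /vendor/" to "location ^~ /vendor/" narrows what is matched. The old regular expression matched /vendor/ anywhere in the URI, while the ^~ prefix form only matches URIs that begin with /vendor/, so an installation in a subdirectory (the cPanel steps on this page refer to /whmcs/vendor) is not covered by the block as written. Suggest stating that the prefix must include the installation path, for example ^~ /whmcs/vendor/. Also, "return 403;" already ends the request before access rules are evaluated, which makes "deny all;" redundant; keeping one of the two would be clearer.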
Line 47: | Line 41: | ||
</pre> | </pre> | ||
− | <div class="docs-alert-danger"> | + | <div class="docs-alert-danger"> |
+ | You must add this location directive to the top of your server block configuration. | ||
+ | </div> | ||
==Locating the Nginx configuration file== | ==Locating the Nginx configuration file== | ||
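Review bot: the warning on the added line tells the reader to put the location at the top of the server block but gives no reason. Ordering matters for regular-expression locations, which NGINX tries in the order they appear; the ^~ prefix form now used in the example is chosen by longest prefix and skips the regex search, so its position does not change the result. Suggest either explaining this or rewording the warning to require only that the block sits inside the server block that serves WHMCS.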
Line 55: | Line 51: | ||
===cPanel & WHM=== | ===cPanel & WHM=== | ||
The following path is the default location for the Nginx configuration file on cPanel & WHM servers: | The following path is the default location for the Nginx configuration file on cPanel & WHM servers: | ||
+ | |||
<div class="source-cli">/etc/nginx/conf.d/users/<username>.conf</div> | <div class="source-cli">/etc/nginx/conf.d/users/<username>.conf</div> | ||
===Debian & Ubuntu=== | ===Debian & Ubuntu=== | ||
+ | |||
The following path is the most common location: | The following path is the most common location: | ||
+ | |||
<div class="source-cli">/etc/nginx/sites-available/default</div> | <div class="source-cli">/etc/nginx/sites-available/default</div> | ||
− | + | ||
+ | Administrators sometimes set up configuration files for each site individually. In this case, you can often find the configuration files for each domain in the /sites-available directory: | ||
+ | |||
<div class="source-cli">/etc/nginx/sites-available/example.com</div> | <div class="source-cli">/etc/nginx/sites-available/example.com</div> | ||
===None of the above=== | ===None of the above=== | ||
+ | |||
If the configuration file is not found in any of the above locations, at the command prompt, run the following command: | If the configuration file is not found in any of the above locations, at the command prompt, run the following command: | ||
+ | |||
<div class="source-cli">nginx -t</div> | <div class="source-cli">nginx -t</div> | ||
+ | |||
The output should display the current directory path to your server's Nginx configuration file. The output will should resemble the following example: | The output should display the current directory path to your server's Nginx configuration file. The output will should resemble the following example: | ||
+ | |||
<div class="source-cli"> | <div class="source-cli"> | ||
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok<br> | nginx: the configuration file /etc/nginx/nginx.conf syntax is ok<br> | ||
nginx: configuration file /etc/nginx/nginx.conf test is successful | nginx: configuration file /etc/nginx/nginx.conf test is successful | ||
</div> | </div> | ||
+ | |||
To check if the Nginx configuration file contains any include directives, run the following command: | To check if the Nginx configuration file contains any include directives, run the following command: | ||
+ | |||
<div class="source-cli">grep include /etc/nginx/nginx.conf</div> | <div class="source-cli">grep include /etc/nginx/nginx.conf</div> | ||
+ | |||
If the grep command does not return any output, then you can proceed with your changes to the configuration. If the grep command returns any includes, you must check each include file for the server directive. The following grep command output example displays an Nginx configuration file that contains includes: | If the grep command does not return any output, then you can proceed with your changes to the configuration. If the grep command returns any includes, you must check each include file for the server directive. The following grep command output example displays an Nginx configuration file that contains includes: | ||
+ | |||
<div class="source-cli"> | <div class="source-cli"> | ||
include /etc/nginx/modules-enabled/*.conf;<br> | include /etc/nginx/modules-enabled/*.conf;<br> | ||
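Review bot: the new sentence about per-site files points at /sites-available, but the include list shown on this page loads /etc/nginx/sites-enabled/*. A file in sites-available only takes effect if it is also present in sites-enabled, usually as a symlink, so the text should tell the reader to edit the file that sites-enabled refers to. Two smaller points in this region: "The output will should resemble" has a stray word, and the bare path /sites-available would be clearer written in full as /etc/nginx/sites-available.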
Line 86: | Line 95: | ||
==Restarting Nginx== | ==Restarting Nginx== | ||
+ | |||
After making any configuration changes to Nginx, it is necessary to reload the Nginx config. | After making any configuration changes to Nginx, it is necessary to reload the Nginx config. | ||
===cPanel & WHM=== | ===cPanel & WHM=== | ||
+ | |||
Run the following command: | Run the following command: | ||
+ | |||
<div class="source-cli">/usr/local/cpanel/scripts/restartsrv_nginx</div> | <div class="source-cli">/usr/local/cpanel/scripts/restartsrv_nginx</div> | ||
+ | |||
===Other Operating Systems=== | ===Other Operating Systems=== | ||
+ | |||
CentOS 6: | CentOS 6: | ||
<div class="source-cli">/etc/init.d/nginx reload</div> | <div class="source-cli">/etc/init.d/nginx reload</div> | ||
+ | |||
CentOS 7: | CentOS 7: | ||
<div class="source-cli">systemctl reload nginx.service</div> | <div class="source-cli">systemctl reload nginx.service</div> | ||
+ | |||
Debian/Ubuntu: | Debian/Ubuntu: | ||
<div class="source-cli">systemctl reload nginx</div> | <div class="source-cli">systemctl reload nginx</div> |
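Review bot: the heading and the cPanel script name say restart, while the introductory sentence and the other three commands reload. Suggest using one term throughout and stating in the sentence under "Restarting Nginx" that a reload is sufficient for a location change.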
Latest revision as of 20:27, 26 April 2022
This document explains how to add protection for a directory on a server that runs NGINX.
NGINX does not read .htaccess files, so any restrictions set with a .htaccess file will not apply. WHMCS uses a .htaccess file to protect the /vendor/ directory. This directory loses its protection on servers that run NGINX. The guide below demonstrates how to restrict access to this directory.
Restricting Directory Access
For non-cPanel environments
- Log in to the web server.
- Locate the Nginx configuration template (see "Locating the Nginx configuration file").
- Add the deny directive (see "The Deny Directive") to the server block of your site's configuration.
- Save your changes and restart Nginx.
For cPanel environments
You can use cPanel's Directory Privacy interface (Home >> cPanel >> Files >> Directory Privacy) to add protection to this directory.
cPanel's Directory Privacy interface (Home >> cPanel >> Files >> Directory Privacy) only supports this process in cPanel & WHM version 84 and later. On a server that runs cPanel & WHM version 82 and earlier, use the non-cPanel environment steps.
To protect the directory, perform the following steps:
- Select the /whmcs/vendor directory in cPanel's Directory Privacy interface (Home >> cPanel >> Files >> Directory Privacy).
- Select the Password protect this directory checkbox.
- Enter a display label in the Enter a name for the protected directory text box. This name only functions as a label for the directory. Do not confuse it with the directory’s actual name.
- Click Save. A confirmation message will appear. Click Go Back to return to the directory's configuration.
The Deny Directive
server {
    location ^~ /vendor/ {
        deny all;
        return 403;
    }
    ...
}
You must add this location directive to the top of your server block configuration.
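The following added example (not part of the original page, and not WHMCS or NGINX code) is a simplified Python model of how NGINX selects a location. It shows why placement matters for the earlier regex form `~ /vendor/` and what the `^~ /vendor/` prefix form does and does not cover. The PHP handler location and the request paths are constructed assumptions; the `/whmcs/` subdirectory is taken from the cPanel steps above.

```python
import re

def select_location(locations, uri):
    """Simplified model of NGINX location selection for one server block.

    `locations` is a list of (modifier, pattern, label) in file order.
    Nested and named locations are not modelled.
    """
    # 1. An exact (=) match wins immediately.
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label
    # 2. Remember the longest matching prefix location ("" or "^~").
    best = None
    for mod, pat, label in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    # 3. If that prefix carries ^~, regex locations are not consulted.
    if best and best[0] == "^~":
        return best[2]
    # 4. Regex locations are tried in file order; the first match wins.
    for mod, pat, label in locations:
        if mod in ("~", "~*"):
            if re.search(pat, uri, re.IGNORECASE if mod == "~*" else 0):
                return label
    # 5. Otherwise the remembered prefix location is used.
    return best[2] if best else None

# Constructed locations; the PHP handler is an assumption, not from the page.
ROOT = ("", "/", "static")
PHP = ("~", r"\.php$", "php")
REGEX_BELOW_PHP = [ROOT, PHP, ("~", "/vendor/", "deny")]
REGEX_AT_TOP = [("~", "/vendor/", "deny"), PHP, ROOT]
PREFIX_ROOT = [ROOT, PHP, ("^~", "/vendor/", "deny")]
PREFIX_SUBDIR = [ROOT, PHP, ("^~", "/whmcs/vendor/", "deny")]

if __name__ == "__main__":
    # Constructed request paths for a root and a /whmcs/ installation.
    for uri in ("/vendor/lib/file.php", "/whmcs/vendor/lib/file.php"):
        for name in ("REGEX_BELOW_PHP", "REGEX_AT_TOP",
                     "PREFIX_ROOT", "PREFIX_SUBDIR"):
            print(f"{uri:28} {name:16} -> {select_location(globals()[name], uri)}")
```

Any row that ends in php or static rather than deny is a request the block does not stop, so the prefix in the location must match the path your installation is actually served from.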
Locating the Nginx configuration file
Nginx has a very flexible configuration organization. Because of this, your configuration file may be in a number of different places.
cPanel & WHM
The following path is the default location for the Nginx configuration file on cPanel & WHM servers:
/etc/nginx/conf.d/users/<username>.conf
Debian & Ubuntu
The following path is the most common location:
/etc/nginx/sites-available/default
Administrators sometimes set up configuration files for each site individually. In this case, you can often find the configuration files for each domain in the /sites-available directory:
/etc/nginx/sites-available/example.com
None of the above
If the configuration file is not found in any of the above locations, at the command prompt, run the following command:
nginx -t
The output should display the path to your server's Nginx configuration file. The output should resemble the following example:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
To check if the Nginx configuration file contains any include directives, run the following command:
grep include /etc/nginx/nginx.conf
If the grep command does not return any output, then you can proceed with your changes to the configuration. If the grep command returns any includes, you must check each include file for the server directive. The following grep command output example displays an Nginx configuration file that contains includes:
include /etc/nginx/modules-enabled/*.conf;
include /etc/nginx/mime.types;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
If none are found, the `server` block should be in the configuration file that `nginx -t` reported.
If included configuration files are found, it will be necessary to check each of the included files for the `server` directive.
Restarting Nginx
After making any configuration changes to Nginx, it is necessary to reload the Nginx config.
cPanel & WHM
Run the following command:
/usr/local/cpanel/scripts/restartsrv_nginx
Other Operating Systems
CentOS 6:
/etc/init.d/nginx reload
CentOS 7:
systemctl reload nginx.service
Debian/Ubuntu:
systemctl reload nginx