AdminCP Extra Security for nginx web server

Applicable to:

  • SolusVM

Question

With the latest SolusVM installer, the Nginx web server is shipped by default instead of lighttpd. How can the same extra security features be applied to the svmstack-nginx service as for lighttpd?

Answer

IP Filtering

  1. Connect to the master server via SSH
  2. Create the additional configuration file in the /usr/local/svmstack/nginx/conf/services/ directory:

    # touch /usr/local/svmstack/nginx/conf/services/blockip.conf

  3. Set up the list of allowed and denied IP addresses. Here is an example:

    deny 192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny all;

    For more information, see the Nginx documentation portal.

  4. (Optional) Set up nginx config to allow Let's Encrypt certificate installation:
    • Edit /usr/local/svmstack/nginx/conf/services/legacy-master.conf
    • In the block server { listen 80; [...] }, add allow all; before the closing curly brace. The block for port 80 should look like this:

      server {
          listen 80;
          server_name localhost;
          root /usr/local/solusvm/www/.verification;
          index index.html;
          error_page 404 /index.html;
          allow all;
      }

  5. (Optional) If the WHMCS module is used, or SolusVM graphs are otherwise accessed via the API, the /graphs directory should be excluded from the IP restriction. Open the file /usr/local/svmstack/nginx/conf/services/custom/legacy-master-after-php-location-443.conf and add the following:

    location /graphs {
        allow all;
    }

  6. Restart the service to apply the changes:

    # systemctl restart svmstack-nginx.service

    OR

    # /etc/init.d/svmstack-nginx restart

Additional authentication for AdminCP area

  1. Connect to the master server via SSH
  2. Create a file that will contain login/password pairs:

    # touch /usr/local/svmstack/nginx/.htpasswd

  3. Add a login and password pair. Replace solusvmadmin with the required login name. Do not forget the ":" delimiter at the end of the login name:

    # sh -c "echo -n 'solusvmadmin:' >> /usr/local/svmstack/nginx/.htpasswd"

    # sh -c "openssl passwd -apr1 >> /usr/local/svmstack/nginx/.htpasswd"

  4. Create a backup of the /usr/local/svmstack/nginx/conf/services/legacy-master.conf file:

    # cp -a /usr/local/svmstack/nginx/conf/services/legacy-master.conf /root/ 

  5. Edit the file and add the following directive to the end of the "server" sections for ports 5656 and 443:

    location ^~ /admincp/ {
        auth_basic "Restricted Content";
        auth_basic_user_file /usr/local/svmstack/nginx/.htpasswd;
        location ~ \.php$ {
            include services/custom/legacy-master-inside-php-location-443.conf;
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_read_timeout 3600;
            fastcgi_pass unix:/usr/local/svmstack/fpm/socket/web.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_param HTTPS $https;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

  6. After that, restart the service to apply the changes:

    # systemctl restart svmstack-nginx.service

    OR

    # /etc/init.d/svmstack-nginx restart
