Applicable to:
- SolusVM
Question
With the latest SolusVM installer, the Nginx web server is shipped by default instead of lighttpd. How can the same extra security features be applied to the svmstack-nginx service as for lighttpd?
Answer
IP Filtering
- Connect to the master server via SSH
- Create the additional configuration file in the /usr/local/svmstack/nginx/conf/services/ directory:
# touch /usr/local/svmstack/nginx/conf/services/blockip.conf
- Set up the list of allowed/denied IP addresses. Here is an example:
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
Check the Nginx documentation portal for more information.
- (Optional) Set up nginx config to allow Let's Encrypt certificate installation:
  - Edit /usr/local/svmstack/nginx/conf/services/legacy-master.conf
  - In the server { listen 80; [...] } block, add allow all; before the closing curly brace. The block for port 80 should look like this:
server {
    listen 80;
    server_name localhost;
    root /usr/local/solusvm/www/.verification;
    index index.html;
    error_page 404 /index.html;
    allow all;
}
- (Optional) If the WHMCS module is used, or SolusVM graphs are otherwise accessed via the API, the /graphs directory should be excluded from the IP restriction. Open the file /usr/local/svmstack/nginx/conf/services/custom/legacy-master-after-php-location-443.conf and add the following:
location /graphs {
    allow all;
}
- Restart the service to apply the changes:
# systemctl restart svmstack-nginx.service
OR
# /etc/init.d/svmstack-nginx restart
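The allow/deny list in blockip.conf is order-sensitive: nginx checks the rules in sequence and stops at the first match. The Python script below is an added example, not part of SolusVM or nginx; it models that evaluation for the sample rule list so a rule set can be checked before the service is restarted. The function names are hypothetical and only IP, CIDR and "all" targets are handled.

```python
import ipaddress

# Rule list copied from the blockip.conf example above.
BLOCKIP_CONF = """
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
"""

def parse_rules(text):
    """Return [(action, network)] in file order; network None means 'all'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.rstrip(";").split()
        if not line.endswith(";") or len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"unsupported or unterminated directive: {raw!r}")
        # strict=False accepts 10.1.1.0/16, which has host bits set (10.1.0.0/16).
        net = None if parts[1] == "all" else ipaddress.ip_network(parts[1], strict=False)
        rules.append((parts[0], net))
    return rules

def decide(rules, client):
    """Rules are checked in order and the first match wins; no match means allow."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"

def shadowed(rules):
    """1-based positions of rules that an earlier, broader rule makes unreachable."""
    dead = []
    for pos, (_, later) in enumerate(rules, start=1):
        for _, earlier in rules[:pos - 1]:
            if earlier is None or (later is not None and later.version == earlier.version
                                   and later.subnet_of(earlier)):
                dead.append(pos)
                break
    return dead

if __name__ == "__main__":
    rules = parse_rules(BLOCKIP_CONF)
    for ip in ("192.168.1.1", "192.168.1.50", "10.1.200.7", "2001:db8::1", "203.0.113.5"):
        print(f"{ip:15} -> {decide(rules, ip)}")
    print("unreachable rules:", shadowed(rules))
```

If the first two rules were swapped, the deny for 192.168.1.1 would never be reached; shadowed() reports such positions.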
Additional authentication for AdminCP area
- Connect to the master server via SSH
- Create a file that will contain login/password pairs:
# touch /usr/local/svmstack/nginx/.htpasswd
- Add a login and password pair. Replace solusvmadmin with the required login name. Do not forget the ":" delimiter at the end of the login name:
# sh -c "echo -n 'solusvmadmin:' >> /usr/local/svmstack/nginx/.htpasswd"
# sh -c "openssl passwd -apr1 >> /usr/local/svmstack/nginx/.htpasswd"
- Create a backup of the /usr/local/svmstack/nginx/conf/services/legacy-master.conf file:
# cp -a /usr/local/svmstack/nginx/conf/services/legacy-master.conf /root/
- Customize the file and add the following directive to the end of the "server" sections for ports 5656 and 443:
location ^~ /admincp/ {
    auth_basic "Restricted Content";
    auth_basic_user_file /usr/local/svmstack/nginx/.htpasswd;
    location ~ \.php$ {
        include services/custom/legacy-master-inside-php-location-443.conf;
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_read_timeout 3600;
        fastcgi_pass unix:/usr/local/svmstack/fpm/socket/web.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_param HTTPS $https;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
- After that, restart the service to apply the changes:
# systemctl restart svmstack-nginx.service
OR
# /etc/init.d/svmstack-nginx restart