(dorf) Defender Hardener - Prevent Information Disclosure nginx cpanel

Hello,

In Hub I'm prompted to add a few lines of code to my nginx-config, but I can't find the appropriate config-file-location:

"For NGINX servers:

Copy the generated code into your site specific .conf file usually located in a subdirectory under /etc/nginx/... or /usr/local/nginx/conf/...
Add the code above inside the server section in the file, right before the php location block. Looks something like:
location ~ \.php$ {
Reload NGINX.
"

I have root-access to the server and use cpnginx.com. I found only this file:
/usr/local/nginx/conf/vhost.d/ledorf.de.conf

but with no such line:

location ~ \.php$ {

Where exactly can I find the config-files that your plugin wants me to manipulate?

Thank you and kind regards,
Sascha

    Rupok

    Hi Sascha,

    So sorry to hear about the inconvenience you are having. cpnginx documentation says your configuration files will be found here: /usr/local/nginx/conf/
    Source: https://cpnginx.com/documentation/administration.php

    However, if you don't find the appropriate file there, we can try looking for it on your server. But for doing that, we will need SSH root access to your server. Can you send me a message with the SSH access credentials through our secure contact form here: https://premium.wpmudev.org/contact/#i-have-a-different-question

    Subject: "Attn: Rupok"
    - SSH root Username
    - SSH root Password
    - Server IP
    - Link back to this thread for reference
    - Any other relevant URLs

    The subject line ensures that it gets assigned to me.

    We will jump in after you send us these credentials. I'm looking forward to hearing from you and resolving this issue as soon as possible.

    Have a nice day. Cheers!
    Rupok

    Rupok

    Hi Sascha,

    Thanks for sending me the SSH login credentials. I logged into your site and checked your current configuration files. Your configuration looks customized and I could not find the php location directive for your site in your nginx configuration files. But I've seen a line which made me think that probably your server is using both apache and nginx, I'm not sure, though.
    # Run Static file directly from nginx

    From the cpnginx documentation, I found that there are three modes:

    Cpnginx provides three modes of nginx service. This comes with the default nginx installation. You can choose the default nginx mode of operation from Preferences → Settings tab. See below the meaning of these modes

    Hybrid = Static files will work from nginx and dynamic files work from apache. Some .htaccess rules don't work
    Proxy = Nginx works as a proxy server in front of apache. .htaccess rules work
    Nginx = Nginx works as stand alone. All files will serve from nginx. Multi php fpm only works with this nginx mode unless you need to build a custom nginx template. .htaccess rules don't work

    I'm not sure if your setup is in Nginx mode or Hybrid mode.

    Can you please talk to your host regarding this and ask them about where you can find the php location directive? If they can't, can you please contact cpnginx support for this info? I believe, they can help you best.

    Please let us know what they say about this. If there is anything from our end, we will be glad to do that for you.

    Have a nice day. Cheers!
    Rupok
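Added example (not part of the thread, and not Defender or cpnginx code): one way to find which included file holds a PHP location block, or a `proxy_pass` that hands requests to a backend, is to scan the full configuration that `nginx -T` dumps. The sample dump below, with its domains, paths under vhost.d and ports, is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an `nginx -T` dump on stdin;
# nginx prints "# configuration file <path>:" before each included file.
find_php_handlers() {
    awk '
        /^# configuration file .*:$/ {
            file = $0
            sub(/^# configuration file /, "", file)
            sub(/:$/, "", file)
            line = 0
            next
        }
        { line++ }
        /^[ \t]*#/ { next }   # ignore commented-out directives
        /location[ \t].*\.php/ { printf "%s:%d: php-location\n", file, line }
        /proxy_pass[ \t]/      { printf "%s:%d: proxy_pass\n", file, line }
    '
}

# Constructed sample of `nginx -T` output (not taken from a real server).
sample_dump() {
    cat <<'EOF'
# configuration file /usr/local/nginx/conf/nginx.conf:
http {
    include vhost.d/*.conf;
}

# configuration file /usr/local/nginx/conf/vhost.d/example.com.conf:
server {
    server_name example.com;
    # Run Static file directly from nginx
    location ~* \.(css|js|png)$ { root /home/example/public_html; }
    location / { proxy_pass http://127.0.0.1:8080; }
}

# configuration file /usr/local/nginx/conf/vhost.d/example.org.conf:
server {
    server_name example.org;
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
}
EOF
}

# On a server (as root): nginx -T 2>/dev/null | find_php_handlers
sample_dump | find_php_handlers
```

A vhost that reports only `proxy_pass` and no `php-location` has no PHP block to place rules in front of, which is what the first post describes.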

    Nithin

    Hey sushling,

    Hope you are doing good today.

    all sites are setup to use cpnginx in hybrid mode, so what exactly should I ask the cpnginx-support?

    You'll have to ask cpnginx support where you can find the PHP location directive on your server.

    But before asking that, since you did mention that it's Hybrid, could you please try adding the following rules for Prevent Information Disclosure to your .htaccess file and check whether it works? The .htaccess file is located in your root directory, i.e. where the /wp-content, /wp-includes and /wp-admin folders reside. If the file isn't present, please create a new file.

    ## WP Defender - Prevent information disclosure ##
    Options -Indexes
    <FilesMatch "\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    <Files robots.txt>
    Allow from all
    </Files>
    ## WP Defender - End ##

    Since the support access is disabled, I didn't make the mentioned changes. Please do let us know whether adding the rules in .htaccess works, if not, please get in touch with cpnginx-support, and let us know how that goes, have a nice day.

    Best Regards,
    Nithin
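Added example (not part of the thread and not Defender's own code): a check that the rules above are actually enforced for every listed extension, whichever server ends up answering the request. It assumes you have placed a harmless probe file per extension (for example probe.txt, probe.sql) in the web root of your own site; the probe name and the `check_disclosure` helper are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the "Prevent information disclosure" rules are
# enforced, whichever server (nginx or Apache) ends up serving the file.
# Extension list copied from the FilesMatch rule in the post above.
BLOCKED_EXTS="txt md exe sh bak inc pot po mo log sql"

# Return the HTTP status code for a URL (curl prints it via -w).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# check_disclosure BASE_URL PROBE_NAME
# PROBE_NAME is the base name of the probe files you created yourself,
# one per extension; the name is an assumption of this example.
check_disclosure() {
    base=${1%/}; probe=$2; failures=0
    for ext in $BLOCKED_EXTS; do
        code=$(http_status "$base/$probe.$ext")
        if [ "$code" != "403" ]; then
            echo "NOT BLOCKED ($code): /$probe.$ext"
            failures=$((failures + 1))
        fi
    done
    # robots.txt is explicitly allowed by the <Files robots.txt> section.
    code=$(http_status "$base/robots.txt")
    if [ "$code" = "403" ]; then
        echo "robots.txt unexpectedly blocked"
        failures=$((failures + 1))
    fi
    echo "failures=$failures"
    [ "$failures" -eq 0 ]
}

# Usage on your own site: check_disclosure https://example.com probe
```

Remove the probe files once the check reports `failures=0`.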

    Nithin

    Hey sushling,

    Hope you are doing good today.

    Why don't you just implement it into Defender?

    Glad to know that it's working. It should work in Defender out of the box; however, depending on the server configuration, Defender might not be able to recognize such a setup in every use case. In that case, we'll have to manually apply such rules in .htaccess. Is your website running on Plesk?

    I'll definitely bring this to the developer's attention, so that he will be able to take a closer look and, if possible, implement this in a future release.

    Kind Regards,
    Nithin