Persistent custom nginx configuration
-
I would find it very useful if i could enter custom nginx rules (generally or per application), that would survive updates. Is this possible at the time beeing?
-
Generally we try to not expose such internals to the users, as they are inherently hard to test with regards to updates. Often though we can add a feature to "manage" such thing explicitly. What is the use-case for you and what would you like to add?
-
Generally we try to not expose such internals to the users, as they are inherently hard to test with regards to updates. Often though we can add a feature to "manage" such thing explicitly. What is the use-case for you and what would you like to add?
@nebulon See that point. Two use cases are:
WordPress exposes the example.com/xmlrpc.php API per default. We already had several issues where attackers used those APIs to send spam mails from our applications. To fix this issue, either you need to install a plugin that disables the API (however, dose plugins which are available for free are crapy and I dont trust them), or you just disable those requests in the nginx.conf of the application. This is what I did, but through updates those custom lines were deleted.
I would like to restrict the Synapse Admin API to certain IPs.
-
@nebulon See that point. Two use cases are:
WordPress exposes the example.com/xmlrpc.php API per default. We already had several issues where attackers used those APIs to send spam mails from our applications. To fix this issue, either you need to install a plugin that disables the API (however, dose plugins which are available for free are crapy and I dont trust them), or you just disable those requests in the nginx.conf of the application. This is what I did, but through updates those custom lines were deleted.
I would like to restrict the Synapse Admin API to certain IPs.
@opensourced I think the WordPress issue can be solved with a htaccess file instead of doing this on a reverse proxy level https://docs.cloudron.io/apps/wordpress-developer/#htaccess
-
Generally we try to not expose such internals to the users, as they are inherently hard to test with regards to updates. Often though we can add a feature to "manage" such thing explicitly. What is the use-case for you and what would you like to add?
@nebulon Hello, I edited the nginx config manually on the server... to restrict access to chatwoot's super_admin url... but when I change the config in the app, everything added disappears
location ^~ /super_admin { allow 1.2.3.4; deny all; proxy_pass http://CHATWOOT_INTERNAL_INSTANCE_IP:3000; } -
@nebulon Hello, I edited the nginx config manually on the server... to restrict access to chatwoot's super_admin url... but when I change the config in the app, everything added disappears
location ^~ /super_admin { allow 1.2.3.4; deny all; proxy_pass http://CHATWOOT_INTERNAL_INSTANCE_IP:3000; } -
@nebulon See that point. Two use cases are:
WordPress exposes the example.com/xmlrpc.php API per default. We already had several issues where attackers used those APIs to send spam mails from our applications. To fix this issue, either you need to install a plugin that disables the API (however, dose plugins which are available for free are crapy and I dont trust them), or you just disable those requests in the nginx.conf of the application. This is what I did, but through updates those custom lines were deleted.
I would like to restrict the Synapse Admin API to certain IPs.
@opensourced said in Persistent custom nginx configuration:
plugins which are available for free are crapy and I dont trust them
fyi Wordfence is not crappy (imho everyone running WordPress should install it) and would easily sort this for you
