• Resolved OviLiz

    (@ovib)


    Hi guys,
    I’m using a server managed through ServerPilot.io that is installing Apache + Nginx as reverse proxy, PHP-FPM and PHP7.

    What I should choose when proceeding with the Ninja Firewall installation?
    Apache+PHP7 doesn’t work.

    I have proceed with the Apache+CGI with .user.ini but then I’m going to have this alert “User session – It seems the user session was not set by the firewall script or may have been destroyed by another plugin. You may get blocked by the firewall while working from the WordPress administration dashboard.“, similar to what reported here https://www.ads-software.com/support/topic/user-session-1?replies=19

    PS. I’m using Wordfence too.

    https://www.ads-software.com/plugins/ninjafirewall/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter OviLiz

    (@ovib)

    Following the other thread, the PHP script result is:

    Starting session.
    Checking “nfw_goodguy” session flag: ERROR: not found.

    Also:

    session.cache_expire 180 180
    session.gc_maxlifetime 1440 1440
    session.use_cookies on on
    session.save_handler files files
    session.save_path /srv/users/myuser/tmp/myapp idem
    session.cookie_domain no value

    I don’t have any caching plugin (Wordfence’s caching function is not enabled).

    My Overview:

    Firewall Enabled
    PHP SAPI FPM-FCGI (7.0.1)
    Version 1.8.3 (security rules: 2015-12-21.1)
    Admin user cristian (you are whitelisted by the firewall)
    User session It seems the user session was not set by the firewall script or may have been destroyed by another plugin. You may get blocked by the firewall while working from the WordPress administration dashboard.
    Optional configuration file /srv/users/myuser/apps/myapp/.htninja

    .htninja content:

    <?php
    /*
     +===================================================================+
     | NinjaFirewall optional configuration file                         |
     |                                                                   |
     | See: https://nintechnet.com/ninjafirewall/wp-edition/help/?htninja |
     +===================================================================+
    */
    
    // To tell NinjaFirewall where you moved your WP config file,
    // use the '$wp_config' variable :
    $wp_config = '/srv/users/myuser/apps/myapp/wp-config.php';
    
    // To change NinjaFirewall's log and cache folder
    // use the 'NFW_LOG_DIR' constant (no trailing slash needed) :
    define('NFW_LOG_DIR', '/srv/users/mysuer/apps/myapp/NFW');
    
    $ip_array = array( 'MY IP' );
    if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
       return 'ALLOW'; // whitelist
    }
    
    if ( $_SERVER["REMOTE_ADDR"] == '91.200.12.139' ) {
       return 'BLOCK'; // reject it
    }

    Thread Starter OviLiz

    (@ovib)

    I have set to DENY the X-Frame-Options to protect against clickjacking attempts but I’m still able to load the pages into an iframe from a different server.

    If I’m just editing the .htaccess and adding Header append X-FRAME-OPTIONS DENY is working fine.

    Where are the Firewall Policies rules supposed to be registered?

    Plugin Author nintechnet

    (@nintechnet)

    Apache+PHP7 doesn’t work.

    It does works.
    See this discussion, and that one too (not resolved yet).

    If you have Nginx as a reverse proxy, you need to make sure it will forward the correct headers.
    PHP is very picky about session: if a session is started from ‘domain.tld’, it won’t work for ‘www.domain.tld’ or any other subdomain, But, in your case, it looks like you may have a different domain name used for the backend (‘localhost’ or whatever). You will probably need to check the ‘proxy_pass_header’, ‘proxy_cookie_domain’ or similar directives in your Nginx configuration.

    Regarding, X-Frame-Options, simply telnet to your site and check if you see it in the HTTP headers:

    $ telnet yourwebsite.com 80

    Type:

    HEAD / HTTP/1.1
    Host: yourwebsite.com

    Press twice the ‘Enter’ key.
    You should get something similar to this:

    HTTP/1.1 200 OK
    Date: Tue, 22 Dec 2015 12:40:33 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Set-Cookie: xxxxxxxxxxxxxxxx
    X-Frame-Options: DENY

    Here too, you must ensure your proxy will forward the HTTP headers.

    Thread Starter OviLiz

    (@ovib)

    Hi nintechnet, thanks for your reply. I’m gonna to read it later.

    Just forgot to mention that I’m using HTTPS and redirect HTTP to it.

    Thread Starter OviLiz

    (@ovib)

    I’m not saying Ninja Firewall doesn’t work with PHP7, is just that in my case I cannot use Apache+PHP7 when installing NF.
    The code is being added correctly to my .htaccess (Your configuration was saved.):

    <IfModule mod_php7.c>
       php_value auto_prepend_file /srv/users/myuser/apps/myapp/public/wp-content/plugins/ninjafirewall/lib/firewall.php
    </IfModule>

    But when testing, Error: the firewall is not loaded. and I cannot find any log about what the issue may be.

    But I guess is because appears like ServerPilot is not using mod_php when configuring the server, https://www.digitalocean.com/community/questions/wordpress-one-click-or-server-pilot
    This is why I mentioned ServerPilot.io , they are applying a specific configuration that is working only on Ubuntu 14.04 LTS, where I can even switch with one click from PHP 5.4 to 5.5, 5.6 or 7 and downgrade as well.

    The phpinfo says that my Server API is FPM/FastCGI which is not listed in the Ninja Firewall install options.

    Plugin Author nintechnet

    (@nintechnet)

    They suggest “.user.ini”, which is normally the right choice since PHP 5.3: https://serverpilot.io/community/articles/how-to-change-php-settings.html

    During the installation, you can select “Nginx + CGI/FastCGI”, and then .user.ini.
    It may take a few minutes before PHP detects the .user.ini (up to 5 minutes by default).

    Thread Starter OviLiz

    (@ovib)

    Thank you, actually using “Nginx + CGI/FastCGI” doesn’t show any alert.

    Still can’t figure out why the clickjacking protection doesn’t appear to work (and that’s something simple to test – even by using https://www.lookout.net/test/clickjack.html ).

    If I’m using the .htaccess it does the job, but not using NF setting. Any idea?

    Thread Starter OviLiz

    (@ovib)

    I spoke too earlier, the “It seems the user session was not set by the firewall script or may have been destroyed by another plugin. You may get blocked by the firewall while working from the WordPress administration dashboard.” is back without any new action.

    So, looks like using “Apache + CGI/FastCGI” and .user.ini is same as “Nginx + CGI/FastCGI” and .user.ini as doesn’t change anything related with my problem.

    Thread Starter OviLiz

    (@ovib)

    I have disabled Wordfence and disabled and deleted NinjaFirewall. With Wordfence disabled, I have installed back NinjaFirewall and activated. Even after that the issue is still there so is not related with Wordfence.

    Also using either PHP 7.0.1, 5.6.16 or even 5.4.45, doesn’t change anything.

    Plugin Author nintechnet

    (@nintechnet)

    A plugin or theme could be wrongly altering/deleting the session.
    You would need to scan your PHP scripts (at least plugins and themes) to see if one of them is using sessions. Search for “session_destroy”, “session_id”, “session_start”.

    Regarding headers, go to “Firewall Policies” and enable “Set X-Content-Type-Options to protect against MIME type confusion attacks”, “Set X-Frame-Options to protect against clickjacking attempts”, and “Set X-XSS-Protection to enable browser’s built-in XSS filter” options.
    Then go to https://headers.cloxy.net/, enter your website and check the returned HTTP headers if you see “X-Content-Type-Options”, “X-Frame-Options” and “X-XSS-Protection”.

    In my case doesn’t work, I just enter any option and I stay in the same page, like a bucle.

    Plugin Author nintechnet

    (@nintechnet)

    @doublet: you would need to ask your host if you can you use the PHP “auto_prepend_file” directive in the “.user.ini” file.

    https://serverpilot.io/community/articles/how-to-change-php-settings.html
    https://serverpilot.io/community/articles/customize-php-settings.html

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘ServerPilot.io servers’ is closed to new replies.