Re: httpd and Wordpress

2017-06-10 Thread R0me0 ***
+1
WordPress must be installed on the desired path. If you are moving from a
previous scheme like site/wordpress to wordpress, you have a problem. Refer
to the WordPress manual and you will find how to fix it. The best bet is like
Todd said: deploy again.


2017-06-10 20:56 GMT-03:00 Todd <norr...@gmail.com>:

> What is in your httpd error log?
> My guess is that WP is trying to pull some content from /wordpress which no
> longer exists since you moved the docroot.
>
> My suggestion for having your WP site available without going to the
> /wordpress URL is to redeploy the WordPress files to /var/www/html instead
> of /var/www/html/wordpress.
> Or add a 301 redirect from / to /wordpress
>
> On Sat, Jun 10, 2017 at 2:32 PM, Jan Betlach <jbetl...@gmail.com> wrote:
>
> > Hi guys,
> >
> > I have a small problem with httpd and Wordpress.
> > When I go to https://myipaddress I get "Access denied". If I go to
> > https://myipaddress/wordpress, everything works as expected.
> > I have tried to change the appropriate line in the httpd.conf to:
> > root "/htdocs/wordpress". In that case the webpage is loaded, but in the
> > "broken" form.
> >
> > My current httpd.conf:
> >
> > # $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
> > # Macros
> > ext_addr="*"
> > # Global Options
> > # prefork 3
> > # Servers
> > # A minimal default server
> > server "default" {
> > listen on $ext_addr port 80
> > listen on $ext_addr tls port 443 block return 301 "https://
> > $SERVER_NAME$REQUEST_URI"
> > tls {
> > key "/etc/ssl/private/server.key"
> > certificate "/etc/ssl/server.crt"
> > }
> > directory {
> > no auto index, index "index.php"
> > }
> > location "*.php" {
> > fastcgi socket "/run/php-fpm.sock"
> > }
> > root "/htdocs"
> > }
> > # Include MIME types instead of the built-in ones
> > types {
> > include "/usr/share/misc/mime.types"
> > }
> >
> >
> > Any ideas where I am making a mistake?
> >
> > Thank you
> >
> > Jan
> >
>


Re: httpd and Wordpress

2017-06-10 Thread ilyes aiouaz - google mail
Hi,

# Set a correct root path
root "/htdocs/wordpress"

# You can set max upload size to 513 M (in bytes)
connection max request body 537919488

# You can protect files and dir
location "/.*" { block }
location "/upload/*.php" { block }
location "/files/*.php" { block }

# For any other PHP file
location "/*.php*" {
fastcgi socket "/run/php-fpm.sock"
}


Ilyes Aiouaz

On 11/06/2017 at 00:56, Todd wrote:
> What is in your httpd error log?
> My guess is that WP is trying to pull some content from /wordpress which no
> longer exists since you moved the docroot.
>
> My suggestion for having your WP site available without going to the
> /wordpress URL is to redeploy the WordPress files to /var/www/html instead
> of /var/www/html/wordpress.
> Or add a 301 redirect from / to /wordpress
>
> On Sat, Jun 10, 2017 at 2:32 PM, Jan Betlach <jbetl...@gmail.com> wrote:
>
>> Hi guys,
>>
>> I have a small problem with httpd and Wordpress.
>> When I go to https://myipaddress I get "Access denied". If I go to
>> https://myipaddress/wordpress, everything works as expected.
>> I have tried to change the appropriate line in the httpd.conf to:
>> root "/htdocs/wordpress". In that case the webpage is loaded, but in the
>> "broken" form.
>>
>> My current httpd.conf:
>>
>> # $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
>> # Macros
>> ext_addr="*"
>> # Global Options
>> # prefork 3
>> # Servers
>> # A minimal default server
>> server "default" {
>> listen on $ext_addr port 80
>> listen on $ext_addr tls port 443 block return 301 "https://
>> $SERVER_NAME$REQUEST_URI"
>> tls {
>> key "/etc/ssl/private/server.key"
>> certificate "/etc/ssl/server.crt"
>> }
>> directory {
>> no auto index, index "index.php"
>> }
>> location "*.php" {
>> fastcgi socket "/run/php-fpm.sock"
>> }
>> root "/htdocs"
>> }
>> # Include MIME types instead of the built-in ones
>> types {
>> include "/usr/share/misc/mime.types"
>> }
>>
>>
>> Any ideas where I am making a mistake?
>>
>> Thank you
>>
>> Jan
>>





Re: httpd and Wordpress

2017-06-10 Thread Todd
What is in your httpd error log?
My guess is that WP is trying to pull some content from /wordpress which no
longer exists since you moved the docroot.

My suggestion for having your WP site available without going to the
/wordpress URL is to redeploy the WordPress files to /var/www/html instead
of /var/www/html/wordpress.
Or add a 301 redirect from / to /wordpress

On Sat, Jun 10, 2017 at 2:32 PM, Jan Betlach <jbetl...@gmail.com> wrote:

> Hi guys,
>
> I have a small problem with httpd and Wordpress.
> When I go to https://myipaddress I get "Access denied". If I go to
> https://myipaddress/wordpress, everything works as expected.
> I have tried to change the appropriate line in the httpd.conf to:
> root "/htdocs/wordpress". In that case the webpage is loaded, but in the
> "broken" form.
>
> My current httpd.conf:
>
> # $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
> # Macros
> ext_addr="*"
> # Global Options
> # prefork 3
> # Servers
> # A minimal default server
> server "default" {
> listen on $ext_addr port 80
> listen on $ext_addr tls port 443 block return 301 "https://
> $SERVER_NAME$REQUEST_URI"
> tls {
> key "/etc/ssl/private/server.key"
> certificate "/etc/ssl/server.crt"
> }
> directory {
> no auto index, index "index.php"
> }
> location "*.php" {
> fastcgi socket "/run/php-fpm.sock"
> }
> root "/htdocs"
> }
> # Include MIME types instead of the built-in ones
> types {
> include "/usr/share/misc/mime.types"
> }
>
>
> Any ideas where I am making a mistake?
>
> Thank you
>
> Jan
>


httpd and Wordpress

2017-06-10 Thread Jan Betlach
Hi guys,

I have a small problem with httpd and Wordpress.
When I go to https://myipaddress I get "Access denied". If I go to
https://myipaddress/wordpress, everything works as expected.
I have tried to change the appropriate line in the httpd.conf to:
root "/htdocs/wordpress". In that case the webpage is loaded, but in the
"broken" form.

My current httpd.conf:

# $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
# Macros
ext_addr="*"
# Global Options
# prefork 3
# Servers
# A minimal default server
server "default" {
listen on $ext_addr port 80
listen on $ext_addr tls port 443 block return 301 "https://
$SERVER_NAME$REQUEST_URI"
tls {
key "/etc/ssl/private/server.key"
certificate "/etc/ssl/server.crt"
}
directory {
no auto index, index "index.php"
}
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
root "/htdocs"
}
# Include MIME types instead of the built-in ones
types {
include "/usr/share/misc/mime.types"
}


Any ideas where I am making a mistake?

Thank you

Jan


Re: httpd and wordpress

2017-06-04 Thread Ax0n
A very select few security-focused plugins are worth keeping around, like
WordFence. Every plugin, theme and add-on is additional attack surface, and
some popular plugins and themes have a horrifying track record with regard
to security. WordPress core has gotten a lot better recently, but there are
still some whopper vulnerabilities disclosed on occasion.

For most people, I recommend giving it lenient enough file permissions that
it can automatically apply its own updates. The most severe WP
vulnerabilities are Remote Code [Inclusion|Execution]. Disallowing _www
write access to the document root isn't going to save you from those, but
allowing write access and enabling automatic updates means critical patches
are applied faster than you'd normally be able to do it yourself.

I have experimented in my development environment with a "split
installation" where two different virtual hosts entries serve WP from two
different document roots but are pointed to the same database: A full-blown
normal install on 127.0.0.1 that you access through something such as an
SSH dynamic proxy, then a copied, locked-down install on the public IP
address. The locked-down install doesn't even have wp-admin, and uses
database credentials that are limited to SELECT queries only. This took a
lot of extra work to keep maintained, and updates applied to, and obviously
things like user-login and comments won't work on the public-facing site.
I'm not convinced this experiment is worth the hassle, because if you're
that paranoid, you're likely already looking at static-site generators and
getting away from WP by any means possible.

On Sun, Jun 4, 2017 at 4:34 PM, flipchan  wrote:

> Delete ALL readme and don't install plugins
>
> On June 3, 2017 9:52:13 PM GMT+02:00, Markus Rosjat 
> wrote:
> >Hi there,
> >
> >
> >well if it would be up to me I would skip wordpress for good but well
> >it's not my decision.
> >
> >So I was wondering if there is some recommendations on what to block in
> >
> >the httpd.conf and what file permissions to use.
> >
> >For now I have:
> >
> >- like wordpress suggest 0755 on dirs and 0644 on files
> >
> >- wp-config.php setting to 0400 is not going to work at all I need at
> >least a 0644 or nothing shows up
> >
> >- in http.conf I blocked /wp_content , /wp-content /uploads/*.php,
> >/wp-includes, /wp-includes/*.php and /wp-admin
> >
> >
> >so if there is something I can do further to harden things just let me
> >know :)
> >
> >
> >advice is most appreciated
> >
> >
> >Regards
> >
> >
> >--
> >Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
> >
> >G+H Webservice GbR Gorzolla, Herrmann
> >Königsbrücker Str. 70, 01099 Dresden
> >
> >http://www.ghweb.de
> >fon: +49 351 8107220   fax: +49 351 8107227
> >
> >Please check whether this mail really needs to be printed!
> >Before you print it, think about your responsibility and commitment to
> >the ENVIRONMENT
>
> --
> Take Care Sincerely flipchan layerprox dev


Re: httpd and wordpress

2017-06-04 Thread flipchan
Delete ALL readme and don't install plugins

On June 3, 2017 9:52:13 PM GMT+02:00, Markus Rosjat  wrote:
>Hi there,
>
>
>well if it would be up to me I would skip wordpress for good but well 
>it's not my decision.
>
>So I was wondering if there is some recommendations on what to block in
>
>the httpd.conf and what file permissions to use.
>
>For now I have:
>
>- like wordpress suggest 0755 on dirs and 0644 on files
>
>- wp-config.php setting to 0400 is not going to work at all I need at 
>least a 0644 or nothing shows up
>
>- in http.conf I blocked /wp_content , /wp-content /uploads/*.php, 
>/wp-includes, /wp-includes/*.php and /wp-admin
>
>
>so if there is something I can do further to harden things just let me 
>know :)
>
>
>advice is most appreciated
>
>
>Regards
>
>
>-- 
>Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
>G+H Webservice GbR Gorzolla, Herrmann
>Königsbrücker Str. 70, 01099 Dresden
>
>http://www.ghweb.de
>fon: +49 351 8107220   fax: +49 351 8107227
>
>Please check whether this mail really needs to be printed!
>Before you print it, think about your responsibility and commitment to
>the ENVIRONMENT

-- 
Take Care Sincerely flipchan layerprox dev

Re: httpd and wordpress

2017-06-03 Thread Fred

On 06/03/17 20:52, Markus Rosjat wrote:

> Hi there,
>
> well if it would be up to me I would skip wordpress for good but well
> it's not my decision.
>
> So I was wondering if there is some recommendations on what to block in
> the httpd.conf and what file permissions to use.
>
> For now I have:
>
> - like wordpress suggest 0755 on dirs and 0644 on files
>
> - wp-config.php setting to 0400 is not going to work at all I need at
> least a 0644 or nothing shows up
>
> - in http.conf I blocked /wp_content , /wp-content /uploads/*.php,
> /wp-includes, /wp-includes/*.php and /wp-admin
>
> so if there is something I can do further to harden things just let me
> know :)
>
> advice is most appreciated
>
> Regards




Running WPScan[1] against your WordPress installation can be useful to 
check that your WordPress install isn't too full of holes.


Cheers

Fred

[1]https://github.com/wpscanteam/wpscan



httpd and wordpress

2017-06-03 Thread Markus Rosjat

Hi there,


well if it would be up to me I would skip wordpress for good but well 
it's not my decision.


So I was wondering if there is some recommendations on what to block in 
the httpd.conf and what file permissions to use.


For now I have:

- like wordpress suggest 0755 on dirs and 0644 on files

- wp-config.php setting to 0400 is not going to work at all I need at 
least a 0644 or nothing shows up


- in http.conf I blocked /wp_content , /wp-content /uploads/*.php, 
/wp-includes, /wp-includes/*.php and /wp-admin



so if there is something I can do further to harden things just let me 
know :)



advice is most appreciated


Regards


--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you
print it, think about your responsibility and commitment to the ENVIRONMENT
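
The items raised in this thread (0755/0644 modes, PHP files under uploads, readme files, the mode of wp-config.php) can be checked with a read-only script. This is an added example, not code from any poster; the function names, finding labels and the constructed demo tree are assumptions, as is the 0640-with-group suggestion in the comment.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress tree. Prints one finding per
# line; returns 1 if there are findings, 0 if clean, 2 on a bad argument.

wp_audit() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    out=$(
        # Anything group- or world-writable is wider than 0755 / 0644.
        find "$root" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) \
            -exec echo "TOO_WRITABLE" {} \; || true
        # PHP files where uploads land should not exist, blocked or not.
        if [ -d "$root/wp-content/uploads" ]; then
            find "$root/wp-content/uploads" -type f -name '*.php' \
                -exec echo "PHP_IN_UPLOADS" {} \; || true
        fi
        # readme files disclose installed core, plugin and theme versions.
        find "$root" -type f -iname 'readme*' -exec echo "README" {} \; || true
        # wp-config.php holds the DB password; flag it if "other" can read it.
        # Assumption: mode 0640 with the PHP-FPM user's group on the file
        # lets PHP read it without making it world-readable.
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" -perm -004 \
                -exec echo "CONFIG_WORLD_READABLE" {} \; || true
        fi
    )
    if [ -z "$out" ]; then return 0; fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample tree so the audit can be tried without a real install.
wp_audit_demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/wp-content/uploads/2017" "$d/wp-content/plugins/x"
    for f in index.php wp-config.php readme.html \
             wp-content/uploads/2017/a.jpg wp-content/uploads/2017/x.php \
             wp-content/plugins/x/README.txt; do
        : > "$d/$f"
    done
    find "$d" -type d -exec chmod 0755 {} \;
    find "$d" -type f -exec chmod 0644 {} \;
    chmod 0666 "$d/wp-content/uploads/2017/a.jpg"   # deliberately too wide
    rc=0
    wp_audit "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

After sourcing the file, `wp_audit_demo` shows the five findings for the constructed tree, and `wp_audit <docroot>` audits a real one without modifying it.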



Re: Using "Pretty" permalinks with httpd in wordpress

2017-01-09 Thread Gregory Edigarov

On 06.01.17 15:42, Atanas Vladimirov wrote:

> On 06.01.2017 13:35, Jiri B wrote:
>
>> On Fri, Jan 06, 2017 at 01:32:10PM +0200, Atanas Vladimirov wrote:
>>
>>> Hi,
>>>
>>> I can't figure it out.
>>> Is it possible to use Wordpress with OpenBSD httpd and configure both
>>> for "Pretty" permalinks.
>>> Does anyone have a working setup?
>>> Thanks for your time,
>>> Atanas
>>
>> Help testing this diff
>> http://marc.info/?l=openbsd-tech&m=148370177214134&w=2
>>
>> j.
>
> I know about the diff and I'm testing it right now.
> The problem is that I really don't know what to put in
> httpd.conf.
> I try to "translate" Wordpress .htaccess with no luck:
>
> # BEGIN WordPress
>
> RewriteEngine On
> RewriteBase /
> RewriteRule ^index\.php$ - [L]
> ^^^ this rule doesn't rewrite index.php
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule . /index.php [L]
> ^^^ this rule rewrites any single character to /index.php
> if %{REQUEST_FILENAME} is not a real file or directory
>
> # END WordPress
>
> Do I read/understand the .htaccess file correctly?
> In my httpd.conf:
> .
> # art-katerina.com
> server "art-katerina.com" {
> listen on * tls port 443
> alias www.art-katerina.com
> directory index index.php
> root "/domains/art-katerina.com/"
> hsts
> log {
> access "art-katerina-access.log",
> error "art-katerina-error.log",
> style combined
> }
> location "/.well-known/acme-challenge/*" {
> root "/acme"
> root strip 2
> }
> tls {
> certificate "/etc/ssl/acme/art-katerina.com/fullchain.pem"
> key "/etc/ssl/acme/private/art-katerina.com/privkey.pem"
> }
> location "*.php" {
> fastcgi socket "/run/php-fpm.sock"
> }
> location match "(.)" {
> pass rewrite "/index.php"
> fastcgi socket "/run/php-fpm.sock"
> }

You seem to be wrong here. location match "(.)" means exactly
_ONE_ single character. Maybe you mean location match "(.+)"

> .




Re: Using "Pretty" permalinks with httpd in wordpress

2017-01-06 Thread Ax0n
This was my hack.
http://www.h-i-r.net/2016/04/pretty-wordpress-permalinks-under.html

tl;dr:
1) ln -s index.php posts
2) null out "security.limit_extensions" in the php_fpm config, restart FPM.
Beware the potential abuses of this.
3) Set up an explicit location clause for "/posts*" that uses the fastcgi
socket for FPM.
4) Configure wordpress permalinks with a custom structure that includes
/posts


On Fri, Jan 6, 2017 at 7:42 AM, Atanas Vladimirov <vl...@bsdbg.net> wrote:

> On 06.01.2017 13:35, Jiri B wrote:
>
>> On Fri, Jan 06, 2017 at 01:32:10PM +0200, Atanas Vladimirov wrote:
>>
>>> Hi,
>>>
>>> I can't figure it out.
>>> Is it possible to use Wordpress with OpenBSD httpd and configure both
>>> for "Pretty" permalinks.
>>> Does anyone have a working setup?
>>> Thanks for your time,
>>> Atanas
>>>
>>
>> Help testing this diff http://marc.info/?l=openbsd-tech&m=148370177214134&w=2
>>
>> j.
>>
> I know about the diff and I'm testing it right now.
> The problem is that I really don't know what to put in
> httpd.conf.
> I try to "translate" Wordpress .htaccess with no luck:
>
> # BEGIN WordPress
> 
> RewriteEngine On
> RewriteBase /
> RewriteRule ^index\.php$ - [L]
> ^^^ this rule doesn't rewrite index.php
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteRule . /index.php [L]
> ^^^ this rule rewrites any single character to /index.php
> if %{REQUEST_FILENAME} is not a real file or directory
> 
> # END WordPress
>
> Do I read/understand the .htaccess file correctly?
> In my httpd.conf:
> .
> # art-katerina.com
> server "art-katerina.com" {
> listen on * tls port 443
> alias www.art-katerina.com
> directory index index.php
> root "/domains/art-katerina.com/"
> hsts
> log {
> access "art-katerina-access.log",
> error "art-katerina-error.log",
> style combined
> }
> location "/.well-known/acme-challenge/*" {
> root "/acme"
> root strip 2
> }
> tls {
> certificate "/etc/ssl/acme/art-katerina.com/fullchain.pem"
> key "/etc/ssl/acme/private/art-katerina.com/privkey.pem"
> }
> location "*.php" {
> fastcgi socket "/run/php-fpm.sock"
> }
> location match "(.)" {
> pass rewrite "/index.php"
> fastcgi socket "/run/php-fpm.sock"
> }
> .
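
A read-only check for the two parts of the workaround summarized above that widen what PHP-FPM will execute: an emptied `security.limit_extensions` and extension-less symlinks to PHP scripts. This is an added example, not code from the post or the linked article; the function names and the constructed pool file and document root in the demo are assumptions.

```shell
#!/bin/sh
# Added example: inspect a PHP-FPM pool file and a document root, read-only.

# Effective security.limit_extensions (lines starting with ";" are comments).
fpm_limit_extensions() {
    awk -F= '
        /^[ \t]*security\.limit_extensions[ \t]*=/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); seen = 1
        }
        END {
            if (!seen)        print "DEFAULT"   # php-fpm then allows only .php
            else if (v == "") print "EMPTY"     # any file name is accepted
            else              print v
        }' "$1"
}

# Symlinks without a .php suffix that point at a .php script (root-relative).
php_aliases() {
    find "$1" -type l ! -name '*.php' | while read -r link; do
        target=$(readlink "$link")
        case $target in
            *.php) echo "${link#"$1"/} -> $target" ;;
        esac
    done
}

# usage: permalink_hack_audit POOL_CONF DOCROOT ; returns 1 if the list is empty
permalink_hack_audit() {
    limit=$(fpm_limit_extensions "$1")
    aliases=$(php_aliases "$2")
    echo "limit_extensions: $limit"
    if [ -n "$aliases" ]; then
        printf '%s\n' "$aliases" | sed 's/^/alias: /'
    fi
    # With an empty list FPM runs whatever file httpd hands it, so every
    # fastcgi location in httpd.conf is a place to review.
    if [ "$limit" = EMPTY ]; then return 1; fi
    return 0
}

# Constructed sample: a pool file with the setting nulled and a "posts" link.
permalink_hack_demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '; constructed pool file' '[www]' \
        ';security.limit_extensions = .php' \
        'security.limit_extensions =' > "$d/www.conf"
    mkdir "$d/htdocs"
    : > "$d/htdocs/index.php"
    ln -s index.php "$d/htdocs/posts"
    rc=0
    permalink_hack_audit "$d/www.conf" "$d/htdocs" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```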



Re: Using "Pretty" permalinks with httpd in wordpress

2017-01-06 Thread Atanas Vladimirov

On 06.01.2017 13:35, Jiri B wrote:

> On Fri, Jan 06, 2017 at 01:32:10PM +0200, Atanas Vladimirov wrote:
>
>> Hi,
>>
>> I can't figure it out.
>> Is it possible to use Wordpress with OpenBSD httpd and configure both
>> for "Pretty" permalinks.
>> Does anyone have a working setup?
>> Thanks for your time,
>> Atanas
>
> Help testing this diff
> http://marc.info/?l=openbsd-tech&m=148370177214134&w=2
>
> j.

I know about the diff and I'm testing it right now.
The problem is that I really don't know what to put in
httpd.conf.
I try to "translate" Wordpress .htaccess with no luck:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
^^^ this rule doesn't rewrite index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
^^^ this rule rewrites any single character to /index.php
if %{REQUEST_FILENAME} is not a real file or directory

# END WordPress

Do I read/understand the .htaccess file correctly?
In my httpd.conf:
.
# art-katerina.com
server "art-katerina.com" {
listen on * tls port 443
alias www.art-katerina.com
directory index index.php
root "/domains/art-katerina.com/"
hsts
log {
access "art-katerina-access.log",
error "art-katerina-error.log",
style combined
}
location "/.well-known/acme-challenge/*" {
root "/acme"
root strip 2
}
tls {
certificate "/etc/ssl/acme/art-katerina.com/fullchain.pem"
key "/etc/ssl/acme/private/art-katerina.com/privkey.pem"
}
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
location match "(.)" {
pass rewrite "/index.php"
fastcgi socket "/run/php-fpm.sock"
}
.



Re: Using "Pretty" permalinks with httpd in wordpress

2017-01-06 Thread Jiri B
On Fri, Jan 06, 2017 at 01:32:10PM +0200, Atanas Vladimirov wrote:
> Hi,
> 
> I can't figure it out.
> Is it possible to use Wordpress with OpenBSD httpd and configure both
> for "Pretty" permalinks.
> Does anyone have a working setup?
> Thanks for your time,
> Atanas

Help testing this diff http://marc.info/?l=openbsd-tech&m=148370177214134&w=2

j.



Using "Pretty" permalinks with httpd in wordpress

2017-01-06 Thread Atanas Vladimirov

Hi,

I can't figure it out.
Is it possible to use Wordpress with OpenBSD httpd and configure both
for "Pretty" permalinks.
Does anyone have a working setup?
Thanks for your time,
Atanas