Plesk Onyx Server Nginx setup

5 years 4 weeks ago #182251 by marcgold
Replied by marcgold on topic Plesk Onyx Server Nginx setup
Thanks everyone and support for all your help. I have now fixed the issue and am sharing the answers.

This is specifically for servers running Plesk Onyx 17.8. It may work with other versions, and the below may help steer others in case they run into similar issues.

Plesk manages its nginx.conf configurations internally. If you attempt to change anything, Plesk will just rewrite the file back.

So firstly, the correct place to put this is in the Advanced Nginx Directive under the correct webspace in Plesk Onyx.

The syntax that I had in that file was incorrect - you can view it above.

The correct syntax does not need the location / directive.
Then the important part that handles the rewrites site-wide is:

try_files $uri $uri/ /index.php?q=$uri&$args;

But this alone does not fix the problem that the display response & display as PDF links in Show results give a 404 error. To fix this, add the following directly under the try_files directive.

if (!-e $request_filename){
        rewrite ^(.*)$ /index.php;
}


So the full syntax adding the additional security elements / converted apache .htaccess reads:

try_files $uri $uri/ /index.php?q=$uri&$args;
if (!-e $request_filename){
        rewrite ^(.*)$ /index.php;
}

location ~ ^/(protected|framework|themes/\w+/views) {
        deny all;
}

location ~ 403 {
        rewrite ^(.*)$ ^/(?!\.well-known/)(.*/)?\.+ redirect;
}

location ~ /\.well-known {
}

location ~ ^/(.*/)?\.+ {
        return 403;
}


Marc
Limesurvey 3.16.1, Plesk Onyx 17.8, Nginx
The following user(s) said Thank You: DenisChenu
The topic has been locked.
5 years 4 weeks ago - 5 years 4 weeks ago #182255 by DenisChenu
Replied by DenisChenu on topic Plesk Onyx Server Nginx setup
Great!

Needs an improvement: github.com/LimeSurvey/LimeSurvey/blob/ma...ad/surveys/.htaccess ;)

I try with
Code:
location ~ ^/master/upload/surveys/.*/fu_[a-z0-9]*$ {
                deny all;
        }

Else: protected must be replaced by application for LimeSurvey.


Since I'm on local (no .well-known needed) in a subdirectory:
This seems to work
Code:
location /master/ {
        index index.html index.htm index.php;
        try_files $uri $uri/ /index.php?r=$uri&$args;
        if (!-e $request_filename){
                rewrite ^(.*)$ /master/index.php;
        }
        location ~ ^/master/(application|framework|themes/\w+/views) {
                deny all;
        }
        location ~ ^/master/upload/surveys/.*/fu_[a-z0-9]*$ {
                deny all;
        }
        location ~ ^/master/(.*/)?\.+ {
                return 403;
        }
    }
I use r for uri since the default route param is r. It works too with q; I don't know exactly why.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
Last edit: 5 years 4 weeks ago by DenisChenu. Reason: Fix part for fu_ part
5 years 4 weeks ago - 5 years 4 weeks ago #182259 by DenisChenu
Replied by DenisChenu on topic Plesk Onyx Server Nginx setup
Another fix for autogenerated .htaccess in surveys/
Code:
location /master/ {
        index index.html index.htm index.php;
        try_files $uri $uri/ /index.php?r=$uri&$args;
        if (!-e $request_filename){
                rewrite ^(.*)$ /master/index.php;
        }
        location ~ ^/master/(application|docs|framework|themes/\w+/views) {
                deny all;
        }
        location ~ ^/master/upload/surveys/.*/fu_[a-z0-9]*$ {
                return 444;
        }
        location ~ ^/master/(.*/)?\.+ {
                return 403;
        }
        location ~* /master/upload/.*\.(pl|cgi|py|pyc|pyo|phtml|sh|lua|php|php3|php4|php5|php6|pcgi|pcgi3|pcgi4|pcgi5|pcgi6|icn)$
        {
                return 444;
        }
    }
Since I think it must be disabled for all upload types: survey or theme or anything.

Throw a 444: httpstatusdogs.com/444-no-response? But it can be a 403 too.

Edit: I think we must disable direct access to some third_party tools too
(and personally: I think direct access to plugins must be disabled: plugins must use asset manager).

Last edit: 5 years 4 weeks ago by DenisChenu.
The following user(s) said Thank You: marcgold
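
The regex locations in the /master/ block posted above can be checked offline before they go into a live vhost. This is an added example, not code from the thread: it applies nginx's first-match-wins rule for regex locations to that block, the request paths are constructed, and normalize() is a simplified stand-in for nginx's URI normalization.

```python
import re
from urllib.parse import unquote

# Regex locations of the /master/ block posted above, in config order.
# nginx checks regex locations in order of appearance and stops at the first
# match; "~" is case-sensitive, "~*" is case-insensitive. "deny all" -> 403.
RULES = [
    ("~", r"^/master/(application|docs|framework|themes/\w+/views)", "403"),
    ("~", r"^/master/upload/surveys/.*/fu_[a-z0-9]*$", "444"),
    ("~", r"^/master/(.*/)?\.+", "403"),
    ("~*", r"/master/upload/.*\.(pl|cgi|py|pyc|pyo|phtml|sh|lua|php|php3|php4"
           r"|php5|php6|pcgi|pcgi3|pcgi4|pcgi5|pcgi6|icn)$", "444"),
]
COMPILED = [(re.compile(p, re.I if m == "~*" else 0), a) for m, p, a in RULES]

def normalize(request_target):
    """Assumption: only query stripping, %XX decoding and slash merging
    are modelled; nginx also resolves "." and ".." path components."""
    path = unquote(request_target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def decide(request_target):
    """Status of the first matching regex location, or 'pass' when the
    request falls through to try_files / index.php."""
    path = normalize(request_target)
    for regex, action in COMPILED:
        if regex.search(path):
            return action
    return "pass"

# Constructed sample requests (not taken from a real server log).
SAMPLES = [
    "/master/index.php?r=admin/authentication/sa/login",
    "/master/application/config/config.php",
    "/master/%61pplication/config/config.php",
    "/master/upload/surveys/123456/files/fu_ab12cd34",
    "/master/upload/themes/survey/custom/files/shell.PHP",
    "/master/upload/surveys/123456/files/.hidden.php",
    "/master/upload/surveys/123456/.htaccess",
]

def report():
    return {uri: decide(uri) for uri in SAMPLES}

if __name__ == "__main__":
    for uri, action in report().items():
        print(f"{action:>4}  {uri}")
```

The dotfile location sits before the script-extension location, so a hidden script under upload/ is answered with 403 rather than 444; either way it is not served.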
5 years 4 weeks ago #182300 by jelo
Replied by jelo on topic Plesk Onyx Server Nginx setup
Is there a bugticket about this improvement? About redirections htaccess and .users and NGINX.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
5 years 4 weeks ago #182301 by marcgold
Replied by marcgold on topic Plesk Onyx Server Nginx setup

jelo wrote: Is there a bugticket about this improvement? About redirections htaccess and .users and NGINX.


Hi Jelo,
I didn't raise it in Bugtracker, but I did raise a support ticket. It's not really a LimeSurvey bug; it's more about the configuration of the specific server, hence why DenisChenu and I have documented it here as a pointer to others that have issues.

Mine is now working beautifully :)

Marc
The following user(s) said Thank You: DenisChenu
5 years 4 weeks ago #182304 by DenisChenu
Replied by DenisChenu on topic Plesk Onyx Server Nginx setup

jelo wrote: Is there a bugticket about this improvement? About redirections htaccess and .users and NGINX.

Can be only a "documentation" issue, since we can't fix it in LimeSurvey code.

If you find a good place ?
Unsure
manual.limesurvey.org/Not_categorized_and_advanced_features
manual.limesurvey.org/General_FAQ
manual.limesurvey.org/General_FAQ#How_ca...to_get_a_shorter_URL is outdated.

@marcgold : did you check with other part for security ? fu_ and (php|cgi…) ?

5 years 4 weeks ago #182305 by marcgold
Replied by marcgold on topic Plesk Onyx Server Nginx setup

DenisChenu wrote:

jelo wrote: Is there a bugticket about this improvement? About redirections htaccess and .users and NGINX.

Can be only a "documentation" issue, since we can't fix it in LimeSurvey code.

If you find a good place ?
Unsure
manual.limesurvey.org/Not_categorized_and_advanced_features
manual.limesurvey.org/General_FAQ
manual.limesurvey.org/General_FAQ#How_ca...to_get_a_shorter_URL is outdated.

@marcgold : did you check with other part for security ? fu_ and (php|cgi…) ?


Good idea @DenisChenu - I will add it to bugtracker and hope the team will add it to the documentation.

I have added in all the changes you suggested and all working well.
5 years 4 weeks ago #182306 by jelo
Replied by jelo on topic Plesk Onyx Server Nginx setup

DenisChenu wrote: Can be only a "documentation" issue, since we can't fix it in LimeSurvey code.

The issue is about what is shipped as default htaccess and other help files (user and nginx to add) with the core distribution.

Later the installchecker / sitehealth checker could then inform about missing redirections too.
bugs.limesurvey.org/view.php?id=14643

5 years 4 weeks ago - 5 years 4 weeks ago #182351 by DenisChenu
Replied by DenisChenu on topic Plesk Onyx Server Nginx setup

jelo wrote:

DenisChenu wrote: Can be only a "documentation" issue, since we can't fix it in LimeSurvey code.

The issue is about what is shipped as default htaccess and other help files (user and nginx to add) with the core distribution.

htaccess files are inside the LimeSurvey directory.
nginx configuration is totally outside …

Adding some tests for
1. Testing if fu_ files can be read
2. Testing if a cgi/php file can be executed in upload
seems to be a good idea.

Update bugs.limesurvey.org/view.php?id=14621#c51163

Last edit: 5 years 4 weeks ago by DenisChenu.