Blog Documentation Book a Demo
Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Dashboard has gone haywire after enabling RewriteUrls

errorioerrorio New
edited March 2015 in Vanilla 2.0 - 2.8

I've freshly installed Vanilla 2.1.9 and imported data from an SMF2 forum. Shortly after doing so, the dashboard has become almost unusable.

Parts of the dashboard are being rendered multiple times, and after a few seconds some items are no longer clickable and eventually Chrome gives up with an Aw, snap! page.

Before the page dies, it looks a lot like this:

http://i.imgur.com/OOYsmWl.png

Other changes I have made:

I created a User role as the imported data did not have such a role
I set Garden.RewriteUrls to TRUE

When I turned off RewriteUrls again, the dashboard went back to normal. So I'm pretty sure I've misconfigured something in my nginx configuration.

That is currently:

server {
    listen 80;
    listen [::]:80;
    server_name vanilla;

    access_log /var/log/nginx/vanilla-access.log main;
    error_log /var/log/nginx/vanilla-error.log;

    root /srv/www/vanilla;

    index index.php;

    try_files $uri $uri/ /index.php?p=$request_uri;

    error_page  404              /404.html;
    location = /404.html {
        root   /usr/share/nginx/html;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;
        include fastcgi_params;
    }
}
Tagged:

Answers

  • errorioerrorio New

    This seems to be fixed now, and it was a trivial change:

        try_files $uri $uri/ /index.php?p=$request_uri;

    to:

        try_files $uri $uri/ /index.php?p=$uri;
  • x00x00 MVP
    edited March 2015

    @errorio

    You should really put you try_files in a location. Also you can afford to be more discerning what php file are allowed to run.

    Some conversion use additional physical files for redirects, but vanilla only needs index.php to be requested directly. Single entry point, single dispatcher.

    I know now the trend is to not use physical redirecst, and there is a plugin which handles virtual locations for converted forums, in which case you can only allow the single entry point.

    put error_page declarations at the top of the config after server_name, leave their locations where they are.

    grep is your friend.

  • AnonymooseAnonymoose ✭✭
    edited March 2015

    @x00 said:
    Some conversion use additional physical files for redirects, but vanilla only needs index.php to be requested directly. Single entry point, single dispatcher.

    Wouldn't it make sense to put the 'backend' portion of Vanilla outside of front-facing directories, like currently? Or is this not possible because of the way php handles things?

  • x00x00 MVP

    @Anonymoose said:
    Wouldn't it make sense to put the 'backend' portion of Vanilla outside of front-facing directories, like currently? Or is this not possible because of the way php handles things?

    it is technically possible and there is are frameworks that sort of work like that. However vanilla is self contained/portable, and that idea a bit advanced for the average user, and makes updates more complicated.

    The same effect can be made with server rules, and more explicitly.

    grep is your friend.

  • errorioerrorio New

    After finding a few things in the dashboard that didn't work, I eventually wound up with:

    try_files $uri $uri/ /index.php?p=$uri&$args;

    I would love to see an actual debugged working secure nginx configuration for Vanilla that is current and supported. The Internet is full of crap and you can't trust most of what you read out there.

  • x00x00 MVP

    you should use

        # forum location
    location / {
        try_files $uri $uri/ @forum;
    }

    location @forum {
        rewrite ^(.+)$ /index.php?p=$1 last;
    }

    # protect uploads directory
    location ~* /uploads/.*\.(html|htm|shtml|php)$ {
        types { }
        default_type text/plain;
    }



    # Keep nosy people from deciphering categories by number
    location ~* /categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$ {
        return 404;
    }

    # Deny, drop, or internal locations
    location ~ /\. { access_log off; log_not_found off; deny all; }
    location ~ ~$ { access_log off; log_not_found off; deny all; }
    location = /robots.txt { access_log off; log_not_found off; }
    location ^~ favicon { access_log off; log_not_found off; }
    location ^~ /conf/ { internal; }


    # Taking advantage of browser caching
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|eot|woff|ttf|svg)$ {
        expires max;
        log_not_found off;
    }

    put the php handler before this.

    Are you using any other framework, did you convert from another forum? It is possible to make sure the handler only passes, to /index.php and any select scripts you need direct access to.

    grep is your friend.

Sign In or Register to comment.