SSL Redirection and EasyEngine Nginx security settings


#1

Hi! I’m loving the EasyEngine installation, really. I found it so easy to set up, and the security settings so much better than my previous configuration, that I’ve set up my entire blog with it.

However, I did find a strange conflict between my standard Nginx settings and the EasyEngine default settings. I got around them, but I wanted to know if there were any implications or a better way to deal with it.

Here’s the problem:

I’ve set up my Nginx config for my site to force SSL on the wp-admin and wp-login.php pages. I was able to do this pretty easily with the following code in my /etc/nginx/sites-available/avivroth.com file:

location ~ /wp-(admin|login) {
    return 301 https://$host$request_uri;
}

The problem is that the SSL redirect was not working on wp-login.php, just wp-admin. After playing around, I realized that the problem was that it was being overridden in the /etc/nginx/common/wpcommon.conf that is installed by EasyEngine, specifically the following code to protect against brute force attacks:

location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
    include fastcgi_params;
    fastcgi_pass php;
}

This override happens because = has precedence over any ~ declarations. So my redirect code is ignored for wp-login.php.

To get around this, I created a second wpcommon.conf file, which I called wpcommon-fixed.conf, which was identical except that the brute force attack protection on wp-login.php is commented out. Then in my “server” section for port 80, wpcommon-fixed.conf is included, while in the section for port 443, the standard wpcommon.conf is included (I want the actual login page served over SSL to be protected from brute force attacks after all).

Is this the right approach? I’m asking because there is a big fat warning at the top of wpcommon.conf that reads # DO NOT MODIFIED ALL CHNAGES LOST AFTER UPDATE EasyEngine. So I’m wondering if there is something that is going to be a problem after any future updates to EasyEngine. Is there? Or am I safe?

You can see my original Nginx config file here, and my modified Nginx config file here, so that you can compare. Let me know if you need any more information.

Thanks!
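To show why the exact-match block wins, here is an added Python model of nginx's location selection (not code from EasyEngine or from the post), fed with the two location blocks quoted above and then with the port-80 variant that leaves out the `=` block. The `.php` and `/` locations and the order in which the regex locations are seen are assumptions about the rest of the config.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    modifier: str   # "=" exact, "^~" prefix that skips regexes, "~" regex, "~*" regex (case-insensitive), "" plain prefix
    pattern: str
    action: str     # label for what the block does


def resolve(locations, uri):
    """Simplified nginx location selection for one server block.
    1. An '=' location equal to the URI wins outright.
    2. Otherwise the longest matching prefix is remembered; a '^~' prefix stops regex checks.
    3. Otherwise the first matching regex, in configuration order, wins.
    4. Otherwise the remembered prefix location is used.
    """
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    if best is not None and best.modifier == "^~":
        return best
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    return best


# Constructed from the thread: the redirect from sites-available/avivroth.com and the
# brute-force block from common/wpcommon.conf. The PHP and "/" blocks are assumptions.
REDIRECT = Location("~", r"/wp-(admin|login)", "301 https")
LOGIN_LIMIT = Location("=", "/wp-login.php", "limit_req+fastcgi")
PHP = Location("~", r"\.php$", "fastcgi")
ROOT = Location("", "/", "try_files")

ORIGINAL = [REDIRECT, LOGIN_LIMIT, PHP, ROOT]   # port-80 block including wpcommon.conf
PORT80_FIXED = [REDIRECT, PHP, ROOT]            # port-80 block including wpcommon-fixed.conf


def handler(locations, uri):
    """Name of the action nginx would take for this URI."""
    return resolve(locations, uri).action


if __name__ == "__main__":
    for uri in ("/wp-admin/", "/wp-login.php"):
        print(uri, "original:", handler(ORIGINAL, uri), "| fixed:", handler(PORT80_FIXED, uri))
```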


#2

@avivroth

Glad to know you liked EasyEngine :slight_smile:

You can easily force SSL on wp-admin and wp-login.php without touching EasyEngine.
Just open the wp-config.php file:

vim /var/www/example.com/wp-config.php

and add the following line:

define('FORCE_SSL_ADMIN', true);

So you don't need to change anything in EasyEngine.
Also, it's not good to modify the EasyEngine common files: if in future we/someone discover a bug or security hole in EasyEngine, then in the next release we fix it by overwriting the EasyEngine common files, in which case all your custom changes are lost.


#3

Thank you Mitesh.

Unfortunately, define('FORCE_SSL_ADMIN', true); doesn't seem to force SSL at all with the default config files. This is why I built those fancy nginx config files in the first place. Am I missing something? That is, how should I set up /etc/nginx/sites-available/.com to support SSL forcing?

Thanks!
-Aviv


#4

Hi Mitesh,

I think I figured out how to make it work without messing with any of the EasyEngine config files. It does take a few steps though, and does not involve directly setting define('FORCE_SSL_ADMIN', true); in wp-config.php. It does require the installation of a plugin and some editing of the nginx config file. Here are the steps:

  1. Install EasyEngine, LEMP, and WordPress with EasyEngine default settings.
  2. Open /etc/nginx/sites-available/.com in a text editor.
  3. Copy the ENTIRE server block and paste it at the end of the file, so that you have two identical server blocks.
  4. Inside the *first* server block, add the following line: listen 80;
  5. Inside the *second* server block, add the following 4 lines:
     listen 443;
     ssl on;
     ssl_certificate /etc/ssl/certs/.com.crt; # this should be the path to *your* certificate
     ssl_certificate_key /etc/ssl/private/.com.key; # this should be the path to *your* private key
  6. Save the file and exit the text editor.
  7. Restart nginx and PHP: sudo service nginx restart && sudo service php5-fpm restart
  8. Install and activate the WordPress SSL plugin.
  9. Go to wp-admin.
  10. At the bottom of the settings choices on the left, under "Settings", there should be "HTTPS". Click on that.
  11. Check "Force SSL Administration".
  12. Click the "Save Changes" button.
  13. Navigating to wp-admin or wp-login should now force SSL. If it doesn't, try rebooting.

This causes the desired behavior (force SSL on wp-admin and wp-login, and regular HTTP on everything else), without touching the EasyEngine config files.

Hope that this helps!
-Aviv


#5

I’ve updated my blog post on this here.


#6

Hi @avivroth,

Glad to know you have figured out a solution, and thanks for posting the article.

I am closing this support ticket for now. Feel free to create a new support ticket if you have any queries further. :slight_smile:
