Modify nginx to nginx+apache+phpfpm

Hello,
I've been using Hestia for 2 months and I really like it, but I've been having problems with WordPress and conf files that need to use .htaccess.
My installation was nginx+php-fpm and I would like to change it to nginx+apache+php-fpm so I can use .htaccess.
From what I read in other topics, it is always recommended to reinstall the entire system, but I found a topic talking about using the migrate_ngnix_apache_nginx-php-fpm.sh file to convert from apache+nginx to nginx+php_fpm.
So I ask whether I couldn't use this file to do the reverse and change to nginx+apache+php_fpm.

Could the parameters below be changed for this to happen?

Remove apache2 from config

sed -i "/^WEB_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SSL/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SSL_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_RGROUPS/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SYSTEM/d" $HESTIA/conf/hestia.conf

Remove nginx (proxy) from config

sed -i "/^PROXY_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^PROXY_SSL_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^PROXY_SYSTEM/d" $HESTIA/conf/hestia.conf

Add nginx settings to config

echo "WEB_PORT='80'" >> $HESTIA/conf/hestia.conf
echo "WEB_SSL='openssl'" >> $HESTIA/conf/hestia.conf
echo "WEB_SSL_PORT='443'" >> $HESTIA/conf/hestia.conf
echo "WEB_SYSTEM='nginx'" >> $HESTIA/conf/hestia.conf

Yes, it will work. You also need to install apache2 separately and copy over the correct config.

That could be an amazing feature.

I checked the installation file hst-install-debian.sh and found the variables for hestia.conf:

# webstack
if [ "$apache" = 'yes' ]; then
    write_config_value "WEB_SYSTEM" "apache2"
    write_config_value "WEB_RGROUPS" "www-data"
    write_config_value "WEB_PORT" "8080"
    write_config_value "WEB_SSL_PORT" "8443"
    write_config_value "WEB_SSL" "mod_ssl"
    write_config_value "PROXY_SYSTEM" "nginx"
    write_config_value "PROXY_PORT" "80"
    write_config_value "PROXY_SSL_PORT" "443"
    write_config_value "STATS_SYSTEM" "awstats"
fi

So in theory, if I set this information and manually follow the configuration steps that start at

#---------------------------------------------------------#
# configure apache
#---------------------------------------------------------#

it must work.
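One way to script the reverse conversion the thread is asking about, as an added example that is not Hestia's own migrate script: it writes the apache2 values from the installer branch above into hestia.conf (backing the file up first). It only changes the config file; apache2 itself and its templates still have to be installed and copied in separately. Assumed: the config path is passed as an argument and keys use the KEY='value' form shown above.

```shell
#!/usr/bin/env bash
# Added example (not Hestia's own code): flip the webstack keys in hestia.conf
# from nginx+php-fpm to nginx (proxy) + apache2, using the same values the
# installer writes in its "$apache" = 'yes' branch. Nothing else is touched.
set -eu

# set_conf_value FILE KEY VALUE: replace KEY=... in place, or append if absent,
# so running it twice never leaves duplicate keys behind.
set_conf_value() {
    local file="$1" key="$2" value="$3"
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}='${value}'|" "$file"
    else
        printf "%s='%s'\n" "$key" "$value" >> "$file"
    fi
}

# get_conf_value FILE KEY: print the unquoted value of KEY (empty if missing).
get_conf_value() {
    sed -n "s|^$2='\(.*\)'$|\1|p" "$1"
}

# switch_to_apache FILE: keep a restore point, then set the apache2 web stack
# keys and the nginx proxy keys exactly as the installer does.
switch_to_apache() {
    local conf="$1"
    cp -a "$conf" "$conf.bak.$(date +%s)"
    set_conf_value "$conf" WEB_SYSTEM     apache2
    set_conf_value "$conf" WEB_RGROUPS    www-data
    set_conf_value "$conf" WEB_PORT       8080
    set_conf_value "$conf" WEB_SSL_PORT   8443
    set_conf_value "$conf" WEB_SSL        mod_ssl
    set_conf_value "$conf" PROXY_SYSTEM   nginx
    set_conf_value "$conf" PROXY_PORT     80
    set_conf_value "$conf" PROXY_SSL_PORT 443
}
```

Run it as `switch_to_apache /usr/local/hestia/conf/hestia.conf` (the $HESTIA path used in the thread) and verify with `get_conf_value` before rebuilding the web domains.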

.htaccess in 2023, in my personal opinion, is extremely bad practice.
Can you please upload the .htaccess so we can check what exactly needs to be changed? Maybe we can help you with an nginx template for the setting that you're looking for.

Switching from very fast nginx + php-fpm to very slow apache is a bad move in my opinion.

I totally agree. That's why I installed the server only with nginx.
But I'm having some problems with two sites, which use a lot of plugins in WordPress. Another bad practice, but we won't waste time here. And users complain about the lack of .htaccess support.
I already thought about setting up another server with just apache+nginx for these cases.

An example of the .htaccess is below. It seems to be something specific that the user wants to use, or they are just pointing this out as a problem. The site works normally, but the user says no. Before, the website was on cPanel hosting.

### marker WEBP start ###
RewriteCond %{HTTP_ACCEPT} "image/webp"
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
RewriteCond %{HTTP_USER_AGENT} iPhone.*Version/(\d{2}).Safari
RewriteCond %1 >13
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
### marker WEBP end ###

### marker DROPQS start ###
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga
### marker DROPQS end ###

The other settings that exist in the .htaccess are those below, whose function nginx already fulfills:

ServerSignature Off
LimitRequestBody 104857600
Options -Indexes

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


AddType text/css .css
AddType text/x-component .htc
AddType application/x-javascript .js
AddType application/javascript .js2
AddType text/javascript .js3
AddType text/x-js .js4
AddType text/html .html .htm
AddType text/richtext .rtf .rtx
AddType image/svg+xml .svg .svgz
AddType text/plain .txt
AddType text/xsd .xsd
AddType text/xsl .xsl
AddType text/xml .xml
AddType video/asf .asf .asx .wax .wmv .wmx
AddType video/avi .avi
AddType image/bmp .bmp
AddType application/java .class
AddType video/divx .divx
AddType application/msword .doc .docx
AddType application/vnd.ms-fontobject .eot
AddType application/x-msdownload .exe
AddType image/gif .gif
AddType application/x-gzip .gz .gzip
AddType image/x-icon .ico
AddType image/jpeg .jpg .jpeg .jpe
AddType application/json .json
AddType application/vnd.ms-access .mdb
AddType audio/midi .mid .midi
AddType video/quicktime .mov .qt
AddType audio/mpeg .mp3 .m4a
AddType video/mp4 .mp4 .m4v
AddType audio/ogg .ogg
AddType application/pdf .pdf
AddType image/png .png
AddType image/webp .webp
AddType application/x-tar .tar
AddType image/tiff .tif .tiff
AddType application/x-font-ttf .ttf .ttc
AddType application/vnd.ms-opentype .ttf .ttc
AddType audio/wav .wav
AddType audio/wma .wma
AddType application/vnd.ms-write .wri
AddType application/font-woff .woff
AddType application/font-woff2 .woff2
AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
AddType application/zip .zip

And this one, which calls a firewall plugin for WordPress, which was solved by using .user.ini to call the file:

php_value auto_prepend_file '/home/grafipelcom/public_html/aios-bootstrap.php'
php_value auto_prepend_file '/home/grafipelcom/public_html/aios-bootstrap.php'
php_value auto_prepend_file '/home/grafipelcom/public_html/aios-bootstrap.php'

.user.ini file that calls the firewall plugin:

; Begin AIOWPSEC Firewall
auto_prepend_file='/home/grafipelcom/web/grafipel.com.br/public_html/aios-bootstrap.php'
; End AIOWPSEC Firewall

In short, I think it's more a developer implication than actual problems.

This is my personal opinion.
Please do not use that crap. This is not about security. It's obscurity.
That you can do manually with nginx and location rules:

Changing the logic of the admin panel page.
Adding a captcha on that page.
Restricting the maximum connections to this page location.
Turning off comments completely via a plugin for WP.
Properly finding a good WordPress nginx config.

If you want protection against attacks/hacks, do not use nulled or old unknown plugins/themes. Use some kind of professional WAF in front of your website: Naxsi/OWASP WAF for apache or nginx, etc. Or purchase the Sucuri WAF.

As I said, I think it's more the developer's implication with the nginx environment.
On Hestia I already created a template for WordPress that uses the 7G Firewall (7G Firewall | Perishable Press).

I'll check the Naxsi/OWASP you mentioned.

Nginx serves static files and cached pages.
Apache takes care of the rest.

I use the 7G firewall for nginx + fail2ban rules for 403 errors or xmlrpc calls, for example, and I reduce plugins to the minimum.

I use the server to compress all the images to webp and I swap the files via nginx.

For cached pages you won't notice a decrease in performance.

You can add this in your .htaccess to increase security for a WordPress site:

I would suggest using crowdsec instead of fail2ban to secure the server (not supported by Hestia atm).

I have a CloudLinux server with WP Toolkit applied for some clients.
These are the security settings that are used in nginx and apache, which I adapted into a new template for WordPress in Hestia.

nginx:

# "Block access to wp-config.php"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* wp-config.php { deny all; }

# "Block access to xmlrpc.php"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* xmlrpc.php { deny all; }

# "Forbid execution of PHP scripts in the wp-content/uploads directory"
# To remove this rule, revert this security measure for WordPress installation #110
location ~* "^(?:/)wp-content/uploads/.*\.php" { deny all; }

# "Forbid execution of PHP scripts in the wp-includes directory"
# To remove this rule, revert this security measure for WordPress installation #110
location ~* "^(?:/)wp-includes/(?!js/tinymce/wp\-tinymce\.php$).*\.php" {
    deny all;
}

# "Block author scans"
# To remove this rule, revert this security measure for WordPress installation #110
if ($query_string ~ "author=\d+") {
    rewrite "^/(?!wp-admin/)" "/fake-author-scan" last;
}

# "Disable PHP execution in cache directories"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* ".*/cache/.*\.ph(?:p[345]?|t|tml)" {
    access_log off;
    log_not_found off;
    deny all;
}

# "Block author scans"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location = /fake-author-scan {
    internal;
    deny all;
}

# "Block access to sensitive files"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* "(?:wp-config\.bak|\.wp-config\.php\.swp|(?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|htm|html))" {
    return 403;
}

# "Block access to potentially sensitive files"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* ".*\.(?:psd|log|cmd|exe|bat|csh|ini|sh)$" {
    return 403;
}

# "Block access to .htaccess and .htpasswd"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* /\.ht {
    deny all;
}

# "Enable bot protection"
# To remove this rule, revert this security measure on each WordPress installation on this domain
if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\.com|LinkpadBot|MJ12bot/v|majestic12\.co\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\s+Link\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") {
    return 403;
}

# WordPress permalink
# To remove this rule, add "wordpressPermalinkHandlingFeature = false" in the [ext-wp-toolkit] section of panel.ini
# then reconfigure the current domain
set $sef_entry_point /;
if ($uri ~* "^/") {
    set $sef_entry_point "/index.php?$args";
}
location @wpt_permalinks_fallback {
    try_files $uri $sef_entry_point;
}
error_page 404 = @wpt_permalinks_fallback;
error_page 405 = @wpt_permalinks_fallback;

apache:

# "Block access to wp-config.php"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<Files wp-config.php>
    Require all denied
</Files>

# "Block access to xmlrpc.php"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<Files xmlrpc.php>
    Require all denied
</Files>

# Directory listing off for the document root (Directory blocks cannot be nested,
# so this one is closed before the per-directory rules below)
<Directory "/home/client/public_html">
    Options -Indexes
</Directory>

# "Forbid execution of PHP scripts in the wp-content/uploads directory"
# To remove this rule, revert this security measure for WordPress installation #110
<Directory "/home/client/public_html/wp-content/uploads">
    <FilesMatch \.php$>
        Require all denied
    </FilesMatch>
</Directory>

# "Forbid execution of PHP scripts in the wp-includes directory"
# To remove this rule, revert this security measure for WordPress installation #110
<IfModule mod_rewrite.c>
    <Directory "/home/client/public_html/wp-includes">
        <FilesMatch \.php$>
            RewriteEngine on
            RewriteCond %{REQUEST_FILENAME} !^/home/client/public_html/wp\-includes/js/tinymce/wp\-tinymce\.php$ [NC]
            RewriteRule .* - [NC,F,L]
        </FilesMatch>
    </Directory>
</IfModule>

# "Block author scans"
# To remove this rule, revert this security measure for WordPress installation #110
<IfModule mod_rewrite.c>
    <Directory "/home/client/public_html">
        RewriteEngine on
        RewriteCond %{QUERY_STRING} author=\d+
        RewriteCond %{REQUEST_FILENAME} !^/home/client/public_html/wp\-admin/ [NC]
        RewriteRule .* - [F,L]
    </Directory>
</IfModule>

# "Block access to sensitive files"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<LocationMatch "(?i:(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html)))">
    Require all denied
</LocationMatch>

# "Block access to potentially sensitive files"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<LocationMatch ".+\\.(?i:psd|log|cmd|exe|bat|csh|ini|sh)$">
    Require all denied
</LocationMatch>

# "Disable PHP execution in cache directories"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<LocationMatch "(?i:.*/cache/.*\\.ph(?:p[345]?|t|tml))">
    Require all denied
</LocationMatch>

# "Block access to .htaccess and .htpasswd"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<FilesMatch ^(?i:\.ht.*)$>
    Require all denied
</FilesMatch>

# "Enable bot protection"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<IfModule mod_rewrite.c>
    <Directory "/home/client/public_html">
        RewriteEngine on
        RewriteCond %{HTTP_USER_AGENT} "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)" [NC]
        RewriteRule .* - [F,L]
    </Directory>
</IfModule>
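As an added example (not part of the posts above and not WP Toolkit's code), a small shell helper that checks from nginx's combined-format access log how often the author-scan, xmlrpc.php and 403 rules above actually fire, per client IP; this is also the kind of signal a fail2ban rule for 403s keys on. The log lines are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): summarise hits on the WordPress
# hardening rules above from an nginx access log in the default "combined"
# format, where $1 is the client IP, $7 the request path and $9 the status.
set -eu

# log_hits FILE PATTERN: number of log lines matching the extended regex PATTERN.
log_hits() { grep -Ec "$2" "$1" || true; }

# top_403_ips FILE [N]: the N client IPs with the most 403 responses, as "count ip".
top_403_ips() {
    awk '$9 == 403 { c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" \
        | sort -rn | head -n "${2:-5}"
}

# author_scan_ips FILE: IPs that probed ?author=N outside /wp-admin/, i.e. the
# requests the "Block author scans" rule rewrites to /fake-author-scan.
author_scan_ips() {
    awk '$7 ~ /[?&]author=[0-9]+/ && $7 !~ /^\/wp-admin\// { print $1 }' "$1" | sort -u
}

# Constructed sample traffic (combined format); IPs are documentation ranges.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [10/May/2023:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 403 153 "-" "python-requests/2.28"
203.0.113.5 - - [10/May/2023:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 403 153 "-" "python-requests/2.28"
198.51.100.9 - - [10/May/2023:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.77 - - [10/May/2023:10:00:04 +0000] "GET /wp-admin/users.php?author=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [10/May/2023:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}
```

Point the functions at /var/log/nginx/domains/<domain>.log (Hestia's per-domain log location) instead of the sample to see which rules are doing work on a real site.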

That's cool. Why not? At least something.

As a guy from the MMORPG/online games scene, where all my games are targets of DDoS/hacks/etc., I wish to add a few cents and recommendations; you can follow or ignore them.

Your best friends: goaccess, instant notifications and debug/profiler tools.

Usually this is more than enough to identify and prevent any hack attempts. Most of them (I'm talking about 99%) have the same scenario and idea in the background.

A big slice of hacks are auto-scans for the plugin list with pre-defined URI paths.
If you have your own website, or just a few websites that must run long-term, try to switch wp-content to something neutral. But make sure that all your plugins are compatible with this switch.

Such a stupid, very stupid method totally breaks auto-scanners,
because they get 404/403 errors while scanning in auto mode and do not launch any other queries to your server.

The most dangerous queries that you can filter at your web server are those related to SQL commands:

SELECT, INSERT, UPDATE, INTO OUTFILE, etc.
But this is some kind of paranoia stuff.

Just an example.

Another problem is https://medium.com/purple-team/exploiting-remote-file-inclusion-vulnerabilities-f9503b1ebafa

Also check this:
https://medium.com/@wiktorderda/file-inclusion-tryhackme-walkthrough-123b0103602f

Why is all of that crap happening?
I could write a very big wall of text, but usually it's much easier to point to this link:

Also a good starting point is: Security Controls | NGINX Documentation

In short, almost all of it is related to chroot & users:
https://www.php.net/manual/en/install.fpm.configuration.php
And a few php option restrictions per user (like above).

Also a very important thing is: PHP: Configuration - Manual

and:
https://www.php.net/manual/en/ini.core.php#ini.disable-functions

expose_php => off too

And also: PHP: Security - Manual

But there is a cool topic to read, very interesting to be honest: GitHub - guardrailsio/awesome-php-security: Awesome PHP Security Resources 🕶🐘🔐

Summary:

php-fpm pools per website with the correct user and a chrooted folder of the PATH where the website is stored, with proper user ACLs.
Disable the several most dangerous php functions.
Use goaccess to analyze what is going on.
Sometimes obscurity works, especially for big things like WP.

Notifications for what is going on (related to logs) can solve and prevent tons of attempts to hack your website. From time to time, just compress logs, remove duplicates, and try to analyze the methods by which someone tried to hack your app.

But all of that works only on a single website. For a single website. This is my personal experience. My own; I do not advise doing it like me. Just try to build your own strategy. It's hard, but once you're done, you're done for a long time.

I don't know how to organize/scale all of that for all types of apps... Really. Each app is individual.