Persistent configuration change with regen-conf hook

What type of hardware are you using: Old laptop or computer
What YunoHost version are you running: 12.1.39
How are you able to access your server: SSH

Describe your issue

I intend to make persistent changes to an nginx configuration file in /etc/nginx/conf.d/website.com.conf. To this end I consulted the documentation of the hook system and made out two candidates: (1) conf-regen and (2) post_app_upgrade hooks. I settled for the former for no good reason and wrote the following script:

#!/bin/bash

action=$1
pending_dir=$4
nginx_dir=$pending_dir/../nginx/etc/nginx
nginx_webpage_conf=$(find /etc/nginx -name website.com.conf)
[[ $action == "pre" ]] || exit 0
[[ -d $nginx_dir ]] || exit 0
[[ -e $nginx_webpage_conf ]] || exit 0
sed -i '/^server\s*{/,/^}/ { /^}/i\
\
    # nginx block xmlrpc.php requests\
    location /xmlrpc.php {\
        deny all;\
        return 403;\
    }
}' $nginx_webpage_conf

which I placed in /etc/yunohost/hooks.d/conf_regen/80-nginx_xlmrpc. However, the file is now marked as manually modified:

  • yunohost tools regen-conf throws the following error
    Warning: The configuration file ‘/etc/nginx/conf.d/website.com.conf’ has been manually modified and will not be updated
  • After running yunohost tools regen-conf --force, modifications are no longer present; yunohost tools regen-conf has to be run a second time. While modifications were written, the same warning was given again:
    Warning: The configuration file ‘/etc/nginx/conf.d/website.com.conf’ has been manually modified and will not be updated

How would you put the hook in place to guarantee re-addition of my modifications to the configuration file in question? Thank you in advance for your suggestions.

Share relevant logs or error messages

None

Are you sure about your hook?

nginx_webpage_conf=$(find /etc/nginx -name website.com.conf)

Wouldn’t it be more like

nginx_webpage_conf=$(find /etc/nginx/conf.d/ -name website.com.conf)

The order is important

1 - Before you add the hook in /etc/yunohost/hooks.d/conf_regen/, you must restore the default configuration with

yunohost tools regen-conf nginx --force

2 - Now you can add your hook and do it again:

yunohost tools regen-conf nginx --force

Now, your modification should be applied and yunohost tools regen-conf nginx should stop the warnings.

Why would you want to set up these Hooks?

Regarding the path

nginx_webpage_conf=$(find /etc/nginx -name website.com.conf)

It does not really matter, as find locates the unique file correctly, but yes it is in the sub-directory conf.d

Before you add the hook in /etc/yunohost/hooks.d/conf_regen/ , you must restore the default configuration with

I tried this (1 moving my hook, 2 executing regen-conf nginx --force, 3 executing regen-conf nginx --force), however, when executing yunohost tools regen-conf nginx with the --force flag the second time, nothing happens and my hook does not get triggered, i.e. changes are not written to the file. Executing yunohost tools regen-conf nginx without the --force flag writes the changes but additionally generates the warning regarding file modification.

Why would you want to set up these Hooks?

Any hook (the broad concept) or this script used with the regen-conf hook? Regarding the latter, I have a WordPress site running, and wanted to block access to the xmlrpc.php file. However, now I find that /etc/nginx/conf.d/website.com.d/wordpress.conf already contains the following, which however has no effect:

location / {
       # [...]

       # Deny public access to xmlrpc.php
       location ~* xmlrpc.php {
              deny all;
              return 403;
       }
}

And that little nginx rule to protect all PHPs.
Insert in:

nano /etc/nginx/sites-available/default

Just under the last lines

        #location ~ /\.ht {
        #       deny all;
        #}

        # Rule Nginx, Protect all PHPs.
        # (a location block is only valid inside the server block, so it goes before the closing brace)
        location ~* [^/]\.php(/|$) {
                deny all;
                return 403;
        }
}

Then verify:

sudo nginx -t
sudo systemctl reload nginx

Wouldn’t it be better?
That’s just an idea.

Yes, find is recursive.

You modify /etc/nginx/conf.d/website.com.conf directly without going through $nginx_dir

Whenever you modify a yunohost file, you can’t modify it directly but you must go through $nginx_dir. That’s why the regen-conf gives a warning and the --force doesn’t erase the default configuration.
For example, I use this in a hook:

nginx_security_conf=$nginx_dir/conf.d/security.conf.inc

Thank you, JfmbLinux, for your more general suggestion! Indeed, this could be beneficial. I will have to ensure that none of my installed apps requires direct exposure of php files before putting this into place and read more about Nginx’s directory structure.

Yes, find is recursive. […] Whenever you modify a yunohost file, you can’t modify it directly but you must go through $nginx_dir.

Sorry, metyun, for not grasping right away that you were referring to the direct change in /etc/nginx/

In the end I settled for

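#!/bin/bash

# Hook arguments: $1 is the action, $4 is the pending directory
action=$1
pending_dir=$4
# Pending copy of the nginx configuration, not the live /etc/nginx
nginx_dir=$pending_dir/../nginx/etc/nginx
nginx_conf_dir=$nginx_dir/conf.d
# Only act in the "pre" phase and only if the pending tree exists
[[ $action == "pre" ]] || exit 0
[[ -d $pending_dir ]] || exit 0
[[ -d $nginx_dir ]] || exit 0
nginx_webpage_conf=$(find "$nginx_conf_dir" -name website.com.conf)
[[ -e $nginx_webpage_conf ]] || exit 0
# Insert the location block before the closing brace of each server block
sed -i '/^server\s*{/,/^}/ { /^}/i\
\
    # nginx block xmlrpc.php requests\
    location /xmlrpc.php {\
        deny all;\
        return 403;\
    }
}' "$nginx_webpage_conf"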

Interestingly, yunohost’s default wordpress nginx configuration in /etc/nginx/conf.d/website.com.d/wordpress.conf already foresees the blocking of the xmlrpc.php, however these rules for some reason do not appear to be applied, see this post.
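
The point the thread settles on (edit the pending copy under $nginx_dir, never the live file in /etc/nginx) can be checked in a sandbox before installing a hook. The script below is an added example, not part of any post above: the function names add_xmlrpc_block and demo, the temp-dir layout and the two-server-block sample config are assumptions made for illustration, and it also adds a guard so that a repeated run does not insert the block twice.

```shell
#!/bin/bash
# Added example: sandboxed check of the pending-directory edit.
# The config content and all paths under the temp dir are constructed.

# Insert the deny block before the closing brace of each top-level server
# block in file $1. Returns 0 without editing if the block is already there.
add_xmlrpc_block() {
    conf=$1
    [ -f "$conf" ] || return 1
    grep -q 'location /xmlrpc.php' "$conf" && return 0
    sed '/^server[[:space:]]*{/,/^}/ {
/^}/i\
    # nginx block xmlrpc.php requests\
    location /xmlrpc.php {\
        deny all;\
        return 403;\
    }
}' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Build a fake live tree and pending tree, run the edit twice on the pending
# copy, and print the number of inserted blocks if the live file is unchanged.
demo() {
    sandbox=$(mktemp -d) || return 1
    live=$sandbox/etc/nginx/conf.d
    pending_dir=$sandbox/pending/custom        # stands in for hook argument $4
    nginx_dir=$pending_dir/../nginx/etc/nginx  # same derivation as the hook
    mkdir -p "$live" "$pending_dir" "$nginx_dir/conf.d"
    printf 'server {\n    listen 80;\n}\n\nserver {\n    listen 443 ssl;\n}\n' \
        > "$live/website.com.conf"
    pending_conf=$nginx_dir/conf.d/website.com.conf
    cp "$live/website.com.conf" "$pending_conf"
    before=$(cksum < "$live/website.com.conf")
    add_xmlrpc_block "$pending_conf"
    add_xmlrpc_block "$pending_conf"           # second run must be a no-op
    count=$(grep -c 'location /xmlrpc.php' "$pending_conf")
    after=$(cksum < "$live/website.com.conf")
    rm -rf "$sandbox"
    [ "$before" = "$after" ] && echo "$count"
}

demo
```

The count is one block per server block in the sample, and the checksum comparison confirms the live copy was never touched, which is the condition under which regen-conf does not flag the file as manually modified.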
