Problem uploading media

Fred
19 March 2016, 01:04
Hi Hugo,

I am using 2 Hiawatha servers.
Server A is the proxy and the other server is the WordPress site.
On the WordPress admin, the users can do absolutely everything except uploading new media to the library.
I am unable to upload any type of file: "HTTP Error."

I found out that if I whitelist the IPs, the problem goes away...
Could you please help me solve this problem?
--- Proxy setting ---
hiawatha.conf
set LOCALHOST = 127.0.0.0/8
set MyIPv4 = 10.8.20.11
#set MyIPv6 = fde4:8dba:82e1:ffff::42
set TrustedIP_1 = 82.30.1xx.xxx # Office
set TrustedIP_2 = 10.8.20.11 # Proxy
set TrustedIP_3 = 86.8.xx.xxx # Headquater
set TrustedIP_4 = 193.253.xx.xxx # Bollenberg office

# GENERAL SETTINGS
#
#MonitorServer = 192.168.1.125
ServerString = Hiawatha
ServerId = www:www
ConnectionsTotal = 4096 # Maximum number of simultaneous connections. Default = 100
ConnectionsPerIP = 64 # Maximum number of simultaneous connections per IP address. Default = 10
ThreadPoolSize = 128 #
ThreadKillRate = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
CacheSize = 512 # Size of Hiawatha's internal file cache. Maximum is 1024 (megabytes). Default = 10
CacheMaxFilesize = 512 # Maximum size of a file Hiawatha will store in its internal cache. Default = 256
CacheRProxyExtensions = css, eot, gif, html, htm, ico, jpg, jpeg, js, otf, png, svg, swf, ttf, txt, woff, woff2
MaxUrlLength = 1200
#MinSSLversion = TLS1.2
MinTLSversion = TLS1.2
DHsize = 4096 # Set the size of the Diffie-Hellman key. Default = 2048
SocketSendTimeout = 60
LogfileMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3, deny TrustedIP_4
RequestLimitMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3, deny TrustedIP_4


# BINDING SETTINGS
# A binding is where a client can connect to.
#
include bindings.conf

# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnInvalidURL = 60
BanOnMaxPerIP = 15
BanOnMaxReqSize = 300
BanOnWrongPassword = 4:900
BanOnSQLi = 3600
KickOnBan = yes
RebanDuringBan = yes
BanlistMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3, deny TrustedIP_4
#ChallengeClient = 768, javascript, 15

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
FastCGIserver {
FastCGIid = PHP5-FPM
ConnectTo = /var/run/php-fpm.sock
Extension = php
SessionTimeout = 30
}

# URL TOOLKIT
# This URL toolkit rule was made for the Banshee PHP framework, which
# can be downloaded from http://www.hiawatha-webserver.org/banshee
#
include toolkit.conf

# DEFAULT WEBSITE
# Use IP address as the hostname of the default website and give it a blank webpage.
# By doing so, automated webscanners won't find the possible vulnerable website.
#
Hostname = MyIPv4
WebsiteRoot = /usr/local/www/webs/default/httpdocs
StartFile = index.html
AccessLogfile = /var/log/hiawatha/default.access.log
ErrorLogfile = /var/log/hiawatha/default.error.log
#ErrorHandler = 404:/error.cgi

CustomHeader = X-Frame-Options: sameorigin
CustomHeader = Vary: Accept-Encoding
RandomHeader = 64

include domains.conf

toolkit.conf
UrlToolkit {
ToolkitID = monitor
RequestURI isfile Return
Match ^/(css|images|js)/ Return
Match ^/(favicon.ico|robots.txt)$ Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}

UrlToolkit {
ToolkitID = cache-control
Match ^/.*\.(css|eot|gif|htm|html|ico|jpeg|jpg|js|otf|pdf|png|ps|psd|svg|swf|ttf|txt|woff|woff2)(\?v=.*|\?ver=.*)?(/|$) Expire 1 weeks
}

UrlToolkit {
ToolkitID = wordpress
RequestURI exists Return
Match .*\?(.*) Rewrite /index.php?$1
Match .* Rewrite /index.php
}

UrlToolkit {
ToolkitID = wp-multi-subdir
Match ^/index\.php$ Return
Match ^/([_0-9a-zA-Z-]+/)?wp-admin$ Redirect /$1wp-admin/
RequestURI exists Return
Match ^/([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) Rewrite /$2
Match ^/([_0-9a-zA-Z-]+/)?(.*\.php)$ Rewrite /$2
Match ^/[_0-9a-zA-Z-]+(/wp-.*) Rewrite /$1 # if not present 404 - error is displayed
# Match ^/[_0-9a-zA-Z-]+(/.*\.php)$ Rewrite /$1 #test
Match .* Rewrite /index.php?$1
}

UrlToolkit {
ToolkitID = joomla
Match base64_encode[^(]*\([^)]*\) DenyAccess
Match (<|%3C)([^s]*s)+cript.*(>|%3E) DenyAccess
Match GLOBALS(=|\[|\%[0-9A-Z]{0,2}) DenyAccess
Match _REQUEST(=|\[|\%[0-9A-Z]{0,2}) DenyAccess
Match ^/index\.php Return
RequestURI exists Return
Match .* Rewrite /index.php
}

UrlToolkit {
ToolkitID = secure-wp
UseSSL Skip 2
Match ^/wp-login.php(.*) Redirect https://blog.example.tld/wp-login.php$1
Match /wp-admin/$ Redirect https://blog.example.tld/wp-admin/$1
}

UrlToolkit {
ToolkitID = block_bots
Header User-Agent Googlebot DenyAccess
Header User-Agent twiceler DenyAccess
Header User-Agent MSNBot DenyAccess
Header User-Agent yahoo DenyAccess
Header User-Agent BaiDuSpider DenyAccess
Header User-Agent Ask DenyAccess
# Header User-Agent Yahoo! Slurp DenyAccess
# Header User-Agent Sogou web spider DenyAccess
Header User-Agent Sogou-Test-Spider DenyAccess
Header User-Agent Baiduspider+ DenyAccess
Header User-Agent Yandex DenyAccess
Header User-Agent UniversalFeedParser DenyAccess
Header User-Agent Mediapartners-Google DenyAccess
Header User-Agent Sosospider+ DenyAccess
Header User-Agent YoudaoBot DenyAccess
Header User-Agent ParchBot DenyAccess
Header User-Agent Curl DenyAccess
Header User-Agent msnbot DenyAccess
Header User-Agent NaverBot DenyAccess
Header User-Agent taptubot DenyAccess
}

domain.conf
VirtualHost {
Hostname = www.mydomain.com, mydomain.com, *.mydomain.com
WebsiteRoot = /var/www/empty
StartFile = index.php
#RequireTLS = yes,31536000
ExecuteCGI = no
PreventXSS = yes
#PreventCSRF = yes
PreventSQLi = yes
RandomHeader = 512
ReverseProxy .* http://10.8.20.10:80 1300 keep-alive
#LoginMessage = scanner.example.tld
#PasswordFile = digest:/srv/www/digest/scanner.digest
AccessLogfile = /var/log/hiawatha/mydomain.access.log
ErrorLogfile = /var/log/hiawatha/mydomain.error.log
}

--- wordpress settings (after proxy) ---
hiawatha.conf
# Hiawatha main configuration file
#
# This is a hiawatha.conf for use with WordPress.
#

# VARIABLES
# With 'set', you can declare a variable. Make sure the name of the
# variable doesn't conflict with any of the configuration options. The
# variables are case-sensitive and cannot be re-declared.
#
set LOCALHOST = 127.0.0.0/8
set MyIPv4 = 10.8.20.10
#set MyIPv6 = fde4:8dba:82e1:ffff::42
set TrustedIP_1 = 82.30.1xx.xxx
set TrustedIP_2 = 86.8.xx.xxx
set TrustedIP_3 = 10.8.20.11
set TrustedIP_4 = 193.253.xx.xxx

# GENERAL SETTINGS
#
#MonitorServer = 192.168.1.125
ServerString = Hiawatha
ServerId = www:www
ConnectionsTotal = 4096 # Maximum number of simultaneous connections. Default = 100
ConnectionsPerIP = 32 # Maximum number of simultaneous connections per IP address. Default = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ThreadKillRate = 10
CacheSize = 512 # Size of Hiawatha's internal file cache. Maximum is 1024 (megabytes). Default = 10
CacheMaxFilesize = 512 # Maximum size of a file Hiawatha will store in its internal cache. Default = 256
MaxUrlLength = 1200
MinSSLversion = TLS1.0
DHsize = 4096 # Set the size of the Diffie-Hellman key. Default = 2048
SocketSendTimeout = 30
LogfileMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3, deny TrustedIP_4
RequestLimitMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3, deny TrustedIP_4


# BINDING SETTINGS
# A binding is where a client can connect to.
#
include bindings.conf

# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnInvalidURL = 60
BanOnMaxPerIP = 15
BanOnMaxReqSize = 300
BanOnWrongPassword = 4:900
BanOnSQLi = 3600
KickOnBan = yes
RebanDuringBan = yes
BanlistMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3, deny TrustedIP_4
ChallengeClient = 768, javascript, 15

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
FastCGIserver {
FastCGIid = PHP5-FPM
ConnectTo = /var/run/php-fpm.sock
Extension = php
}

# URL TOOLKIT
# This URL toolkit rule was made for the Banshee PHP framework, which
# can be downloaded from http://www.hiawatha-webserver.org/banshee
#
include toolkit.conf

# DEFAULT WEBSITE
# Use IP address as the hostname of the default website and give it a blank webpage.
# By doing so, automated webscanners won't find the possible vulnerable website.
#
Hostname = MyIPv4
WebsiteRoot = /usr/local/www/webs/default/httpdocs
#WebsiteRoot = /usr/local/www/webs/production/httpdocs
#WebsiteRoot = /usr/local/www/hiawatha
#WebsiteRoot = /usr/local/www/webs/debug
StartFile = index.html
#StartFile = index.php
AccessLogfile = /usr/local/www/webs/default/logs/default.access.log
ErrorLogfile = /usr/local/www/webs/default/logs/default.error.log
#ErrorHandler = 404:/error.cgi


include siteconf

siteconf
VirtualHost {
Hostname = mydomain.com, www.mydomain.com
WebsiteRoot = /usr/local/www/webs/production/httpdocs
#WebsiteRoot = /usr/local/www/webs/debug
StartFile = index.php
AccessLogfile = /usr/local/www/webs/production/logs/mydomain.access.log
ErrorLogfile = /usr/local/www/webs/production/logs/mydomain.error.log
TimeForCGI = 21000
UseFastCGI = PHP5-FPM

CustomHeader = X-Frame-Options: sameorigin
#CustomHeader = Vary: Accept-Encoding
RandomHeader = 64
UseToolkit = wordpress #secure-wp
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
ExecuteCGI = yes
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
WrapCGI = jail_mydomain
}


Thank you
Fred
20 March 2016, 15:03
Hugo,

What happened to the thread?
I'm sure we had a conversation here...
You suggested that I change the code, but I explained that I installed it from the FreeBSD ports tree.
Hugo Leisink
20 March 2016, 19:50
The code change suggestion was for a different thread, sorry. I haven't had the time to take a look at your post.
Fred
20 March 2016, 22:55
OK, please let me know when you can
Fred
23 March 2016, 01:36
Hi Hugo,
Did you get a chance to look at my problem?

Thank you, Fred
Hugo Leisink
23 March 2016, 10:13
My advice is to first make your WordPress website work, including the uploading, without the reverse proxy. My guess is that the cause is the large request size, due to a large uploaded file. Use the MaxRequestSize setting to solve this.

After that, test via the reverse proxy. Also, look at the MaxRequestSize setting for this system.
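Hugo's diagnosis can be checked against the configuration Fred posted. Two settings interact: RequestLimitMask decides which clients the request limits (MaxRequestSize among them) apply to, and addresses listed with deny are exempt; BanOnMaxReqSize bans a client whose request exceeds MaxRequestSize. Neither hiawatha.conf above sets MaxRequestSize, so Hiawatha's default of 64 kilobytes applies, which is far below the size of a typical media upload. The trusted addresses are listed as deny in RequestLimitMask, which is why whitelisting an IP makes the upload work. On the WordPress server the connecting address is the proxy (10.8.20.11), which is TrustedIP_3 there, so the limit is hit at the proxy, not the backend. The following Python script is an added example, not code from the thread or from Hiawatha: it parses the top-level settings of a Hiawatha config, expands the set variables, evaluates the access lists for a client address and reports how an upload of a given size would be treated. The office addresses, masked in the post, are replaced by constructed documentation addresses, and the MaxRequestSize value of 65536 used for the fixed configuration is an assumed example value.

```python
"""Check whether an upload would hit Hiawatha's request-size limit.

Added example for the thread above: parses the relevant top-level settings
of a Hiawatha config, expands 'set' variables, evaluates RequestLimitMask
and BanlistMask for a client address and reports the outcome.
"""
import ipaddress

DEFAULT_MAX_REQUEST_KIB = 64  # Hiawatha's default MaxRequestSize (kilobytes)

# Constructed sample: the proxy's global settings from the thread, with the
# masked office addresses replaced by RFC 5737 documentation addresses.
PROXY_CONF = """
set LOCALHOST = 127.0.0.0/8
set MyIPv4 = 10.8.20.11
set TrustedIP_1 = 203.0.113.10 # Office (constructed address)
set TrustedIP_2 = 10.8.20.11 # Proxy
set TrustedIP_3 = 198.51.100.20 # Headquarters (constructed address)
ConnectionsPerIP = 64 # Maximum number of simultaneous connections per IP address.
BanOnMaxReqSize = 300
RequestLimitMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3
BanlistMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3
"""

# Constructed sample: the WordPress server's settings that matter here. The
# proxy (10.8.20.11) is TrustedIP_3 on this host, as in the posted config.
BACKEND_CONF = """
set LOCALHOST = 127.0.0.0/8
set MyIPv4 = 10.8.20.10
set TrustedIP_3 = 10.8.20.11
BanOnMaxReqSize = 300
RequestLimitMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_3
BanlistMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_3
"""


def parse_settings(text):
    """Return (variables, settings) from the top-level lines of a Hiawatha config.

    Comments start at '#'. 'set NAME = value' lines fill the variable table,
    other 'Key = value' lines fill the settings table. Contents of blocks such
    as VirtualHost { ... } and 'include' lines are skipped by this check.
    """
    variables, settings = {}, {}
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("set "):
            variables[key[4:].strip()] = value
        else:
            settings[key] = value
    return variables, settings


def expand_mask(mask, variables):
    """Turn 'deny LOCALHOST, allow all' into a list of (action, network-or-None)."""
    entries = []
    for item in mask.split(","):
        action, target = item.split()
        target = variables.get(target, target)  # substitute 'set' variables
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        entries.append((action, network))
    return entries


def mask_applies(entries, client_ip):
    """Evaluate an access list: the first matching rule wins, unmatched clients are allowed."""
    addr = ipaddress.ip_address(client_ip)
    for action, network in entries:
        if network is None or addr in network:
            return action == "allow"
    return True


def check_upload(conf_text, client_ip, upload_kib):
    """Report how a request of upload_kib kilobytes from client_ip is treated."""
    variables, settings = parse_settings(conf_text)
    limited = True  # default RequestLimitMask is 'allow all': limits apply to everyone
    if "RequestLimitMask" in settings:
        limited = mask_applies(expand_mask(settings["RequestLimitMask"], variables), client_ip)
    max_kib = int(settings.get("MaxRequestSize", DEFAULT_MAX_REQUEST_KIB))
    too_large = limited and upload_kib > max_kib
    ban_seconds = 0
    if too_large and "BanOnMaxReqSize" in settings:
        bannable = True
        if "BanlistMask" in settings:
            bannable = mask_applies(expand_mask(settings["BanlistMask"], variables), client_ip)
        if bannable:
            ban_seconds = int(settings["BanOnMaxReqSize"])
    return {"limited": limited, "max_request_kib": max_kib,
            "accepted": not too_large, "ban_seconds": ban_seconds}


if __name__ == "__main__":
    # A 2 MiB upload from an untrusted visitor versus a whitelisted office address.
    for ip in ("198.51.100.7", "203.0.113.10"):
        print("proxy, client", ip, check_upload(PROXY_CONF, ip, 2048))
    # The backend only ever sees the proxy's address, which is exempt there.
    print("backend, client 10.8.20.11", check_upload(BACKEND_CONF, "10.8.20.11", 2048))
    # Assumed fix: raise the limit on the proxy (65536 kB is an example value).
    print("proxy with MaxRequestSize", check_upload(PROXY_CONF + "MaxRequestSize = 65536\n", "198.51.100.7", 2048))
```

For an untrusted visitor the script reports the request as rejected and the client banned for 300 seconds, which matches the hard "HTTP Error" Fred sees; a whitelisted address is simply not limited, and so is the proxy's own address on the backend. The check reads top-level settings only, so add the MaxRequestSize line wherever the limit is actually enforced in your setup and re-run it against that file.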
This topic has been closed.