NGINXConfig defaults break s2Member functions #1216

Open
B-Interactive opened this issue Jun 1, 2021 · 0 comments
B-Interactive commented Jun 1, 2021

EXPLANATION OF THE ISSUE

The NGINXConfig tool generates secure and performant config files for Nginx, based on standard best practice. It provides the following WordPress specific config for Nginx:

# WordPress: allow TinyMCE
location = /wp-includes/js/tinymce/wp-tinymce.php {
    include nginxconfig.io/php_fastcgi.conf;
}

# WordPress: deny wp-content, wp-includes php files (BREAKS S2 STYLES)
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
    deny all;
}

# WordPress: deny wp-content/uploads nasty stuff
location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
    deny all;
}

# WordPress: SEO plugin
location ~* ^/wp-content/plugins/wordpress-seo(?:-premium)?/css/main-sitemap\.xsl$ {}

# WordPress: deny wp-content/plugins (except earlier rules) (BREAKS S2 STYLES)
location ~ ^/wp-content/plugins {
    deny all;
}

# WordPress: deny general stuff
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|readme\.html|license\.txt)$ {
    deny all;
}

Two of these rulesets break s2Member's ability to execute functions. In my tests, it throws ERR ABORTED 403 on access to these and I would expect others:
/wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_css...
/wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_js_w_globals...

The end result is a janky looking payment page, with broken menu items and PayPal features. I'm still trying to figure out the extent of it.

STEPS TO REPRODUCE THE ISSUE

Gotta be using Nginx, and include either of these two rulesets in its config file:

# WordPress: deny wp-content/plugins (except earlier rules)
location ~ ^/wp-content/plugins {
    deny all;
}

# WordPress: deny wp-content, wp-includes php files
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
    deny all;
}

Then, visit the sign-up page on a WordPress + s2Member based website and monitor the console output for errors.

BEHAVIOR THAT I EXPECTED

No conflict with standard best practice rulesets, and an unbroken membership page.

BEHAVIOR THAT I OBSERVED

Layout of our membership page appeared janky. PayPal icon missing, with strange features in its place. It's also asking for credit card details in a place it shouldn't (outside of PayPal).


WORKAROUND

Pretty obviously, the two rulesets causing the issue can be removed or commented out.

@B-Interactive B-Interactive changed the title NGINXConfig defaults break s2's CSS NGINXConfig defaults break s2Member functions Jun 1, 2021
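A narrower fix than removing the two deny rulesets, added here as an example and not part of the original report or of nginxconfig.io's generated output: keep both `deny all` rules and add an exact-match (`location =`) block for the single s2Member script the console errors point at. nginx selects an exact-match location before it evaluates any `location ~` regex, so the block wins regardless of where the two regex deny rules sit in the file, and the query strings shown in the errors (`?ws_plugin__s2member_css...`) play no part in location matching. The example assumes the rest of the nginxconfig.io layout shown above, including the `nginxconfig.io/php_fastcgi.conf` include.

```nginx
# WordPress: allow TinyMCE (unchanged from the nginxconfig.io output above)
location = /wp-includes/js/tinymce/wp-tinymce.php {
    include nginxconfig.io/php_fastcgi.conf;
}

# s2Member: allow only its CSS/JS loader script (ADDED EXAMPLE, not nginxconfig.io output).
# An exact-match location is chosen before any "location ~" regex is tried, so the two
# deny rules below still apply to every other PHP file and path under wp-content/plugins.
location = /wp-content/plugins/s2member/s2member-o.php {
    include nginxconfig.io/php_fastcgi.conf;
}

# WordPress: deny wp-content, wp-includes php files (unchanged)
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
    deny all;
}

# WordPress: deny wp-content/plugins (except earlier rules) (unchanged)
location ~ ^/wp-content/plugins {
    deny all;
}
```

After the change, run `nginx -t` and reload, then request the two URLs from the console output with `curl -I` (substituting your own host for the placeholder `example.test`) and confirm they return 200 while `curl -I https://example.test/wp-content/plugins/s2member/other.php` still returns 403. Since the reporter expects further s2Member paths to be affected, add one exact-match block per script that shows up in the console rather than widening the exception to the whole plugin directory, which would reopen direct execution of every PHP file the deny rules were written to block.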