Hello all
I have a dedicated Debian server where I installed 2 independent DokuWikis. One is personal, with no contributors; the other is read and written by authenticated contributors. They are both up to date with the latest version, "Detritus", without any warning.
I use nginx with php5-fpm.
I followed security instructions for the public wiki, moving config dir outside the webserver directory and renaming the data one. Only on this wiki I have the security warning in admin panel.
I am obviously missing a parameter, but I don't know where to search for this flaw anymore.
I erroneously copied the public wiki's sites-available conf file to the private one (I should have done the opposite), but it didn't make the security warning appear on the private wiki. So now, the only differences between those files are "root path", "server_name", and the access and error log paths (checked with diff).
Here is the sites-available conf file:
server {
    server_name ex.domain.com;
    listen 80;
    autoindex off;
    client_max_body_size 15M;
    client_body_buffer_size 128k;
    index index.html index.htm index.php doku.php;
    access_log /var/log/nginx/ex.domain.com/access.log;
    error_log /var/log/nginx/ex.domain.com/error.log;
    root /path/to/dokuwiki's/root;

    location / {
        try_files $uri $uri/ @dokuwiki;
    }

    location ~ ^/lib.*\.(gif|png|ico|jpg)$ {
        expires max;
    }

    location ~ /(data|conf|bin|inc)/ {
        deny all;
    }

    location = /robots.txt { access_log off; log_not_found off; }
    location = /favicon.ico { access_log off; log_not_found off; }
    location ~ /\. { access_log off; log_not_found off; deny all; }
    location ~ ~$ { access_log off; log_not_found off; deny all; }

    location @dokuwiki {
        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
        rewrite ^/(.*) /doku.php?id=$1 last;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_intercept_errors on;
        fastcgi_ignore_client_abort off;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }

    location ~ /\.ht {
        deny all;
    }
}
I used the conf file from the nginx wiki for DokuWiki.
Edit: I may have found a problem with the private wiki: it seems the security.png file has an access error in the nginx log file. So the security problem may be for both wikis :'(
Could you help me find where the security flaw could be? Or activate a debug mode for this security warning to know what triggers it?
Thanks!
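Added example, not part of the original post: a Python model of how nginx selects a location block, applied to the posted configuration, showing that its `deny all` rule only covers directories literally named data, conf, bin or inc. The directory name `wikidata` and the sample URIs are constructed for illustration; the post does not give the renamed directory's name.

```python
import re

# Location blocks of the posted server block, in file order: (modifier, pattern, action).
# The named location @dokuwiki is omitted: it is never matched against a request URI.
POSTED = [
    ("",  "/",                            "try_files"),
    ("~", r"^/lib.*\.(gif|png|ico|jpg)$", "expires max"),
    ("~", r"/(data|conf|bin|inc)/",       "deny all"),
    ("=", "/robots.txt",                  "no logging"),
    ("=", "/favicon.ico",                 "no logging"),
    ("~", r"/\.",                         "deny all"),
    ("~", r"~$",                          "deny all"),
    ("~", r"\.php$",                      "fastcgi"),
    ("~", r"/\.ht",                       "deny all"),
]

# Same list with the deny pattern extended to a renamed data directory.
# "wikidata" is a hypothetical name; the post does not state the real one.
FIXED = [("~", r"/(wikidata|data|conf|bin|inc)/", a)
         if p == r"/(data|conf|bin|inc)/" else (m, p, a)
         for m, p, a in POSTED]

def select_location(uri, locations=POSTED):
    """Return the (modifier, pattern, action) nginx would select for uri."""
    for loc in locations:                      # 1. an exact "=" match wins outright
        if loc[0] == "=" and loc[1] == uri:
            return loc
    prefixes = [l for l in locations
                if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    if best and best[0] == "^~":               # 2. longest prefix with ^~ skips regexes
        return best
    for loc in locations:                      # 3. first matching regex, in file order
        if loc[0] == "~" and re.search(loc[1], uri):
            return loc
    return best                                # 4. otherwise the longest plain prefix

if __name__ == "__main__":
    # Constructed sample request URIs.
    for uri in ("/data/security.png", "/wikidata/security.png", "/conf/local.php"):
        print(uri, "| posted:", select_location(uri)[2],
              "| fixed:", select_location(uri, FIXED)[2])
```

A request that falls through to `location /` is served by `try_files $uri` whenever the file exists under the document root, so a renamed directory that stays inside the root needs its name in the deny pattern, or has to be moved outside the root.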