• Resolved OviLiz

    (@ovib)


    Hi guys,
    I’m using a server managed through ServerPilot.io that installs Apache with Nginx as a reverse proxy, PHP-FPM and PHP7.

    What should I choose when proceeding with the Ninja Firewall installation?
    Apache+PHP7 doesn’t work.

    I have proceeded with Apache+CGI with .user.ini, but then I get this alert: “User session – It seems the user session was not set by the firewall script or may have been destroyed by another plugin. You may get blocked by the firewall while working from the WordPress administration dashboard.”, similar to what is reported here: https://wordpress.org/support/topic/user-session-1?replies=19

    PS. I’m using Wordfence too.

    https://wordpress.org/plugins/ninjafirewall/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter OviLiz

    (@ovib)

    Following the other thread, the PHP script result is:

    Starting session.
    Checking “nfw_goodguy” session flag: ERROR: not found.

    Also:

    session.cache_expire 180 180
    session.gc_maxlifetime 1440 1440
    session.use_cookies on on
    session.save_handler files files
    session.save_path /srv/users/myuser/tmp/myapp idem
    session.cookie_domain no value

    I don’t have any caching plugin (Wordfence’s caching function is not enabled).

    My Overview:

    Firewall Enabled
    PHP SAPI FPM-FCGI (7.0.1)
    Version 1.8.3 (security rules: 2015-12-21.1)
    Admin user cristian (you are whitelisted by the firewall)
    User session It seems the user session was not set by the firewall script or may have been destroyed by another plugin. You may get blocked by the firewall while working from the WordPress administration dashboard.
    Optional configuration file /srv/users/myuser/apps/myapp/.htninja

    .htninja content:

    <?php
    /*
     +===================================================================+
     | NinjaFirewall optional configuration file                         |
     |                                                                   |
     | See: http://nintechnet.com/ninjafirewall/wp-edition/help/?htninja |
     +===================================================================+
    */
    
    // To tell NinjaFirewall where you moved your WP config file,
    // use the '$wp_config' variable :
    $wp_config = '/srv/users/myuser/apps/myapp/wp-config.php';
    
    // To change NinjaFirewall's log and cache folder
    // use the 'NFW_LOG_DIR' constant (no trailing slash needed) :
    // (path corrected to match the 'myuser' account used above)
    define('NFW_LOG_DIR', '/srv/users/myuser/apps/myapp/NFW');
    
    // Whitelist: requests from these addresses bypass the firewall.
    // 'MY IP' is a placeholder for the administrator's own address.
    $ip_array = array( 'MY IP' );
    if ( in_array( $_SERVER["REMOTE_ADDR"], $ip_array ) ) {
       return 'ALLOW'; // whitelist
    }
    
    // Blacklist: reject a single address outright.
    if ( $_SERVER["REMOTE_ADDR"] == '91.200.12.139' ) {
       return 'BLOCK'; // reject it
    }

    Thread Starter OviLiz

    (@ovib)

    I have set X-Frame-Options to DENY to protect against clickjacking attempts, but I’m still able to load the pages into an iframe from a different server.

    If I just edit the .htaccess and add Header append X-FRAME-OPTIONS DENY, it works fine.

    Where are the Firewall Policies rules supposed to be registered?

    Plugin Author nintechnet

    (@nintechnet)

    Apache+PHP7 doesn’t work.

    It does work.
    See this discussion, and that one too (not resolved yet).

    If you have Nginx as a reverse proxy, you need to make sure it will forward the correct headers.
    PHP is very picky about sessions: if a session is started from ‘domain.tld’, it won’t work for ‘www.domain.tld’ or any other subdomain. But, in your case, it looks like you may have a different domain name used for the backend (‘localhost’ or whatever). You will probably need to check the ‘proxy_pass_header’, ‘proxy_cookie_domain’ or similar directives in your Nginx configuration.

    Regarding X-Frame-Options, simply telnet to your site and check if you see it in the HTTP headers:

    $ telnet yourwebsite.com 80

    Type:

    HEAD / HTTP/1.1
    Host: yourwebsite.com

    Press the ‘Enter’ key twice.
    You should get something similar to this:

    HTTP/1.1 200 OK
    Date: Tue, 22 Dec 2015 12:40:33 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    Set-Cookie: xxxxxxxxxxxxxxxx
    X-Frame-Options: DENY

    Here too, you must ensure your proxy will forward the HTTP headers.
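    The telnet check above, and the header list nintechnet gives later in the thread (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection), as an added Python example that is not part of the original thread or the plugin: it parses a raw HTTP response head, reports which of those headers the proxy failed to forward, and flags a session cookie whose Domain does not cover the host the browser used. The sample responses are constructed; fetch_head() is an assumed helper for running the same check live.

```python
import http.client
import re

# The three headers NinjaFirewall's "Firewall Policies" can add (named in the thread).
SECURITY_HEADERS = ("X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection")

def parse_response(raw):
    """Split a raw HTTP/1.x response head (what the telnet HEAD request shows) into
    (status_line, [(name, value), ...]). Accepts CRLF or bare LF line endings."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = [tuple(p.strip() for p in line.split(":", 1)) for line in lines[1:] if ":" in line]
    return lines[0].strip(), headers

def cookie_domain(set_cookie):
    """Domain attribute of a Set-Cookie value, lower-cased without a leading dot, or None."""
    m = re.search(r";\s*domain=([^;]+)", set_cookie, re.IGNORECASE)
    return m.group(1).strip().lstrip(".").lower() if m else None

def check_response(raw, host):
    """Policy headers missing from the response, plus any session cookie whose Domain does
    not cover `host` (the name the browser used). Behind a reverse proxy a cookie scoped to
    the backend name is never sent back, so the firewall's session flag is not found."""
    status, headers = parse_response(raw)
    present = {name.lower() for name, _ in headers}
    missing = [h for h in SECURITY_HEADERS if h.lower() not in present]
    host = host.lower()
    bad = [d for name, value in headers if name.lower() == "set-cookie"
           for d in [cookie_domain(value)] if d and d != host and not host.endswith("." + d)]
    return {"status": status, "missing": missing, "cookie_domain_mismatch": bad}

def fetch_head(host, port=443, https=True):
    """Send the same HEAD / request as the telnet session (HTTPS by default, since the
    poster redirects HTTP there) and rebuild the response head for check_response()."""
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(host, port, timeout=10)
    conn.request("HEAD", "/", headers={"Host": host})
    resp = conn.getresponse()
    head = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    head += "".join("%s: %s\r\n" % kv for kv in resp.getheaders())
    conn.close()
    return head + "\r\n"

# Constructed sample responses (not captured from any real site): one where the proxy forwards
# everything, one where it dropped the policy headers and scoped the cookie to the backend name.
FORWARDED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
             "Set-Cookie: PHPSESSID=abc123; path=/; domain=.example.com\r\n"
             "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n\r\n")
STRIPPED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Set-Cookie: PHPSESSID=abc123; path=/; domain=localhost\r\n\r\n")
```

Against a live site, check_response(fetch_head("yourwebsite.com"), "yourwebsite.com") gives the same report for the real response.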

    Thread Starter OviLiz

    (@ovib)

    Hi nintechnet, thanks for your reply. I’m going to read it later.

    Just forgot to mention that I’m using HTTPS and redirect HTTP to it.

    Thread Starter OviLiz

    (@ovib)

    I’m not saying Ninja Firewall doesn’t work with PHP7; it’s just that in my case I cannot use Apache+PHP7 when installing NF.
    The code is being added correctly to my .htaccess (Your configuration was saved.):

    <IfModule mod_php7.c>
       php_value auto_prepend_file /srv/users/myuser/apps/myapp/public/wp-content/plugins/ninjafirewall/lib/firewall.php
    </IfModule>

    But when testing I get “Error: the firewall is not loaded.” and I cannot find any log about what the issue may be.

    But I guess it’s because it appears that ServerPilot is not using mod_php when configuring the server: https://www.digitalocean.com/community/questions/wordpress-one-click-or-server-pilot
    This is why I mentioned ServerPilot.io; they apply a specific configuration that works only on Ubuntu 14.04 LTS, where I can even switch with one click from PHP 5.4 to 5.5, 5.6 or 7, and downgrade as well.

    The phpinfo says that my Server API is FPM/FastCGI which is not listed in the Ninja Firewall install options.

    Plugin Author nintechnet

    (@nintechnet)

    They suggest “.user.ini”, which is normally the right choice since PHP 5.3: https://serverpilot.io/community/articles/how-to-change-php-settings.html

    During the installation, you can select “Nginx + CGI/FastCGI”, and then .user.ini.
    It may take a few minutes before PHP detects the .user.ini (up to 5 minutes by default).

    Thread Starter OviLiz

    (@ovib)

    Thank you; actually, using “Nginx + CGI/FastCGI” doesn’t show any alert.

    Still can’t figure out why the clickjacking protection doesn’t appear to work (and that’s something simple to test – even by using http://www.lookout.net/test/clickjack.html ).

    If I use the .htaccess it does the job, but not with the NF setting. Any idea?

    Thread Starter OviLiz

    (@ovib)

    I spoke too soon: the “It seems the user session was not set by the firewall script or may have been destroyed by another plugin. You may get blocked by the firewall while working from the WordPress administration dashboard.” alert is back without any new action.

    So, it looks like using “Apache + CGI/FastCGI” and .user.ini is the same as “Nginx + CGI/FastCGI” and .user.ini, as it doesn’t change anything related to my problem.

    Thread Starter OviLiz

    (@ovib)

    I have disabled Wordfence and disabled and deleted NinjaFirewall. With Wordfence disabled, I have installed NinjaFirewall back and activated it. Even after that the issue is still there, so it is not related to Wordfence.

    Also, using either PHP 7.0.1, 5.6.16 or even 5.4.45 doesn’t change anything.

    Plugin Author nintechnet

    (@nintechnet)

    A plugin or theme could be wrongly altering/deleting the session.
    You would need to scan your PHP scripts (at least plugins and themes) to see if one of them is using sessions. Search for “session_destroy”, “session_id”, “session_start”.

    Regarding headers, go to “Firewall Policies” and enable “Set X-Content-Type-Options to protect against MIME type confusion attacks”, “Set X-Frame-Options to protect against clickjacking attempts”, and “Set X-XSS-Protection to enable browser’s built-in XSS filter” options.
    Then go to http://headers.cloxy.net/, enter your website and check whether the returned HTTP headers include “X-Content-Type-Options”, “X-Frame-Options” and “X-XSS-Protection”.

    In my case it doesn’t work; I just enter any option and I stay on the same page, like a loop.
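    The scan nintechnet recommends (searching plugins and themes for “session_destroy”, “session_id”, “session_start”), as an added Python example that is not part of the original thread or the plugin: it walks a wp-content tree, reports every PHP session call with file and line, and skips the ninjafirewall plugin directory, which is assumed to be the firewall's own (expected) session user. The sample tree it builds is constructed, not taken from any real site.

```python
import os
import re
import tempfile

# The calls nintechnet suggests searching for, plus two relatives; matched as function calls only.
SESSION_CALLS = ("session_destroy", "session_id", "session_start",
                 "session_regenerate_id", "session_unset")
CALL_RE = re.compile(r"\b(" + "|".join(SESSION_CALLS) + r")\s*\(")

def scan_tree(root, skip_dirs=("ninjafirewall",)):
    """Walk wp-content (plugins and themes) and return (relative path, line, call) for
    every PHP session call. The firewall's own plugin directory is skipped because it
    legitimately starts the session that the other hits may be destroying."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for fn in filenames:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    for m in CALL_RE.finditer(line):
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        hits.append((rel, lineno, m.group(1)))
    return sorted(hits)

def build_sample_tree():
    """Constructed wp-content tree (not from any real site): the firewall's own session
    call, a plugin that destroys every session, a clean theme and a non-PHP mention."""
    root = tempfile.mkdtemp()
    files = {
        "plugins/ninjafirewall/lib/firewall.php": "<?php session_start(); // the firewall's own session\n",
        "plugins/some-cache/cache.php": "<?php\nfunction flush_all() {\n    session_start();\n"
                                        "    session_destroy(); // drops the firewall's flag too\n}\n",
        "themes/mytheme/functions.php": "<?php add_action('init', 'mytheme_setup');\n",
        "plugins/some-cache/readme.txt": "Calls session_start( internally.\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return root

if __name__ == "__main__":
    for rel, lineno, call in scan_tree(build_sample_tree()):
        print("%s:%d: %s()" % (rel, lineno, call))
```

On the poster's layout the real run is scan_tree() over the wp-content directory under the public folder quoted in the .htaccess snippet above.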

    Plugin Author nintechnet

    (@nintechnet)

    @doublet: you would need to ask your host if you can use the PHP “auto_prepend_file” directive in the “.user.ini” file.

    https://serverpilot.io/community/articles/how-to-change-php-settings.html
    https://serverpilot.io/community/articles/customize-php-settings.html
