Urgent security issue in NGINX/php-fpm

My config was a bit different, but also needed patching anyway.
I made a backup of the old config and just replaced everything with the new one.

Just needed to adjust server_name, root, ssl_certificate and ssl_certificate_key, as advised in the documentation. Quick and easy.

As many have mentioned, the patched PHP version was not available for me until yesterday. It is available now though (I am using Sury’s repos on Debian 9, with php 7.3).

Gotta thank Sury for how fast he made that available!

Cheers!
Gus

Answered my question myself:

Replaced

location / {
    try_files $uri $uri/ index.php;
}

by

location / {
    rewrite ^ /index.php;
}

and everything works fine. Awaiting the PHP patch in Debian Buster repo…

I think Apache users should take a look at these two bugs, at least if their installations were not freshly installed lately:


I’m using the NextCloudPi image (have been for a long time), and for some reason I cannot find nginx or the nginx config file. It’s not in /etc/nginx/
I did sudo find / -name *nginx.conf but that didn’t help. Any ideas?

I assume, because of the nature of NextCloudPi, these installations will get an auto-update (if auto-update is turned on)? @nachoparker might inform us?

NextcloudPi uses Apache as webserver and not nginx.

Hello, I’m using this example.
Can you please tell me what I have to modify?

I did
#apt update && apt install php7.3-fpm
Was asked if I wanted to make some changes to some configuration files or keep the ones in place. I decided to keep them and not change. The update was eventful.

Found that the lines that needed to be edited were in fact located in /etc/nginx/conf.d/nextcloud.conf

Made the changes and saved.
Did
#service php7.3-fpm restart
#service nginx restart
#php -v
gives PHP 7.3.11-1+ubuntu18.04.1+deb.sury.org+1 (cli)

So far the site works as normal after the upgrade.

IMHO installing a sustainable and efficient server is not a simple endeavour. This may not matter most in small scaled service groups and for home users.

“Too many cooks spoil the broth.” & Beware of “quick and dirty.”
:smirk:

First, keep it small and keep it simple. Consider if your Nextcloud installation actually needs the ‘php-fpm’ module, as this is the NC home user forum, if I may recall. Trust the true experts in the background; there is good reason for advice like "Note that most Apache users probably want the libapache2-mod-php7.3 package." on Debian. However, Nginx is an excellent workhorse for big scales and in addition may help on systems with narrow resources.

Second, don’t cross your bridges before you come to them. There will be an official update to the php7.3-fpm and the nginx package available in due time, as should be appropriate for your system flavour. There should be an applicable security advisory, e.g. a DSA, available too, I presume.

Naturally, you are free to use your NC install for trials and to load any software as you deem necessary. Many if not most of the comments in this thread may guide you and provide true help, hopefully.
:innocent:

Hope this helps.

Thanks for the headsup.

I am running nextcloudpi.

When i do php -v, I have the following:

"Cannot load Zend OPcache - it was already loaded
PHP 7.2.24-1+0~20191026.31+debian9~1.gbpbbacde (cli) (built: Oct 26 2019 14:18:28) ( NTS )
Copyright © 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright © 1998-2018 Zend Technologies
with Zend OPcache v7.2.24-1+0~20191026.31+debian9~1.gbpbbacde, Copyright © 1999-2018, by Zend Technologies"

I understand that the latest PHP version is v. 7.3.11

I can’t find the nginx config files in /etc/nginx/

Can you help me with the steps to update PHP to the latest version running NextcloudPi?

Nextcloud version is: 16.0.5.1

Thank you.

Regards

Cattivello

7.2.24 is the latest in the 7.2 branch.

Please be aware I have no expertise of my own with NextcloudPi, unfortunately. However, some general advice in the following.

Your system may be without the nginx server and happily away from the a.m. ‘NGINX/php-fpm’ issue. Check your active webserver with:

sudo systemctl status apache2

This should show your Apache 2.4 on the job or some other info.

You may consult the below article for background information.
Why NextCloudPi uses Apache and not Nginx

Consult the NCP docs on the project website and the NCP release section at GitHub:

There is an article as of August 2019 available giving some overview and specific advice on NCP updates on:

Apparently, one should follow a three-stage procedure for a more thorough NextcloudPi update / system migration:

In order to upgrade, issue the following commands:
sudo ncp-update
sudo ncp-dist-upgrade

Should the upgrade fail at some Debian package, you can issue ncp-dist-upgrade again after fixing it to complete the process.

Your goal should be a PHP 7.3 install. Apparently, the NCP update procedure should ensure everything is in the right place.

However, please be aware that you should avoid the apt update command usual to other Linux flavours, as NCP provides the a.m. special commands ncp-update and ncp-dist-upgrade specifically. Mixing NCP packages with standard packages would bring you some hassle and would destroy the good efforts of the NCP project on your install, I presume.

Further, you may consult the NC 16 php.ini configuration notes in the Nextcloud docs.

Please be aware you currently are in the ‘news’ category. There may be some better place to ask for help on your issues in this NC forum available at:

Hope this helps.
:smile:

BTW a little ACK to my comment (i.e. click on the heart icon :heart:) would show you are satisfied. This could be a kind gesture and would motivate me like authors of other advice to continue in seeking to help…
:smiley:


Debian users may perform the procedure of:

sudo apt update
sudo apt upgrade

appropriately to make a security upgrade of php7.3 (7.3.11-1~deb10u1) and some other packages. The same applies to 7.0.33-0+deb9u6 and 5.6.40+dfsg-0+deb8u7 apparently.

Please consult the DSA 4553 for the PHP 7.3 Debian Security Advisory.

Hope this helps.
:smiley:

Hello all,

I’m sorry, but I read all your messages and I am still not able to fix my configuration. I had a working configuration before and now it’s a blank page or an internal server error.

My configuration is a Debian one and I don’t understand, but I don’t have any error message.

My current configuration is this one:

upstream php-handler {
    server unix:/run/php/php7.3-fpm.sock;
}

server {
    listen 80;
    listen [::]:80;
    server_name cloud.xxxx.fr;
    # enforce https
    return 301 https://$server_name:443$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.xxxx.fr;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE: some settings below might be redundant
    ssl_certificate /etc/ssl/nginx/fullchaincert.pem;
    ssl_certificate_key /etc/ssl/nginx/cloud.xxxx.fr.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Path to the root of your installation
    root /www/cloud.xxxx.fr;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/webfinger /public.php?service=webfinger last;

    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
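A small config checker for the pattern this thread converges on, added here as an example and not taken from the thread or from the Nextcloud project: it walks nginx location blocks and reports any block that hands requests to PHP-FPM and derives PATH_INFO with fastcgi_split_path_info but does not place try_files $fastcgi_script_name =404; before fastcgi_pass, the guard the configuration above carries. The sample blocks are constructed in the shape of that configuration; the php-handler upstream name is taken from it.

```python
import re
# Constructed sample blocks in the shape of the PHP location block posted
# above: one keeps the try_files guard, the other has it removed.
SAFE_BLOCK = r"""
location ~ ^\/(?:index|remote|public|cron)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_pass php-handler;   # upstream name as in the posted config
}
"""
UNSAFE_BLOCK = SAFE_BLOCK.replace("    try_files $fastcgi_script_name =404;\n", "")

LOCATION_RE = re.compile(r"\blocation\b[^{]*\{")
GUARD_RE = re.compile(r"try_files\s+\$fastcgi_script_name\s+=404\s*;")

def iter_location_blocks(conf):
    """Yield (header, body) for every location block, matching braces by
    counting so nested blocks keep their full body."""
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.start():m.end() - 1].strip(), conf[m.end():i - 1]

def check_php_blocks(conf):
    """Return (header, verdict) for each block that passes to PHP-FPM and
    splits PATH_INFO; 'ok' only if the =404 guard precedes fastcgi_pass."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments before scanning
    results = []
    for header, body in iter_location_blocks(conf):
        if "fastcgi_pass" not in body or "fastcgi_split_path_info" not in body:
            continue
        guard = GUARD_RE.search(body)
        if guard and guard.start() < body.index("fastcgi_pass"):
            results.append((header, "ok"))
        else:
            results.append((header, "no try_files =404 guard before fastcgi_pass"))
    return results

if __name__ == "__main__":
    for name, sample in (("safe", SAFE_BLOCK), ("unsafe", UNSAFE_BLOCK)):
        for header, verdict in check_php_blocks(sample):
            print(f"{name}: {header} -> {verdict}")
```

Feed it the text of a real nextcloud.conf (for example via open(path).read()) to audit every PHP location block at once.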

Maybe I had a similar problem to yours.
After the updates of Raspbian on my Pi I got error 502.
I figured out that the nginx service could not start because of a not started php-fpm service.
I had to enable the services again.
But that alone didn’t help, because the services take too long to start and nginx again showed the error message. After adding this in nginx.service it seems to work.
[Service]

TimeoutStartSec=600

At least for me…


Thanks, I only have to restart php with
systemctl restart php7.3-fpm.service

hi @TP75,
thanks for your answer. I think you’re right, I have apache2 running and active.
As you mentioned… can I assume I am out of trouble?
I will not run the Debian update, to avoid breaking NextcloudPi (especially after reading about others that have done it and got into trouble).


You are welcome.

BTW a little ACK to one or more of my comments (i.e. click on the heart icon :heart:) would show you are satisfied. This could be a kind gesture and would motivate me like authors of other advice to continue in lending a hand freely…
:smiley:

One should presume you are on the safe bank.

Good luck.
:four_leaf_clover:


Hello,

after the update I was receiving some errors, can’t remember them now because I recopied the configuration for nginx. When I did that, index.php is not rendering and is now just trying to download. I believe this is because I am not pointing to where fpm is listening or something along those lines, but I double checked the config and everything seems fine.
Not sure what to do here.

Please be aware this is the ‘news’ section and there are more appropriate categories like ‘support’ or ‘howto’ available in this user forum.

No offence. Hope this helps.
:smile: