2017-01-28, 11:45 PM
Hi there. So I've discovered an issue that occurs in MyBB when using the apache webserver in combination with the fastcgi module and php-fpm. It breaks profile status location and could confuse a user.
The issue
On user profiles where the user is online the status will say:
Unknown Location
and the link will be:
[BoardURLHERE]/php7-fcgi?[WhateverQueryStringDataBelongsToTheRequest]
This results in an invalid link. It's worth looking into. Below is more technical information which is probably important to know so the issue may be resolved.
Server Setup
nginx accepts all incoming requests, sets the real IP from the reverse proxies that mitigate DoS, and forwards any PHP requests to Apache, which uses the rpaf module to set the real IP from nginx (Apache runs on a non-standard port and cannot be called directly). Apache uses FastCGI to utilize PHP-FPM. Apache also runs ModSecurity in DetectionOnly mode to detect SQLi attempts so I can learn which files are attacked the most and audit them more frequently.
PHP version is 7.0.13-0ubuntu0.16.04.1 and it's PHP-FPM.
FastCGI.conf
<IfModule mod_fastcgi.c>
    AddHandler fastcgi-script .fcgi
    #FastCgiWrapper /usr/lib/apache2/suexec
    FastCgiIpcDir /var/lib/apache2/fastcgi
    AddHandler php7-fcgi .php
    Action php7-fcgi /php7-fcgi virtual
    Alias /php7-fcgi /usr/lib/cgi-bin/php7-fcgi
    FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi -socket /var/run/php/php7.0-fpm.sock -pass-header WebDeflect-Real-IP
</IfModule>
<Directory /usr/lib/cgi-bin>
    Require all granted
</Directory>