I'm not sure if this error is Nginx itself unable to read globalblacklist.conf, or if it is pagespeed unable to read globalblacklist.conf. Can you answer this? As a note, the pagesped module was turned off when this error was encountered. Also, it seems changing globalblacklist.conf with chmod to loosen permissions, reverts itself to stricter permissions after an update to bad bot blocker. Can you fix bad blocker so that it loosens permissions after each update so this issue is fixed? Are there any other workarounds you can suggest?
To Reproduce
Just install and run Nginx Bad Bot blocker.
Expected behavior
The Permission denied error shouldn't appear.
Screenshots
N/A
Copy of nginx.conf
#user www-data www-data;
user www-data;
worker_processes auto;
pid /run/nginx.pid;
load_module modules/ngx_http_modsecurity_module.so;
load_module modules/ngx_pagespeed.so;
#load_module modules/ngx_http_cache_purge_module.so;
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
events {
worker_connections 1024;
# multi_accept on;
# epoll: This is an efficient method of processing connections available on Linux 2.6+.
# The method is similar to the FreeBSD kqueue. There is also the additional directive
# epoll_events. This specifies the number of events that NGINX will pass to the kernel.
# The default value for this is 512.
use epoll;
}
http {
##
# MOD SECURITY
##
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
##
# SSL
##
ssl_session_cache shared:SSL:10m; #SSL session cache
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
##
# UPLOADS
##
client_max_body_size 300M;
client_body_buffer_size 300M;
fastcgi_read_timeout 400;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 4096;
server_tokens off;
server_names_hash_bucket_size 256; # Change to 64 if you have long server names
server_name_in_redirect off;
##
# HARDENING:
##
# Pestmeester.nl # Change to 10 to really harden.
client_header_timeout 10;
client_body_timeout 10;
keepalive_timeout 70;
send_timeout 10;
##
# NGINX AMPLIFY: Fix Missing HTTP header definitions in proxy_pass
##
# Best practice is to configure a clear set of headers with proxy_pass.
# The Host header is always important. Add the following to your nginx configuration:
proxy_set_header Host $host;
proxy_headers_hash_max_size 4096;
proxy_headers_hash_bucket_size 4096;
# and optionally the following:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Protocol $scheme;
##
# LOGGING
##
# Nginx default log paths
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log notice;
# Exclude Your Own IP Address in Nginx Access Log (for Amplify-agent)
map $remote_addr $log_ip {
"123.444.567.890" 0;
default 1;
}
# NETDATA:
# Create a custom Nginx log format called netdata that includes information about
# request_time, and upstream_response_time, measured in seconds with millisecond resolution.
log_format netdata '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'$request_length $request_time $upstream_response_time '
'"$http_referer" "$http_user_agent"';
# AMPLIFY:
# Create a custom Nginx log format called apm for nginx amplify
log_format apm '"$time_local" client=$remote_addr '
'method=$request_method request="$request" '
'request_length=$request_length '
'status=$status bytes_sent=$bytes_sent '
'body_bytes_sent=$body_bytes_sent '
'referer=$http_referer '
'user_agent="$http_user_agent" '
'upstream_addr=$upstream_addr '
'upstream_status=$upstream_status '
'request_time=$request_time '
'upstream_cache_status="$upstream_cache_status" '
'upstream_response_time=$upstream_response_time '
'upstream_connect_time=$upstream_connect_time '
'upstream_header_time=$upstream_header_time';
# Use Syslog for amplify metric collection
#access_log syslog:server=127.0.0.1:12000,tag=amplify,severity=info; main_ext;
# STUB STATUS (Netdata & Amplify)
server {
listen 127.0.0.1:80 default_server;
server_name 127.0.0.1;
location /nginx_status {
stub_status on;
allow 127.0.0.1;
deny all;
}
}
##
# INCLUDES
##
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# COMPRESSION
##
# BROTLI:
# The 'brotli off|on' value enables or disbles dynameic or on the fly compression of the content.
brotli on;
# The 'brotli_static on' value enables the Nginx server to check if the pre-compressed files with the .br extensions
# exists or not. The always value allows the server to send pre-compressed content without confirming if the browser
# supports it or not. Since Brotli is resource-intensive, this modules is best suited to reduse the bottleneck situations.
#brotli_static on;
brotli_static always;
# The brotli_comp_level directive sets the dynamic compression quality. It can range from 0 to 11.
brotli_comp_level 7;
#brotli_window 512k;
# Configure a minimum length in order to have the requst compressed, determined by the Content-Length field in the HTTP headers.
brotli_min_length 20; # or try 21
# Enable dynamic compression for specific MIME types, whereas text/html respnosese are always compressed.
brotli_types application/atom+xml application/javascript application/json application/rss+xml
application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
# G-ZIP
gzip off;
# Linuxbabe turns gzip_vary on, but we turn it off here because when enabling it, you may have problems clearing the cache.
#gzip_vary off;
#gzip_vary on;
#gzip_proxied any;
#gzip_min_length 1000;
#gzip_comp_level 6;
#gzip_buffers 16 8k;
#gzip_http_version 1.1;
#gzip_types application/json application/x-javascript application/javascript application/atom+xml
#application/rss+xml application/vnd.ms-fontobject application/x-font-ttf
#application/x-web-app-manifest+json application/xhtml+xml application/xml;
##
# FASTCGI CACHE
##
# LINUXBABE
# If you installed multiple instances of WordPress site on the same server, then you can create a separate FastCGI cache for each WordPress site.
# Cached data that are not accessed during the time specified by the inactive parameter get removed from the cache regardless of their freshness.
# In addition, all active keys and information about data are stored in a shared memory zone, whose name and size are configured by the keys_zone
# parameter. One megabyte zone can store about 8 thousand keys.
# By default, inactive is set to 10 minutes.
#fastcgi_cache_path /usr/share/nginx/fastcgi_cache levels=1:2 keys_zone=phpcache:100m max_size=15g inactive=12h use_temp_path=off;
#
#fastcgi_cache_path /var/www/fastcgi_cache/danran.rocks levels=1:2 keys_zone=danran.rocks:100m max_size=150m inactive=12h use_temp_path=off; # On Disk
fastcgi_cache_path /var/www/cache/fastcgi_cache/danran.rocks levels=1:2 keys_zone=danran.rocks:100m max_size=150m inactive=24h use_temp_path=off; # In Memory (ramdisk)
#
#fastcgi_cache_path /var/www/fastcgi_cache/oddcake.net levels=1:2 keys_zone=oddcake.net:100m max_size=150m inactive=12h use_temp_path=off; # On Disk
fastcgi_cache_path /var/www/cache/fastcgi_cache/oddcake.net levels=1:2 keys_zone=oddcake.net:100m max_size=150m inactive=24h use_temp_path=off; # In Memory (ramdisk)
#
#fastcgi_cache_path /var/www/fastcgi_cache/mcmo.is levels=1:2 keys_zone=mcmo.is:100m max_size=700m inactive=12h use_temp_path=off; # On Disk
fastcgi_cache_path /var/www/cache/fastcgi_cache/mcmo.is levels=1:2 keys_zone=mcmo.is:100m max_size=700m inactive=24h use_temp_path=off; # In Memory (ramdisk)
#
fastcgi_cache_key "$scheme$request_method$host$request_uri";
##
# Virtual Hosts
##
#include /etc/nginx/botblocker.d/*.conf;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
Copy of vhost / website / host .conf file
N/A
Server (please complete the following information):
Operating System:
[x] Ubuntu
[ ] Alpine
[ ] Arch Linux
[ ] Debian
[ ] CentOS
[ ] Fedora
[ ] Deepin
[ ] Windows
[ ] Other
Specify Exact Version of OS: Ubuntu 22.04 for Raspberry Pi (aarch64)
5.15.0-1050-raspi #53-Ubuntu SMP PREEMPT Thu Mar 21 10:02:47 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux
Nginx Version [post output of sudo nginx -v]
nginx/1.25.4
Other Environments [include Version information]
[ ] Plesk
[ ] CPanel
[ ] Synology NAS
[ ] Other
[x] pagespeed nginx module (currently turned off in vhosts)
[x] modsecurlyt nginx module
Specify Other / Specific Version Information Here:
Any other applicable log / error messages that may help us to help you.
Describe the bug
I am successfully running Nginx Ultimate Bad bot blocker, but am looking at an error in my Nginx logs. Here is the error:
I'm not sure if this error is Nginx itself unable to read globalblacklist.conf, or if it is pagespeed unable to read globalblacklist.conf. Can you answer this? As a note, the pagesped module was turned off when this error was encountered. Also, it seems changing globalblacklist.conf with chmod to loosen permissions, reverts itself to stricter permissions after an update to bad bot blocker. Can you fix bad blocker so that it loosens permissions after each update so this issue is fixed? Are there any other workarounds you can suggest?
To Reproduce
Just install and run Nginx Bad Bot blocker.
Expected behavior
The Permission denied error shouldn't appear.
Screenshots
N/A
Copy of nginx.conf
Copy of vhost / website / host .conf file
N/A
Server (please complete the following information):
Operating System:
[x] Ubuntu
[ ] Alpine
[ ] Arch Linux
[ ] Debian
[ ] CentOS
[ ] Fedora
[ ] Deepin
[ ] Windows
[ ] Other
Other Environments [include Version information]
[ ] Plesk
[ ] CPanel
[ ] Synology NAS
[ ] Other
[x] pagespeed nginx module (currently turned off in vhosts)
[x] modsecurlyt nginx module
Specify Other / Specific Version Information Here:
Any other applicable log / error messages that may help us to help you.
Additional information
N/A