Page 1 of 2

web.config vs. web.config.txt file?

Posted: Fri Feb 22, 2019 3:16 pm
by iwecom
Hello,

I see on post-installation notes for joomla 3.9.3 that there is a recommendation to add code to the web.config file:

=====
Changes for web.config
Add the following lines right after "</rewrite>":

<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
=======


The only file I see related is /public_html/web.config.txt

Is this the file I should add the code to?

Thanks

Re: web.config vs. web.config.txt file?

Posted: Fri Feb 22, 2019 3:26 pm
by JAVesey
iwecom wrote:
Fri Feb 22, 2019 3:16 pm
The only file I see related is /public_html/web.config.txt

Is this the file I should add the code to?
This file is only used on a Microsoft IIS server. If your site is operating under this environment then yes, add the text to this file and then rename the web.config.txt to web.config

If your site is running under Apache then you only need to following the instructions for the .htaccess file, i.e. add the text to this file.

Re: web.config vs. web.config.txt file?

Posted: Fri Feb 22, 2019 3:57 pm
by iwecom
Thanks John!

My website is apparently on: Linux nginx/1.14.1 (bluehost)

so I understand your comment to ignore the "web.config" post-installation note?

The full post-installation note is:

=======
Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
Changes for web.config
Add the following lines right after "</rewrite>":

<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
========

I'm slightly unclear about about your last sentence, did you mean to completely ignore the web.config coding, or to put it in the .htaccess file?:

This part:
=======
Add the following lines right after "</rewrite>":

<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
=======

Thanks in advance,

Re: web.config vs. web.config.txt file?

Posted: Fri Feb 22, 2019 4:37 pm
by imanickam
As your operating environment is Nginx, review of the following document would be of help.

https://docs.joomla.org/J3.x:Joomla_3.9 ... _for_Nginx

Re: web.config vs. web.config.txt file?

Posted: Fri Feb 22, 2019 6:00 pm
by iwecom
Yes, I saw:
=====
Changes for Nginx
In case you are using Nginx webserver, add the following parameter under the server block in your Nginx configuration /etc/nginx/nginx.conf

http {
add_header X-Content-Type-Options nosniff;
}

=======
So I noticed that in the ROOT folder of the server, where the ETC folder is, that there is no /nginx folder so I called BlueHost and they said they DO run Apache server, but that they also run a Ngnix program.

They couldn't give me any more info than that and they didn't know what to say about the implied folder and file of /etc/nginx/nginx.conf

So does this mean I need to create a /ngnix folder and then create the ngnix.conf file and put that bit of code in there?

Thanks in advance,

Re: web.config vs. web.config.txt file?

Posted: Sat Feb 23, 2019 3:38 am
by imanickam
iwecom wrote:
Fri Feb 22, 2019 3:57 pm
I'm slightly unclear about about your last sentence, did you mean to completely ignore the web.config coding
As JAVesey mentioned, the file web.config is used in Microsoft's IIS server. If your hosting environment is Unix (or a flavor of it), the changes to the file web.config are not applicable and hence you can ignore those changes mentioned for the file web.config.

What could help others to offer help/guidance in this case is a screenshot of your site's backend page with the title "System Information" (System => System Information).

Do you see a file named .htaccess in the directory where Joomla is installed?

Re: web.config vs. web.config.txt file?

Posted: Sat Feb 23, 2019 6:00 pm
by iwecom
Ok thanks for the clarification, I will ignore the web.config notes in the post-installation then.

Attached is the screenshot you suggested.

The only reason I know Bluehost runs Ingnix on my Linux Apache server is because a third party scan caught it.

So I'm still unclear whether I should create the folder and file for Nginx or not, what do you think?

And yes I updated .htaccess as per other post-installation messages to help avoid sniffing by bad robots

Thanks in advance

Re: web.config vs. web.config.txt file?

Posted: Sat Feb 23, 2019 7:58 pm
by sozzled
it'sApache.jpg
See also viewtopic.php?f=9&t=969694#p3559509

Re: web.config vs. web.config.txt file?

Posted: Sat Feb 23, 2019 8:30 pm
by iwecom
Thanks Sozzled, yes I saw that but a third party scanner reveals that Bluehost runs the Ngnix program on top of their Apache, and Bluehost also confirmed it to me telephonically.

So should I should I create the aforementioned Ngnix folder and file?
Bluehost had no comment on the matter because they are not internally trained about Joomla.

Re: web.config vs. web.config.txt file?

Posted: Sat Feb 23, 2019 8:34 pm
by sozzled
I really don't know. The most reliable source of information that I use when responding to questions asked on this forum is the Forum Post Assistant report. If people don't want to use that facility then I'm only guessing.

Re: web.config vs. web.config.txt file?

Posted: Sun Feb 24, 2019 12:36 am
by iwecom
Sozzled, I wasn't aware of the tool you mentioned, Forum Post Assistant, I will check it out and post accordingly hopefully, many thanks. This Ngnix thing bugs me enough to persist. Sniffing is bull!!!

Re: web.config vs. web.config.txt file?

Posted: Sun Feb 24, 2019 12:56 am
by sozzled
I'm not going to have an argument by proxy with your webhosting provider. Bluehost may run some websites on Nginx. That may be true. By the same token, Bluehost technical staff don't need to be trained in Joomla but they need to understand what their customers need.

Joomla is a CMS. It needs three things: webhosting server software, a scripting language and a database engine. Bluehost needs to understand only that they have to provide those things that are needed for J!. I don't know what third-party scanning tool you may be using; some information may be useful to put this into context (but I don't think it really matters).

If you don't want to use the FPA reporting tool, that's your business. We can only guess what you need (and I don't like to guess).

Image

Re: web.config vs. web.config.txt file?

Posted: Sun Feb 24, 2019 6:19 pm
by iwecom
I will follow up once I get the FPA all set up, thank you

Re: web.config vs. web.config.txt file?

Posted: Sun Feb 24, 2019 6:41 pm
by iwecom
Forum Post Assistant (v1.4.8 (koine)) : 24th February 2019 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.9.3-Stable (Amani) 12-February-2019
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: --protected-- . (uid: 1/gid: 1) | Group: --protected-- (gid: 1) | Valid For: 3.9
Configuration Options :: Offline: false | SEF: true | SEF Suffix: false | SEF ReWrite: true | .htaccess/web.config: Yes | GZip: false | Cache: false | CacheTime: 15 | CacheHandler: file | CachePlatformPrefix: false | FTP Layer: false | Proxy: false | LiveSite: | Session lifetime: 90 | Session handler: database | Shared sessions: false | SSL: 2 | Error Reporting: default | Site Debug: false | Language Debug: false | Default Access: 1 | Unicode Slugs: false | dbConnection Type: mysqli | PHP Supports J! 3.9.3: Yes | Database Supports J! 3.9.3: Yes | Database Credentials Present: Yes |

Host Configuration :: OS: Linux | OS Version: 3.10.0-693.11.6.1.ELK.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: --protected-- | System TMP Writable: Yes | Free Disk Space : 1077.18 GiB |

PHP Configuration :: Version: 7.0.33 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 32759 | Log Errors To: error_log | Last Known Error: 21st February 2019 08:51:51. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

Database Configuration :: Version: 5.6.41-84.1 (Client:5.6.41-84.1) | Host: --protected-- (--protected--) | default Collation: latin1_swedish_ci (default Character Set: latin1) | Database Size: 30.00 MiB | #of Tables:  113
Detailed Environment :: wrote:PHP Extensions :: Core (7.0.33) | date (7.0.33) | libxml (7.0.33) | openssl (7.0.33) | pcre (7.0.33) | sqlite3 (7.0.33) | zlib (7.0.33) | bcmath (7.0.33) | bz2 (7.0.33) | calendar (7.0.33) | ctype (7.0.33) | curl (7.0.33) | dom (20031129) | hash (1.0) | fileinfo (1.0.5) | filter (7.0.33) | ftp (7.0.33) | gd (7.0.33) | gettext (7.0.33) | gmp (7.0.33) | SPL (7.0.33) | iconv (7.0.33) | session (7.0.33) | intl (1.1.0) | json (1.4.0) | mbstring (7.0.33) | mcrypt (7.0.33) | mysqli (7.0.33) | odbc (7.0.33) | standard (7.0.33) | PDO (7.0.33) | pdo_mysql (7.0.33) | pdo_pgsql (7.0.33) | pdo_sqlite (7.0.33) | pgsql (7.0.33) | Phar (2.0.2) | posix (7.0.33) | pspell (7.0.33) | Reflection (7.0.33) | imap (7.0.33) | SimpleXML (7.0.33) | soap (7.0.33) | sockets (7.0.33) | exif (7.0.33) | tidy (7.0.33) | tokenizer (7.0.33) | wddx (7.0.33) | xml (7.0.33) | xmlreader (7.0.33) | xmlrpc (7.0.33) | xmlwriter (7.0.33) | xskl (7.0.33) | zip (1.13.5) | cgi-fcgi () | mailparse (3.0.0) | uploadprogress (1.0.3.1) | imagick (3.4.3) | magickwand (1.0.8) | OAuth (2.0.1) | ionCube Loader () | Zend Engine (3.0.0) |
Potential Missing Extensions ::
Disabled Functions :: dl |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) | administrator/logs/ (---) |

Elevated Permissions (First 10) ::
Database Information :: wrote:Database statistics :: Uptime: 6475229 | Threads: 16 | Questions: 2144338714 | Slow queries: 274488 | Opens: 26638444 | Flush tables: 1 | Open tables: 4096 | Queries per second avg: 331.160 |
Extensions Discovered :: wrote:Components :: SITE ::
Core :: com_wrapper (3.0.0) 1 | com_mailto (3.0.0) 1 |
3rd Party::

Components :: ADMIN ::
Core :: com_messages (3.0.0) 1 | com_languages (3.0.0) 1 | com_media (3.0.0) 1 | com_privacy (3.9.0) 1 | com_postinstall (3.2.0) 1 | com_admin (3.0.0) 1 | com_templates (3.0.0) 1 | com_ajax (3.2.0) 1 | com_redirect (3.0.0) 1 | com_installer (3.0.0) 1 | com_checkin (3.0.0) 1 | com_menus (3.0.0) 1 | com_cache (3.0.0) 1 | com_login (3.0.0) 1 | com_search (3.0.0) 1 | com_fields (3.7.0) 1 | com_tags (3.1.0) 1 | com_users (3.0.0) 1 | com_finder (3.0.0) 1 | com_actionlogs (3.9.0) 1 | com_config (3.0.0) 1 | com_contenthistory (3.2.0) 1 | com_categories (3.0.0) 1 | com_content (3.0.0) 1 | com_cpanel (3.0.0) 1 | com_associations (3.7.0) 1 | com_joomlaupdate (3.6.2) 1 | com_plugins (3.0.0) 1 | com_banners (3.0.0) 1 | com_newsfeeds (3.0.0) 1 | com_modules (3.0.0) 1 |
3rd Party:: Akeeba (6.4.0) 1 | com_jaextmanager (2.5.3) 1 | com_jaextmanager (2.6.5) 1 | COM_EASYFRONTENDSEO (3.4.0) 1 | Multicats (3.9.3.1) 1 |

Modules :: SITE ::
Core :: mod_search (3.0.0) 1 | mod_wrapper (3.0.0) 1 | mod_languages (3.5.0) 1 | mod_tags_popular (3.1.0) 1 | mod_syndicate (3.0.0) 1 | mod_menu (3.0.0) 1 | mod_breadcrumbs (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_articles_latest (3.0.0) 1 | mod_finder (3.0.0) 1 | mod_users_latest (3.0.0) 1 | mod_banners (3.0.0) 1 | mod_whosonline (3.0.0) 1 | mod_articles_category (3.0.0) 1 | mod_articles_popular (3.0.0) 1 | mod_random_image (3.0.0) 1 | mod_articles_news (3.0.0) 1 | mod_feed (3.0.0) i 1 | mod_stats (3.0.0) 1 | mod_tags_similar (3.1.0) 1 | mod_articles_categories (3.0.0) 1 | mod_articles_archive (3.0.0) 1 | mod_related_items (3.0.0) 1 | mod_footer (3.0.0) 1 | mod_login (3.0.0) 1 |
3rd Party:: Module - JA Yahoo Finance (1.0.0) 1 | MOD_DATETIME (2.3.2) 1 | Advanced Twitter Display (1.1) 1 | Module - JA Yahoo Weather (1.0.2) 1 | MOD_JA_ACM (2.1.4) 1 | JA Facebook Like Box Module (2.6.2) 1 |

Modules :: ADMIN ::
Core :: mod_latest (3.0.0) 1 | mod_version (3.0.0) 1 | mod_sampledata (3.8.0) 1 | mod_menu (3.0.0) 1 | mod_stats_admin (3.0.0) 1 | mod_logged (3.0.0) 1 | mod_toolbar (3.0.0) 1 | mod_multilangstatus (3.0.0) 1 | mod_status (3.0.0) 1 | mod_custom (3.0.0) 1 | mod_title (3.0.0) 1 | mod_latestactions (3.9.0) 1 | mod_quickicon (3.0.0) 1 | mod_privacy_dashboard (3.9.0) 1 | mod_feed (3.0.0) 1 | mod_popular (3.0.0) 1 | mod_login (3.0.0) 1 | mod_submenu (3.0.0) 1 |
3rd Party:: mod_quickcachecleaning (3-5) 1 |

Libraries :: SITE ::
Core ::
3rd Party::

Plugins :: SITE ::
Core :: plg_quickicon_joomlaupdate (3.0.0) 1 | plg_quickicon_privacycheck (3.9.0) 1 | plg_quickicon_phpversioncheck (3.7.0) 1 | plg_quickicon_extensionupdate (3.0.0) 1 | plg_installer_packageinstaller (3.6.0) 1 | plg_installer_webinstaller (1.1.1) 1 | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) 1 | PLG_INSTALLER_URLINSTALLER (3.6.0) 1 | plg_authentication_cookie (3.0.0) 1 | plg_authentication_ldap (3.0.0) 0 | plg_authentication_joomla (3.0.0) 1 | plg_authentication_gmail (3.0.0) 0 | plg_content_pagenavigation (3.0.0) 0 | plg_content_vote (3.0.0) 0 | plg_content_confirmconsent (3.9.0) 0 | plg_content_fields (3.7.0) 1 | plg_content_pagebreak (3.0.0) 1 | plg_content_joomla (3.0.0) 1 | plg_content_finder (3.0.0) 0 | plg_content_loadmodule (3.0.0) 1 | plg_content_emailcloak (3.0.0) 1 | plg_editors-xtd_module (3.5.0) 1 | plg_editors-xtd_readmore (3.0.0) 1 | plg_editors-xtd_image (3.0.0) 1 | plg_editors-xtd_menu (3.7.0) 1 | plg_editors-xtd_fields (3.7.0) 1 | plg_editors-xtd_pagebreak (3.0.0) 1 | plg_editors-xtd_article (3.0.0) 1 | plg_captcha_recaptcha (3.4.0) 0 | plg_captcha_recaptcha_invisible (3.8) 0 | plg_fields_imagelist (3.7.0) 1 | plg_fields_radio (3.7.0) 1 | plg_fields_editor (3.7.0) 1 | plg_fields_checkboxes (3.7.0) 1 | plg_fields_textarea (3.7.0) 1 | plg_fields_media (3.7.0) 1 | plg_fields_color (3.7.0) 1 | plg_fields_integer (3.7.0) 1 | plg_fields_sql (3.7.0) 1 | plg_fields_usergrouplist (3.7.0) 1 | plg_fields_repeatable (3.9.0) 1 | plg_fields_calendar (3.7.0) 1 | plg_fields_list (3.7.0) 1 | plg_fields_text (3.7.0) 1 | plg_fields_url (3.7.0) 1 | plg_fields_user (3.7.0) 1 | plg_search_newsfeeds (3.0.0) 1 | plg_search_content (3.0.0) 1 | plg_search_contacts (3.0.0) 1 | plg_search_categories (3.0.0) 1 | plg_search_tags (3.0.0) 1 | plg_twofactorauth_yubikey (3.2.0) 0 | plg_twofactorauth_totp (3.2.0) 0 | plg_extension_joomla (3.0.0) 1 | plg_finder_newsfeeds (3.0.0) 1 | plg_finder_content (3.0.0) 1 | plg_finder_contacts (3.0.0) 1 | plg_finder_categories (3.0.0) 1 | plg_finder_tags (3.0.0) 1 | PLG_ACTIONLOG_JOOMLA (3.9.0) 1 | plg_privacy_actionlogs (3.9.0) 1 | plg_privacy_consents (3.9.0) 1 | plg_privacy_content (3.9.0) 1 | plg_privacy_message (3.9.0) 1 | plg_privacy_user (3.9.0) 1 | plg_user_profile (3.0.0) 1 | plg_user_contactcreator (3.0.0) 1 | plg_user_terms (3.9.0) 1 | plg_user_joomla (3.0.0) 1 | PLG_SYSTEM_ACTIONLOGS (3.9.0) 1 | plg_system_updatenotification (3.5.0) 1 | plg_system_debug (3.0.0) 1 | plg_system_privacyconsent (3.9.0) 0 | plg_system_log (3.0.0) 1 | plg_system_highlight (3.0.0) 1 | plg_system_cache (3.0.0) 0 | plg_system_remember (3.0.0) 1 | plg_system_redirect (3.0.0) 0 | plg_system_fields (3.7.0) 1 | plg_system_p3p (3.0.0) 1 | plg_system_logrotation (3.9.0) 1 | plg_system_languagefilter (3.0.0) 0 | plg_system_logout (3.0.0) 1 | plg_system_stats (3.5.0) 1 | plg_system_sessiongc (3.8.6) 1 | plg_system_languagecode (3.0.0) 0 | plg_system_sef (3.0.0) 1 |
3rd Party:: plg_editors_codemirror (5.40.0) 1 | plg_editors_tinymce (4.5.9) 1 | plg_quickicon_akeebabackup (1.0) 1 | Quick Icon - CW Multicats Updates N (3.9.2.1) ? | PLG_CONTENT_EXTRAVOTE (2.5.8) 1 | Content - JA Disqus Debate Echo (2.6.2) 0 | Content CW Multicats -Page Navigati (3.9.2.1) ? | PLG_AJAX_EXTRAVOTE (1.0) 1 | Ajax - JA Content Type (1.0.2) 1 | Ajax - CW Multicats* (3.9.0.4) 1 | PLG_EASYFRONTENDSEO (3.4.0) 1 | PLG_SYSTEM_AKEEBAACTIONLOG (1.0) 1 | PLG_SYSTEM_WEB357FRAMEWORK (1.7.5) 1 | T3 Framework (2.7.4) 1 | System - JA Content Type (1.1.3) 1 | PLG_SYSTEM_AKEEBAUPDATECHECK (1.1) 0 | System - MVC Override for CW Multic (3.9.2.1) ? | PLG_SYSTEM_BACKUPONUPDATE (3.7) 0 | plg_quickcachecleaning (3-5) 1 | System - CW Multicats Plugin (3.9.2.1) 1 |
Templates Discovered :: wrote:Templates :: SITE :: protostar (1.0) 1 | beez3 (3.1.0) 1 | ja_teline_v (1.1.6) 1 |
Templates :: ADMIN :: hathor (3.0.0) 1 | isis (1.0) 1 |

Re: web.config vs. web.config.txt file?

Posted: Sun Feb 24, 2019 8:17 pm
by sozzled
Thank you for your Forum Post Assistant [FPA] report. Your FPA report shows that your website is operating with Apache webserver. There is no indication that your website uses Nginx webserver software. This means that you only need to use .htaccess.

Your version of PHP (v7.0.3) is no longer supported: (see table below)

Image

Suggest that you change the Session Handler setting from "Database" to "PHP".

The database collation / character encoding is not recommended for J! websites after J! 3.5; suggest that you change to UTF8 multibyte. See other discussions on this matter (for example viewtopic.php?f=710&t=968910#p3557058)

The JA Extensions Manager component is unnecessary, in my opinion. This component is not listed on the JED. Your FPA report shows that you have two instances of this component installed on your website and they both can be uninstalled. Please make a backup of your website before making any changes. Cheers.

Re: web.config vs. web.config.txt file?

Posted: Sun Feb 24, 2019 9:02 pm
by ehoward
thanks, I learned a lot from your post, sozzled

Re: web.config vs. web.config.txt file?

Posted: Mon Feb 25, 2019 8:20 pm
by iwecom
Thanks Sozzled for the extra suggestions about session handler and UTF8 multibyte

The JA Extensions Manager is being encouraged for me to use by Joomlart.com , because I use a template of theirs plus some plugins too. Are you implying that because it is not in JED, that it is a potential structural risk or something?

Yes even though the FPA shows no NGNIX, when I called last week to ask them about it because a third party website scanner picked up on it, Bluehost said they indeed did run NGNIX also, "as an additional program".
This morning I have asked them to confirm to me what version of NGNIX it is, and a triple check, from their server department that they are actually running it on "my server", they opened a ticket should get back to me tomorrow or Wednesday at the latest, will advise.

So just to reconfirm, taking into account the NGNIX mystery, the only htacess file change I will make i:
Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

Re: web.config vs. web.config.txt file?

Posted: Mon Feb 25, 2019 9:08 pm
by sozzled
iwecom wrote:
Mon Feb 25, 2019 8:20 pm
The JA Extensions Manager is being encouraged for me to use by Joomlart.com ...
Of course they're "encouraging" you to use their products. Why wouldn't they? The only comment I can make is that I've use JA Templates (and they came with this additional component). I removed the component and I haven't had any troubles because I removed it. It's entirely your business whether you keep it or not. But, the FPA report shows that you have two instances of this component installed on your site. ???

iwecom wrote:
Mon Feb 25, 2019 8:20 pm
Are you implying that because it is not in JED, that it is a potential structural risk or something?
I'm not stating anything as a fact but the implication is, because that extension is not listed on the JED, the extension has not undergone the usual JED assessment process. Use it or not at your own discretion.

iwecom wrote:
Mon Feb 25, 2019 8:20 pm
Yes even though the FPA shows no [Nginx] ...
Exactly! The FPA shows that you are not using Nginx. It's as simple as that.

iwecom wrote:
Mon Feb 25, 2019 8:20 pm
... a third party website scanner [detected Nginx]
I asked before if you could put some context around this "third party scanner"; you have not done that. I have no clue about (a) what "third party scanner" you may be using or (b) how reliable that software may be.

iwecom wrote:
Mon Feb 25, 2019 8:20 pm
Bluehost said they indeed did run [Nginx] also, "as an additional program".
Exactly! Your webhosting provider may offer a range of webhosting solutions to their customers. Some customers may choose to use Apache, some customers may choose to use Nginx and (possibly) some customers may choose to run IIS. I have no idea about the various hosting packages offered by your webhosting provider. That's something you might want to research.

iwecom wrote:
Mon Feb 25, 2019 8:20 pm
So just to reconfirm, taking into account the [Nginx] mystery, the only ... change I will make is:
Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
Yes.

Re: web.config vs. web.config.txt file?

Posted: Mon Feb 25, 2019 9:20 pm
by iwecom
Thanks @sozzled for all the responses, awesome, and also for the observation of a dual instance of JA Extension Manager, I had not caught that. I will follow up properly with Joomlart.

I was cringing/waiting if you were going to ask which scanner found the NGNIX on my server and would you believe I cant find that scanner now, I looked for it again for about an hour this weekend to no avail.

Anyway, I called Bluehost this morning poker faced and asked them which version of NGNIX they are running on my server (as an additional program on top of the Linux Apache - this is what they told me last Friday), so that's when they opened the ticket and will get back to me.

I hate being hung up on this NGNIX issue but I have worked so hard over the last two weeks to clear up years of various troubles on this particular website, including sniffing galore resulting in dastardly acts by various bad robots from all over the planet, so now I'm stuck on this NGNIX discrepancy and cant get it out of my mind.. I'll report back here what Bluehost says. Cheers.

Re: web.config vs. web.config.txt file?

Posted: Mon Feb 25, 2019 9:43 pm
by sozzled
I don't know how many different ways I can write to you about Nginx. (Please learn that there is a correct spelling for this) I suggest that you read https://www.nginx.com/faq/what-is-nginx ... -g-apache/ or do your own research.

If you want an analogy, most motor vehicles run on gasonline, diesel, hydrogen or battery-powered electricity. You can't run a motor vehicle on diesel and on gasoline. Apache is like diesel; Nginx is like gasonline. Your webhost provides "diesel" or "gasoline"; it depends on what you want.

Re: web.config vs. web.config.txt file?

Posted: Tue Feb 26, 2019 12:01 am
by iwecom
Ah, so it is either/or , ok no further explanation needed and thank you.

I just recently heard of nginx by reading the Joomla 3.9.3 Post-Installation messages last week, and since I'm not that versed on server and related issues (I'm a marketer) , it sounded to me like some new plugin for Linux or Apache as some kind of add-on top layer or something. I'll check out your link, thanks!

That third party scanner did show Linux nginx/1.14.1 "offered" on my BH server, and I now see nginx is currently publicly running 1.7.1, in a time span of 3 months between those two versions. I'll post here the version that BH responds to me on, for the heck of it.

BH is not offering my server anything past PHP 7.0.33 yet, so far

Re: web.config vs. web.config.txt file?

Posted: Wed Feb 27, 2019 4:54 am
by iwecom
Bh reconfirmed nginx 1.14.1 is the version of the instance on my server, and an hour later I was notified that server work is scheduled for wee hours this coming Sunday, hopefully thy will take care of the PHP issue.
I'm totally clear now that my site runs on the Apache not Nginx, thanks again.

Re: web.config vs. web.config.txt file?

Posted: Fri Mar 01, 2019 5:57 am
by iwecom
@sozzled So would you believe BH came back shortly ago and responded:

"To answer you question though, rather than using Nginx you would be using Apache. We use Nginx as a caching layer to reduce service load through Apache."

(so this is why nginx came up on that third party scanner I previously mentioned?)

So referring to your analogy, it kinda freaks me out a little that gasoline is being "mixed" with diesel, at least to this layman's eyes.

Anyway, as long as the Joomla authors are aware of this kind of activity that BH and surely others do, and that there is for sure no additional anti-sniffing code to be put into the htacess file because of this lingering nginx factor, then I'll stop worrying about it. I'm just sick of bad bots! Are you part of the author team? Do they see this stuff anyway?

Thanks in advance,

Re: web.config vs. web.config.txt file?

Posted: Fri Mar 08, 2019 9:54 pm
by iwecom
@sozzled ok please check out this strange sitruation.

Bluehost told me in CHAT the following back in February:
"To answer you question though, rather than using Nginx you would be using Apache. We use Nginx as a caching layer to reduce service load through Apache"

Today, I ran into some strange error in the backend, which is now resolved

but here is the screenshot I took:
nginx-bl-s.png
I was getting ready to ask Bluehost what it would show Ngnix , when I found an email from Bluehost in late February, and it says:

"Thanks for getting back to us. Both Apache and Nginx are installed on your server However you will be actually using only Nginx "

I have not contacted them back to ask why your FPA shows Apache, because I wanted to run this situation by you first.

A few minutes ago I ran a fresh FPA on the site in question, so look at this:
fpa-a-n-3-8-19.jpg
What do you think is going on here?
Is there a chance, because both Nginx and Apache are installed on my server, that FPA is not detecting instances of active Nginx and thinks that Apache is the active one?

Thanks in advance,

Re: web.config vs. web.config.txt file?

Posted: Wed Mar 13, 2019 5:42 am
by iwecom
Hi Team Joomla, just checking in here please:

So, so since it is confirmed that my web hoster surprisingly has me using Nginx, I need help in understanding this post-installation message from Joomla 3.9.3:

----------------
Changes for Nginx
In case you are using Nginx webserver, add the following parameter under the server block in your Nginx configuration /etc/nginx/nginx.conf

http {
add_header X-Content-Type-Options nosniff;
}
---------------------

Sorry if I am confused here from a layman's point of view. How can I know where the server block is in my Nginx configuration is? Or do I pass this instruction to my web hoster?

Also, what should be the contents of the file nginx.conf ? Currently there is no folder inside of ETC called NGINX, should I make one?

Thanks in advance,

Re: web.config vs. web.config.txt file?

Posted: Thu Mar 14, 2019 4:08 pm
by toivo
Your screenshot from FPA on 8 March shows clearly that your Joomla site is hosted on Apache. Are you saying that your site has now been migrated to Nginx?

Your host may have installed both applications or the Nginx instance is used as a proxy server front ending Joomla, but as far as Joomla is concerned, it has been installed under Apache.

Re: web.config vs. web.config.txt file?

Posted: Mon Mar 18, 2019 5:51 pm
by iwecom
Ok @toivo, so Bluehost finally confirmed back to me , after talking to multiple internal people there, that the NGINX they are using on my server is "for caching purposes on Bluehosts's end", and that I should not have to take anti-sniffing steps against it, because I am on Apache 3.

Thanks again, it's just confusing to this layman when Blue host tells me different things on different days.

Re: web.config vs. web.config.txt file?

Posted: Mon Mar 18, 2019 6:17 pm
by toivo
Cheers, good to hear that it is now sorted out.

Re: web.config vs. web.config.txt file?

Posted: Tue Apr 02, 2019 8:33 pm
by kimhuff
JAVesey wrote:
Fri Feb 22, 2019 3:26 pm
iwecom wrote:
Fri Feb 22, 2019 3:16 pm
The only file I see related is /public_html/web.config.txt

Is this the file I should add the code to?
This file is only used on a Microsoft IIS server. If your site is operating under this environment then yes, add the text to this file and then rename the web.config.txt to web.config

If your site is running under Apache then you only need to following the instructions for the .htaccess file, i.e. add the text to this file.
JAVesey,

So does that mean that if I am on a Linux server, I would never need the web.config.txt file and I could just delete it?

Re: web.config vs. web.config.txt file?

Posted: Tue Apr 02, 2019 8:43 pm
by sozzled
@kimhuff: yes, you're right; you could just delete the file web.config.txt. The file will be re-created when you update Joomla again in future (and you could delete it again) and it will be re-created in future, and so on. Or, you could do what just about everyone else does and don't worry about it. It's not doing anything.