MODX Cloud uses the high-performance Nginx HTTP server rather than Apache and, therefore, things you'd normally do in an .htaccess file, you will do in your Cloud's Web Rules settings.
Editing Nginx Web Rules
- From the Clouds page of the MODX Cloud Dashboard, locate the Cloud whose Web Rules you'd like to edit, and click on its name in the list to manage it.
- Find and click on the Webserver tab at the top of the Cloud edit screen to see the Web Rules / Rewrites section.
Two important things to keep in mind when adjusting web rules:
- Be sure to leave the MODX rewrite rule at the end.
- Because of the systems that run MODX Cloud, you may not modify the server block. If you need help with this, open a ticket from the MODX Cloud Dashboard with details.
Only Serve Your Sites via an Encrypted HTTPS Connection
Search engines and browsers now balk at showing any site not served over an HTTPS connection. If possible, it is best to use SSL for your site.
Force Requests to Use Secure HTTPS Connections
You should force all visitors to use HTTPS so they never reach your site over an unencrypted connection.
Be sure to put your correct domain where you see mydomain.com. If you're using a redirect to point to or away from www, be sure your intended domain matches that form.
Caution: Forcing HTTP to HTTPS with the HSTS header cannot be easily reversed. It's best not to implement this if there is a chance you will turn off SSL. If you do need to reverse this, you can set the max-age to -1 (HTTPS must still be enabled) and wait 30 days before removing your SSL certificate. You may wish to start with the HSTS max-age setting at 86400 (1 day in seconds) before changing it to 31536000 (1 year in seconds) at some later time.
# Tells the browser to always force SSL (HSTS).
# Do not uncomment this line if there is a chance you will turn off SSL.
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

# Send every other hostname (for example the bare domain) to the canonical www host.
if ($host != "www.mydomain.com") {
    return 301 https://www.mydomain.com$request_uri;
}

# Send any plain HTTP request to the same URL over HTTPS.
if ($scheme != "https") {
    return 301 https://$host$request_uri;
}
Omit the add_header line if you think there is a chance you will disable SSL in the future. If the header has been sent and SSL is later disabled, visitors may experience errors or be unable to visit your site without clearing their browser cache.
Security & Content Protection
Control access to your Cloud
Use this when you are working on a website, or a specific part of it, that you don't want visitors to reach, but that your team should still be able to access from a specific IP address. The same method, applied to the /manager/ location block, restricts access to your MODX Revolution manager to the listed IP addresses only.
# Block access to the entire website except from the listed addresses.
# Use the network address for a range (192.168.1.0/24); nginx warns if host bits are set under the mask.
location / {
    allow 192.168.1.0/24;
    allow 127.0.0.1;
    deny all;
    # Keep the MODX rewrite so friendly URLs still work for allowed visitors.
    try_files $uri $uri/ @modx-rewrite;
}

# Block access to the Manager except from the listed addresses.
location /manager/ {
    allow 192.168.1.0/24;
    allow 127.0.0.1;
    deny all;
    try_files $uri $uri/ @modx-rewrite;
}
If you wish to block a particular IP address or range from accessing your website:
# Block access to the entire website for a single IP or range.
location / {
    deny 127.0.0.1;
    deny 192.168.1.0/24;
    try_files $uri $uri/ @modx-rewrite;
}
Substitute real IPs or IP blocks for the placeholders above, or you may be locked out of the Manager.
Force a specific domain for the Manager
If you wish to redirect all requests for the manager to a certain domain, the following rule should work.
# Combine host and path so one regular expression can test both.
set $mgrcheck $host$request_uri;
# Any of the listed hosts requesting /manager is redirected to the canonical domain.
# A rewrite to an absolute URL issues a temporary (302) redirect; add the permanent flag for a 301.
if ($mgrcheck ~* "((www\.|sub1\.|sub2\.)domain1\.com|(www\.)?domain2\.org|(www\.)?domain3\.(org|com))/manager") {
    rewrite ^ https://domain.com$request_uri;
}
Replace the domain examples with your actual domains.
Prevent Access to a Directory and its Contents from the Web
You can block access to a directory and all its contents from the web, for example, for an internal application.
# Deny everything under /apps. The ^~ modifier makes this prefix win over regular-expression
# locations, so a PHP handler location cannot match a file inside it.
location ^~ /apps {
    deny all;
}
location / {
    try_files $uri $uri/ @modx-rewrite;
}
Note that the path specified in the location block is relative to the site root.
Read more about allowing and denying access.
Preventing Hotlinking Files from Other Sites
Preventing Hotlinking Files globally except certain sites
# Serve web fonts only when the Referer is one of the listed sites.
location ~ \.(woff|eot)$ {
    valid_referers mysite.com www.mysite.com;
    # Add "none" to the list above if requests without a Referer header should also be allowed.
    if ($invalid_referer) {
        return 403;
    }
    try_files $uri $uri/ =404;
}
location / {
    try_files $uri $uri/ @modx-rewrite;
}
Preventing Hotlinking Files from specific sites and showing specific page
location / {
    # Referrer protection: visitors arriving from domain.com are sent to a custom page instead.
    if ($http_referer ~* "(www\.)?domain\.com") {
        return 301 https://www.domain.com/custompage;
    }
    try_files $uri $uri/ @modx-rewrite;
}
# The custom page itself carries no referrer check, so the redirect cannot loop.
location /custompage {
    try_files $uri $uri/ @modx-rewrite;
}
Password Protect a Directory
In the following example, you should replace cXXXX with the Cloud Code of your instance; this is the same as the SSH/SFTP username that you see in the Cloud Dashboard. You will also need to manually create the .htpasswd file referenced in the configuration; an htpasswd generator tool can get you started. This file cannot be created from within the MODX Manager; it is created via SSH or SFTP.
location /somefolder/ {
    auth_basic "Restricted";
    auth_basic_user_file /cXXXX/home/.htpasswd;
    # If the protected location is served by MODX, keep the rewrite:
    try_files $uri $uri/ @modx-rewrite;
    # Otherwise, for static files, you'd use:
    # try_files $uri $uri/ =404;
}
To protect access to the entire Cloud, do the same as above, but for the location / {…} block. Because the MODX rewrite line also belongs inside location / {…}, you can combine the two:
location / {
    auth_basic "Restricted";
    auth_basic_user_file /cXXXX/home/.htpasswd;
    try_files $uri $uri/ @modx-rewrite;
}
Block PHP execution in a user-uploads directory
Sometimes your users need to upload files, but you want to prevent any PHP uploaded there from executing, returning a 403 Forbidden error code instead (i.e., "The server understood the request, but is refusing to authorize it."). For example, you might have an assets/uploads/ directory for this purpose:
# Refuse any .php file under assets/uploads/. Regular-expression locations are checked in
# file order, so this rule must appear before any general PHP handler location.
location ~ /assets/uploads/.*\.php$ {
    return 403;
}
Common Security Headers and Content Security Policy (CSP)
If you are using a service like https://securityheaders.com/ to evaluate your site, you may want to implement additional security headers. Below is a baseline to get started. For a more specialized Content-Security-Policy, we recommend using a tool like https://report-uri.com/ to monitor your site and generate a CSP.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
add_header X-Content-Type-Options "nosniff" always;
# This CSP allows every source plus inline and eval'd scripts; it is a starting point that restricts almost nothing yet.
add_header Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: blob: 'unsafe-inline'";
add_header Referrer-Policy 'same-origin';
add_header X-Frame-Options SAMEORIGIN always;
add_header Permissions-Policy "geolocation=()";
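As an added example (not MODX Cloud's own code), here is one complete Web Rules set that combines the rules from this page in the order the page asks for (redirects, headers, restricted locations, and the MODX rewrite last) and shows how add_header behaves inside a restricted location. It assumes the rules are included inside the Cloud's server block, which also provides the @modx-rewrite named location and PHP handling; www.mydomain.com and 203.0.113.0/24 are placeholders.

```nginx
# Added example: a complete Web Rules set combining this page's rules.
# Placeholders: www.mydomain.com and 203.0.113.0/24 (a documentation-only range).

# 1. Redirects first: one canonical host, always HTTPS.
if ($host != "www.mydomain.com") {
    return 301 https://www.mydomain.com$request_uri;
}
if ($scheme != "https") {
    return 301 https://$host$request_uri;
}

# 2. Security headers. "always" keeps them on 4xx/5xx responses too.
#    HSTS starts at one day; raise it to 31536000 once SSL is certain to stay on.
add_header Strict-Transport-Security "max-age=86400; includeSubdomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header Referrer-Policy 'same-origin' always;
add_header Permissions-Policy "geolocation=()" always;

# 3. Manager reachable only from the allowed range; everyone else gets 403.
location /manager/ {
    allow 203.0.113.0/24;
    deny all;
    # The Manager is never framed, so it gets a stricter X-Frame-Options.
    # Because this location now sets a header of its own, nginx no longer
    # inherits the add_header lines above: they must be repeated here.
    add_header X-Frame-Options DENY always;
    add_header Strict-Transport-Security "max-age=86400; includeSubdomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy 'same-origin' always;
    try_files $uri $uri/ @modx-rewrite;
}

# 4. Uploaded PHP is never executed.
location ~ /assets/uploads/.*\.php$ {
    return 403;
}

# 5. The MODX rewrite rule stays at the end.
location / {
    try_files $uri $uri/ @modx-rewrite;
}
```

After saving, request the Manager from an address outside the allowed range and confirm the 403 response still carries the headers; a missing header there is the usual sign that a location set one add_header and dropped the rest.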