Reviewed Apache configuration

(in documentation)

For security purposes, block access to any static file not matching the list of allowed extensions.
It allows us to remove the specific restriction on dotfiles, and fixes the Apache part of #1608.
This commit is contained in:
ArthurHoaro 2020-11-08 13:13:13 +01:00
parent 8c5f6c786d
commit 8a9796014c
2 changed files with 13 additions and 8 deletions


@ -13,7 +13,7 @@ RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
# Alternative (if the 2 lines above don't work) # Alternative (if the 2 lines above don't work)
# SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 # SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
# REST API # Slim URL Redirection
# Ionos Hosting needs RewriteBase / # Ionos Hosting needs RewriteBase /
# RewriteBase / # RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-f


@ -193,19 +193,24 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
Require all granted Require all granted
</Directory> </Directory>
<LocationMatch "/\."> # BE CAREFUL: directives order matter!
# Prevent accessing dotfiles
RedirectMatch 404 ".*"
</LocationMatch>
<LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$"> <FilesMatch ".*\.(?!(ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$)[^\.]*$">
Require all denied
</FilesMatch>
<Files "index.php">
Require all granted
</Files>
<FilesMatch "\.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2)$">
# allow client-side caching of static files # allow client-side caching of static files
Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate" Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
</LocationMatch> </FilesMatch>
# serve the Shaarli favicon from its custom location # serve the Shaarli favicon from its custom location
Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
</VirtualHost> </VirtualHost>
``` ```
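Review bot: The new `<FilesMatch ".*\.(?!(...)$)[^\.]*$">` deny rule in the second file section only matches basenames that contain a dot, so extension-less files (`LICENSE`, `COPYING`, and, if the instance was deployed with `git clone`, `.git/HEAD`, `.git/config` and the hash-named objects under `.git/objects/`) remain servable, whereas the removed `<LocationMatch "/\.">` block returned 404 for any path component starting with a dot. Since the commit message relies on this rule to drop the dotfile restriction, anchor the deny on the whole name instead, e.g. `<FilesMatch "^(?!.*\.(?:ico|css|js|gif|jpe?g|png|ttf|eot|woff2?)$)">`, which still lets the later `<Files "index.php">` grant override it. Both new FilesMatch lists spell the Embedded OpenType extension as `oet`; it should be `eot`, otherwise `.eot` fonts are denied outright. The Cache-Control FilesMatch also lists `woff2` where the deny rule allows `woff2?`, so `.woff` is served but never cached; use the same extension list in both places.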