Reviewed nginx configuration

Both in documentation and Docker image.

For security purposes, it no longer allows access to static files through
the main nginx *location*. Static files are served if their extension
matches the whitelist.

As a side effect, we no longer need specific restrictions, and
therefore it fixes the nginx part of #1608.
ArthurHoaro 2020-11-07 14:27:49 +01:00
parent 8c5f6c786d
commit ce901a5828
3 changed files with 27 additions and 52 deletions


@ -17,27 +17,13 @@ http {
index index.html index.php; index index.html index.php;
server { server {
listen 80; listen 80;
root /var/www/shaarli; root /var/www/shaarli;
access_log /var/log/nginx/shaarli.access.log; access_log /var/log/nginx/shaarli.access.log;
error_log /var/log/nginx/shaarli.error.log; error_log /var/log/nginx/shaarli.error.log;
location ~ /\. { location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ {
# deny access to dotfiles
access_log off;
log_not_found off;
deny all;
}
location ~ ~$ {
# deny access to temp editor files, e.g. "script.php~"
access_log off;
log_not_found off;
deny all;
}
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
# cache static assets # cache static assets
expires max; expires max;
add_header Pragma public; add_header Pragma public;
@ -49,30 +35,25 @@ http {
alias /var/www/shaarli/images/favicon.ico; alias /var/www/shaarli/images/favicon.ico;
} }
location / { location /doc/html/ {
# Slim - rewrite URLs default_type "text/html";
try_files $uri /index.php$is_args$args; try_files $uri $uri/ $uri.html =404;
} }
location ~ (index)\.php$ { location / {
# Slim - rewrite URLs & do NOT serve static files through this location
try_files _ /index.php$is_args$args;
}
location ~ index\.php$ {
# Slim - split URL path into (script_filename, path_info) # Slim - split URL path into (script_filename, path_info)
try_files $uri =404; try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(index.php)(/.+)$;
# filter and proxy PHP requests to PHP-FPM # filter and proxy PHP requests to PHP-FPM
fastcgi_pass unix:/var/run/php-fpm.sock; fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;
include fastcgi.conf; include fastcgi.conf;
} }
location ~ /doc/ {
default_type "text/html";
try_files $uri $uri/ $uri.html =404;
}
location ~ \.php$ {
# deny access to all other PHP scripts
deny all;
}
} }
} }
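Review bot: The extension whitelist on the new static-asset regex location in the first hunk lists `oet`, which looks like a typo for `eot` (Embedded OpenType); as written, a `.eot` font request falls through to `location /` and is rewritten to index.php instead of being served, and the same misspelling appears in the documentation copy of this config in the last hunk of the third file (`location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|eot|woff2?)$ {`). Because a regex location wins over the prefix locations and this one carries no path constraint, any file with a whitelisted extension anywhere under `/var/www/shaarli` — including under `data/`, `cache/`, `tmp/` or a dotfile path, now that the `/\.` deny block is removed — is served directly; keeping a `location ~ /\. { deny all; }` ahead of it, or anchoring the regex to the asset directories, would preserve the old dotfile protection without touching the rewrite. The `fastcgi_split_path_info ^(index.php)(/.+)$;` change also appears inert: the enclosing `location ~ index\.php$` only matches URIs that end in `index.php`, so there is never a path-info suffix to split, and the unescaped dot matches any character; if the directive is kept, `^(/index\.php)(/.+)$` is the form that would actually match a URI with a leading slash.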


@ -2,8 +2,16 @@
.dev .dev
.git .git
.github .github
.gitattributes
.gitignore
.travis.yml
tests tests
# Docker related resources are not needed inside the container
.dockerignore
Dockerfile
Dockerfile.armhf
# Docker Compose resources # Docker Compose resources
docker-compose.yml docker-compose.yml
@ -13,6 +21,9 @@ data/*
pagecache/* pagecache/*
tmp/* tmp/*
# Shaarli's docs are created during the build
doc/html/
# Eclipse project files # Eclipse project files
.settings .settings
.buildpath .buildpath


@ -296,7 +296,7 @@ server {
location / { location / {
# default index file when no file URI is requested # default index file when no file URI is requested
index index.php; index index.php;
try_files $uri /index.php$is_args$args; try_files _ /index.php$is_args$args;
} }
location ~ (index)\.php$ { location ~ (index)\.php$ {
@ -309,23 +309,7 @@ server {
include fastcgi.conf; include fastcgi.conf;
} }
location ~ \.php$ { location ~ /doc/html/ {
# deny access to all other PHP scripts
# disable this if you host other PHP applications on the same virtualhost
deny all;
}
location ~ /\. {
# deny access to dotfiles
deny all;
}
location ~ ~$ {
# deny access to temp editor files, e.g. "script.php~"
deny all;
}
location ~ /doc/ {
default_type "text/html"; default_type "text/html";
try_files $uri $uri/ $uri.html =404; try_files $uri $uri/ $uri.html =404;
} }
@ -336,13 +320,12 @@ server {
} }
# allow client-side caching of static files # allow client-side caching of static files
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ {
expires max; expires max;
add_header Cache-Control "public, must-revalidate, proxy-revalidate"; add_header Cache-Control "public, must-revalidate, proxy-revalidate";
# HTTP 1.0 compatibility # HTTP 1.0 compatibility
add_header Pragma public; add_header Pragma public;
} }
} }
``` ```
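Review bot: The rewritten `location ~ /doc/html/` in the documentation example is an unanchored regex, so it also matches any URI that merely contains `/doc/html/` somewhere in its path, whereas the Docker image's nginx.conf in this same commit uses the prefix form `location /doc/html/`; the two should agree, and the prefix form (or `location ~ ^/doc/html/`) is the narrower one. The `_` placeholder introduced in `try_files _ /index.php$is_args$args;` in the first hunk is explained only in the Docker config and not here, where administrators copy it from; suggest carrying over the comment `# Slim - rewrite URLs & do NOT serve static files through this location` and noting that `_` is a deliberately non-existent path so every unmatched request is handed to index.php. The docs copy also keeps `location ~ (index)\.php$` while the Docker config switches to `location ~ index\.php$`, so the two example configs now diverge in more than one place; aligning them would make the documented setup reproduce the image's behaviour.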