Both in documentation and Docker image.
For security purposes, static files can no longer be accessed through
the main nginx *location*. Static files are served if their extension
matches the whitelist.
As a side effect, we no longer need specific restrictions, and
this therefore fixes the nginx part of #1608.
index index.html index.php;
server {
index index.html index.php;
server {
- listen 80;
- root /var/www/shaarli;
+ listen 80;
+ root /var/www/shaarli;
access_log /var/log/nginx/shaarli.access.log;
error_log /var/log/nginx/shaarli.error.log;
access_log /var/log/nginx/shaarli.access.log;
error_log /var/log/nginx/shaarli.error.log;
- location ~ /\. {
- # deny access to dotfiles
- access_log off;
- log_not_found off;
- deny all;
- }
-
- location ~ ~$ {
- # deny access to temp editor files, e.g. "script.php~"
- access_log off;
- log_not_found off;
- deny all;
- }
-
- location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
+ location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ {
# cache static assets
expires max;
add_header Pragma public;
# cache static assets
expires max;
add_header Pragma public;
alias /var/www/shaarli/images/favicon.ico;
}
alias /var/www/shaarli/images/favicon.ico;
}
+ location /doc/html/ {
+ default_type "text/html";
+ try_files $uri $uri/ $uri.html =404;
+ }
+
- # Slim - rewrite URLs
- try_files $uri /index.php$is_args$args;
+ # Slim - rewrite URLs & do NOT serve static files through this location
+ try_files _ /index.php$is_args$args;
- location ~ (index)\.php$ {
+ location ~ index\.php$ {
# Slim - split URL path into (script_filename, path_info)
try_files $uri =404;
# Slim - split URL path into (script_filename, path_info)
try_files $uri =404;
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_split_path_info ^(index.php)(/.+)$;
# filter and proxy PHP requests to PHP-FPM
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
# filter and proxy PHP requests to PHP-FPM
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
}
-
- location ~ /doc/ {
- default_type "text/html";
- try_files $uri $uri/ $uri.html =404;
- }
-
- location ~ \.php$ {
- # deny access to all other PHP scripts
- deny all;
- }
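Review bot: The new `location ~ index\.php$` is unanchored, so it matches any request path that ends in `index.php`, not just the front controller; with the catch-all `location ~ \.php$ { deny all; }` removed in the same section, any existing file under the root whose name ends that way would be handed to PHP-FPM. Since every other request is rewritten to `/index.php` by `try_files _ /index.php$is_args$args;`, an exact match such as `location = /index.php {` should be enough here (assuming Shaarli is served from the site root, as `root /var/www/shaarli;` suggests). The added `fastcgi_split_path_info ^(index.php)(/.+)$;` also has no leading slash and an unescaped dot, so it probably never matches a request URI; `^(/index\.php)(/.+)$` would be the intended form, if path info is needed at all. Separately, `oet` in the static-extension whitelist (here and in the second nginx snippet further down) looks like a typo for `eot`, which would leave `.eot` fonts unserved now that the main location no longer serves files.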
+.gitattributes
+.gitignore
+.travis.yml
+# Docker related resources are not needed inside the container
+.dockerignore
+Dockerfile
+Dockerfile.armhf
+
# Docker Compose resources
docker-compose.yml
# Docker Compose resources
docker-compose.yml
+# Shaarli's docs are created during the build
+doc/html/
+
# Eclipse project files
.settings
.buildpath
# Eclipse project files
.settings
.buildpath
location / {
# default index file when no file URI is requested
index index.php;
location / {
# default index file when no file URI is requested
index index.php;
- try_files $uri /index.php$is_args$args;
+ try_files _ /index.php$is_args$args;
}
location ~ (index)\.php$ {
}
location ~ (index)\.php$ {
- location ~ \.php$ {
- # deny access to all other PHP scripts
- # disable this if you host other PHP applications on the same virtualhost
- deny all;
- }
-
- location ~ /\. {
- # deny access to dotfiles
- deny all;
- }
-
- location ~ ~$ {
- # deny access to temp editor files, e.g. "script.php~"
- deny all;
- }
-
- location ~ /doc/ {
+ location ~ /doc/html/ {
default_type "text/html";
try_files $uri $uri/ $uri.html =404;
}
default_type "text/html";
try_files $uri $uri/ $uri.html =404;
}
}
# allow client-side caching of static files
}
# allow client-side caching of static files
- location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
+ location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ {
expires max;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
# HTTP 1.0 compatibility
add_header Pragma public;
}
expires max;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
# HTTP 1.0 compatibility
add_header Pragma public;
}