aboutsummaryrefslogtreecommitdiffhomepage
path: root/.docker/nginx.conf
diff options
context:
space:
mode:
authorArthurHoaro <arthur@hoa.ro>2020-11-07 14:27:49 +0100
committerArthurHoaro <arthur@hoa.ro>2020-11-07 14:27:49 +0100
commitce901a58289c72bf7f4dc3515a2be70562cd618b (patch)
tree73ad1883bcdbb1ac5c15e4aa9472b53ebde763d4 /.docker/nginx.conf
parent8c5f6c786d00310b2e863aa316927effb7bfeedb (diff)
downloadShaarli-ce901a58289c72bf7f4dc3515a2be70562cd618b.tar.gz
Shaarli-ce901a58289c72bf7f4dc3515a2be70562cd618b.tar.zst
Shaarli-ce901a58289c72bf7f4dc3515a2be70562cd618b.zip
Reviewed nginx configuration
Both in documentation and Docker image. For security purpose, it no longer allow to access static files through the main nginx *location*. Static files are served if their extension matches the whitelist. As a side effect, we no longer need specific restrictions, and therefore it fixes the nginx part of #1608.
Diffstat (limited to '.docker/nginx.conf')
-rw-r--r--.docker/nginx.conf43
1 files changed, 12 insertions, 31 deletions
diff --git a/.docker/nginx.conf b/.docker/nginx.conf
index 023f52c1..30810a87 100644
--- a/.docker/nginx.conf
+++ b/.docker/nginx.conf
@@ -17,27 +17,13 @@ http {
17 index index.html index.php; 17 index index.html index.php;
18 18
19 server { 19 server {
20 listen 80; 20 listen 80;
21 root /var/www/shaarli; 21 root /var/www/shaarli;
22 22
23 access_log /var/log/nginx/shaarli.access.log; 23 access_log /var/log/nginx/shaarli.access.log;
24 error_log /var/log/nginx/shaarli.error.log; 24 error_log /var/log/nginx/shaarli.error.log;
25 25
26 location ~ /\. { 26 location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ {
27 # deny access to dotfiles
28 access_log off;
29 log_not_found off;
30 deny all;
31 }
32
33 location ~ ~$ {
34 # deny access to temp editor files, e.g. "script.php~"
35 access_log off;
36 log_not_found off;
37 deny all;
38 }
39
40 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
41 # cache static assets 27 # cache static assets
42 expires max; 28 expires max;
43 add_header Pragma public; 29 add_header Pragma public;
@@ -49,30 +35,25 @@ http {
49 alias /var/www/shaarli/images/favicon.ico; 35 alias /var/www/shaarli/images/favicon.ico;
50 } 36 }
51 37
38 location /doc/html/ {
39 default_type "text/html";
40 try_files $uri $uri/ $uri.html =404;
41 }
42
52 location / { 43 location / {
53 # Slim - rewrite URLs 44 # Slim - rewrite URLs & do NOT serve static files through this location
54 try_files $uri /index.php$is_args$args; 45 try_files _ /index.php$is_args$args;
55 } 46 }
56 47
57 location ~ (index)\.php$ { 48 location ~ index\.php$ {
58 # Slim - split URL path into (script_filename, path_info) 49 # Slim - split URL path into (script_filename, path_info)
59 try_files $uri =404; 50 try_files $uri =404;
60 fastcgi_split_path_info ^(.+\.php)(/.+)$; 51 fastcgi_split_path_info ^(index.php)(/.+)$;
61 52
62 # filter and proxy PHP requests to PHP-FPM 53 # filter and proxy PHP requests to PHP-FPM
63 fastcgi_pass unix:/var/run/php-fpm.sock; 54 fastcgi_pass unix:/var/run/php-fpm.sock;
64 fastcgi_index index.php; 55 fastcgi_index index.php;
65 include fastcgi.conf; 56 include fastcgi.conf;
66 } 57 }
67
68 location ~ /doc/ {
69 default_type "text/html";
70 try_files $uri $uri/ $uri.html =404;
71 }
72
73 location ~ \.php$ {
74 # deny access to all other PHP scripts
75 deny all;
76 }
77 } 58 }
78} 59}