diff options
author | ArthurHoaro <arthur@hoa.ro> | 2020-11-07 14:27:49 +0100 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2020-11-07 14:27:49 +0100 |
commit | ce901a58289c72bf7f4dc3515a2be70562cd618b (patch) | |
tree | 73ad1883bcdbb1ac5c15e4aa9472b53ebde763d4 /.docker/nginx.conf | |
parent | 8c5f6c786d00310b2e863aa316927effb7bfeedb (diff) | |
download | Shaarli-ce901a58289c72bf7f4dc3515a2be70562cd618b.tar.gz Shaarli-ce901a58289c72bf7f4dc3515a2be70562cd618b.tar.zst Shaarli-ce901a58289c72bf7f4dc3515a2be70562cd618b.zip |
Reviewed nginx configuration
Both in documentation and Docker image.
For security purpose, it no longer allow to access static files through
the main nginx *location*. Static files are served if their extension
matches the whitelist.
As a side effect, we no longer need specific restrictions, and
therefore it fixes the nginx part of #1608.
Diffstat (limited to '.docker/nginx.conf')
-rw-r--r-- | .docker/nginx.conf | 43 |
1 files changed, 12 insertions, 31 deletions
diff --git a/.docker/nginx.conf b/.docker/nginx.conf index 023f52c1..30810a87 100644 --- a/.docker/nginx.conf +++ b/.docker/nginx.conf | |||
@@ -17,27 +17,13 @@ http { | |||
17 | index index.html index.php; | 17 | index index.html index.php; |
18 | 18 | ||
19 | server { | 19 | server { |
20 | listen 80; | 20 | listen 80; |
21 | root /var/www/shaarli; | 21 | root /var/www/shaarli; |
22 | 22 | ||
23 | access_log /var/log/nginx/shaarli.access.log; | 23 | access_log /var/log/nginx/shaarli.access.log; |
24 | error_log /var/log/nginx/shaarli.error.log; | 24 | error_log /var/log/nginx/shaarli.error.log; |
25 | 25 | ||
26 | location ~ /\. { | 26 | location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ { |
27 | # deny access to dotfiles | ||
28 | access_log off; | ||
29 | log_not_found off; | ||
30 | deny all; | ||
31 | } | ||
32 | |||
33 | location ~ ~$ { | ||
34 | # deny access to temp editor files, e.g. "script.php~" | ||
35 | access_log off; | ||
36 | log_not_found off; | ||
37 | deny all; | ||
38 | } | ||
39 | |||
40 | location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { | ||
41 | # cache static assets | 27 | # cache static assets |
42 | expires max; | 28 | expires max; |
43 | add_header Pragma public; | 29 | add_header Pragma public; |
@@ -49,30 +35,25 @@ http { | |||
49 | alias /var/www/shaarli/images/favicon.ico; | 35 | alias /var/www/shaarli/images/favicon.ico; |
50 | } | 36 | } |
51 | 37 | ||
38 | location /doc/html/ { | ||
39 | default_type "text/html"; | ||
40 | try_files $uri $uri/ $uri.html =404; | ||
41 | } | ||
42 | |||
52 | location / { | 43 | location / { |
53 | # Slim - rewrite URLs | 44 | # Slim - rewrite URLs & do NOT serve static files through this location |
54 | try_files $uri /index.php$is_args$args; | 45 | try_files _ /index.php$is_args$args; |
55 | } | 46 | } |
56 | 47 | ||
57 | location ~ (index)\.php$ { | 48 | location ~ index\.php$ { |
58 | # Slim - split URL path into (script_filename, path_info) | 49 | # Slim - split URL path into (script_filename, path_info) |
59 | try_files $uri =404; | 50 | try_files $uri =404; |
60 | fastcgi_split_path_info ^(.+\.php)(/.+)$; | 51 | fastcgi_split_path_info ^(index.php)(/.+)$; |
61 | 52 | ||
62 | # filter and proxy PHP requests to PHP-FPM | 53 | # filter and proxy PHP requests to PHP-FPM |
63 | fastcgi_pass unix:/var/run/php-fpm.sock; | 54 | fastcgi_pass unix:/var/run/php-fpm.sock; |
64 | fastcgi_index index.php; | 55 | fastcgi_index index.php; |
65 | include fastcgi.conf; | 56 | include fastcgi.conf; |
66 | } | 57 | } |
67 | |||
68 | location ~ /doc/ { | ||
69 | default_type "text/html"; | ||
70 | try_files $uri $uri/ $uri.html =404; | ||
71 | } | ||
72 | |||
73 | location ~ \.php$ { | ||
74 | # deny access to all other PHP scripts | ||
75 | deny all; | ||
76 | } | ||
77 | } | 58 | } |
78 | } | 59 | } |