diff options
| author | ArthurHoaro <arthur@hoa.ro> | 2020-11-07 14:27:49 +0100 |
|---|---|---|
| committer | ArthurHoaro <arthur@hoa.ro> | 2020-11-07 14:27:49 +0100 |
| commit | ce901a58289c72bf7f4dc3515a2be70562cd618b (patch) | |
| tree | 73ad1883bcdbb1ac5c15e4aa9472b53ebde763d4 /.docker | |
| parent | 8c5f6c786d00310b2e863aa316927effb7bfeedb (diff) | |
| download | Shaarli-ce901a58289c72bf7f4dc3515a2be70562cd618b.tar.gz Shaarli-ce901a58289c72bf7f4dc3515a2be70562cd618b.tar.zst Shaarli-ce901a58289c72bf7f4dc3515a2be70562cd618b.zip | |
Reviewed nginx configuration
Both in documentation and Docker image.
For security purpose, it no longer allow to access static files through
the main nginx *location*. Static files are served if their extension
matches the whitelist.
As a side effect, we no longer need specific restrictions, and
therefore it fixes the nginx part of #1608.
Diffstat (limited to '.docker')
| -rw-r--r-- | .docker/nginx.conf | 43 |
1 files changed, 12 insertions, 31 deletions
diff --git a/.docker/nginx.conf b/.docker/nginx.conf index 023f52c1..30810a87 100644 --- a/.docker/nginx.conf +++ b/.docker/nginx.conf | |||
| @@ -17,27 +17,13 @@ http { | |||
| 17 | index index.html index.php; | 17 | index index.html index.php; |
| 18 | 18 | ||
| 19 | server { | 19 | server { |
| 20 | listen 80; | 20 | listen 80; |
| 21 | root /var/www/shaarli; | 21 | root /var/www/shaarli; |
| 22 | 22 | ||
| 23 | access_log /var/log/nginx/shaarli.access.log; | 23 | access_log /var/log/nginx/shaarli.access.log; |
| 24 | error_log /var/log/nginx/shaarli.error.log; | 24 | error_log /var/log/nginx/shaarli.error.log; |
| 25 | 25 | ||
| 26 | location ~ /\. { | 26 | location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ { |
| 27 | # deny access to dotfiles | ||
| 28 | access_log off; | ||
| 29 | log_not_found off; | ||
| 30 | deny all; | ||
| 31 | } | ||
| 32 | |||
| 33 | location ~ ~$ { | ||
| 34 | # deny access to temp editor files, e.g. "script.php~" | ||
| 35 | access_log off; | ||
| 36 | log_not_found off; | ||
| 37 | deny all; | ||
| 38 | } | ||
| 39 | |||
| 40 | location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { | ||
| 41 | # cache static assets | 27 | # cache static assets |
| 42 | expires max; | 28 | expires max; |
| 43 | add_header Pragma public; | 29 | add_header Pragma public; |
| @@ -49,30 +35,25 @@ http { | |||
| 49 | alias /var/www/shaarli/images/favicon.ico; | 35 | alias /var/www/shaarli/images/favicon.ico; |
| 50 | } | 36 | } |
| 51 | 37 | ||
| 38 | location /doc/html/ { | ||
| 39 | default_type "text/html"; | ||
| 40 | try_files $uri $uri/ $uri.html =404; | ||
| 41 | } | ||
| 42 | |||
| 52 | location / { | 43 | location / { |
| 53 | # Slim - rewrite URLs | 44 | # Slim - rewrite URLs & do NOT serve static files through this location |
| 54 | try_files $uri /index.php$is_args$args; | 45 | try_files _ /index.php$is_args$args; |
| 55 | } | 46 | } |
| 56 | 47 | ||
| 57 | location ~ (index)\.php$ { | 48 | location ~ index\.php$ { |
| 58 | # Slim - split URL path into (script_filename, path_info) | 49 | # Slim - split URL path into (script_filename, path_info) |
| 59 | try_files $uri =404; | 50 | try_files $uri =404; |
| 60 | fastcgi_split_path_info ^(.+\.php)(/.+)$; | 51 | fastcgi_split_path_info ^(index.php)(/.+)$; |
| 61 | 52 | ||
| 62 | # filter and proxy PHP requests to PHP-FPM | 53 | # filter and proxy PHP requests to PHP-FPM |
| 63 | fastcgi_pass unix:/var/run/php-fpm.sock; | 54 | fastcgi_pass unix:/var/run/php-fpm.sock; |
| 64 | fastcgi_index index.php; | 55 | fastcgi_index index.php; |
| 65 | include fastcgi.conf; | 56 | include fastcgi.conf; |
| 66 | } | 57 | } |
| 67 | |||
| 68 | location ~ /doc/ { | ||
| 69 | default_type "text/html"; | ||
| 70 | try_files $uri $uri/ $uri.html =404; | ||
| 71 | } | ||
| 72 | |||
| 73 | location ~ \.php$ { | ||
| 74 | # deny access to all other PHP scripts | ||
| 75 | deny all; | ||
| 76 | } | ||
| 77 | } | 58 | } |
| 78 | } | 59 | } |