author | ArthurHoaro <arthur@hoa.ro> | 2020-11-07 14:27:49 +0100 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2020-11-07 14:27:49 +0100 |
commit | ce901a58289c72bf7f4dc3515a2be70562cd618b (patch) | |
tree | 73ad1883bcdbb1ac5c15e4aa9472b53ebde763d4 | |
parent | 8c5f6c786d00310b2e863aa316927effb7bfeedb (diff) | |
Reviewed nginx configuration
Both in documentation and Docker image.
For security purposes, it no longer allows access to static files through
the main nginx *location*. Static files are served only if their extension
matches the whitelist.
As a side effect, we no longer need specific restrictions, and
therefore it fixes the nginx part of #1608.
-rw-r--r-- | .docker/nginx.conf | 43 | ||||
-rw-r--r-- | .dockerignore | 11 | ||||
-rw-r--r-- | doc/md/Server-configuration.md | 23 |
3 files changed, 26 insertions, 51 deletions
diff --git a/.docker/nginx.conf b/.docker/nginx.conf index 023f52c1..30810a87 100644 --- a/.docker/nginx.conf +++ b/.docker/nginx.conf | |||
@@ -17,27 +17,13 @@ http { | |||
17 | index index.html index.php; | 17 | index index.html index.php; |
18 | 18 | ||
19 | server { | 19 | server { |
20 | listen 80; | 20 | listen 80; |
21 | root /var/www/shaarli; | 21 | root /var/www/shaarli; |
22 | 22 | ||
23 | access_log /var/log/nginx/shaarli.access.log; | 23 | access_log /var/log/nginx/shaarli.access.log; |
24 | error_log /var/log/nginx/shaarli.error.log; | 24 | error_log /var/log/nginx/shaarli.error.log; |
25 | 25 | ||
26 | location ~ /\. { | 26 | location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ { |
27 | # deny access to dotfiles | ||
28 | access_log off; | ||
29 | log_not_found off; | ||
30 | deny all; | ||
31 | } | ||
32 | |||
33 | location ~ ~$ { | ||
34 | # deny access to temp editor files, e.g. "script.php~" | ||
35 | access_log off; | ||
36 | log_not_found off; | ||
37 | deny all; | ||
38 | } | ||
39 | |||
40 | location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { | ||
41 | # cache static assets | 27 | # cache static assets |
42 | expires max; | 28 | expires max; |
43 | add_header Pragma public; | 29 | add_header Pragma public; |
@@ -49,30 +35,25 @@ http { | |||
49 | alias /var/www/shaarli/images/favicon.ico; | 35 | alias /var/www/shaarli/images/favicon.ico; |
50 | } | 36 | } |
51 | 37 | ||
38 | location /doc/html/ { | ||
39 | default_type "text/html"; | ||
40 | try_files $uri $uri/ $uri.html =404; | ||
41 | } | ||
42 | |||
52 | location / { | 43 | location / { |
53 | # Slim - rewrite URLs | 44 | # Slim - rewrite URLs & do NOT serve static files through this location |
54 | try_files $uri /index.php$is_args$args; | 45 | try_files _ /index.php$is_args$args; |
55 | } | 46 | } |
56 | 47 | ||
57 | location ~ (index)\.php$ { | 48 | location ~ index\.php$ { |
58 | # Slim - split URL path into (script_filename, path_info) | 49 | # Slim - split URL path into (script_filename, path_info) |
59 | try_files $uri =404; | 50 | try_files $uri =404; |
60 | fastcgi_split_path_info ^(.+\.php)(/.+)$; | 51 | fastcgi_split_path_info ^(index.php)(/.+)$; |
61 | 52 | ||
62 | # filter and proxy PHP requests to PHP-FPM | 53 | # filter and proxy PHP requests to PHP-FPM |
63 | fastcgi_pass unix:/var/run/php-fpm.sock; | 54 | fastcgi_pass unix:/var/run/php-fpm.sock; |
64 | fastcgi_index index.php; | 55 | fastcgi_index index.php; |
65 | include fastcgi.conf; | 56 | include fastcgi.conf; |
66 | } | 57 | } |
67 | |||
68 | location ~ /doc/ { | ||
69 | default_type "text/html"; | ||
70 | try_files $uri $uri/ $uri.html =404; | ||
71 | } | ||
72 | |||
73 | location ~ \.php$ { | ||
74 | # deny access to all other PHP scripts | ||
75 | deny all; | ||
76 | } | ||
77 | } | 58 | } |
78 | } | 59 | } |
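Review bot: The new `fastcgi_split_path_info ^(index.php)(/.+)$` (old line 60 / new line 51) is anchored at the start of the URI, but nginx applies this regex to a URI that begins with `/`, so as written it appears never to match and `$fastcgi_path_info` stays empty (the dot is also unescaped). If PATH_INFO is wanted for direct `/index.php/...` requests, anchor on the slash and escape the dot, `fastcgi_split_path_info ^(/index\.php)(/.+)$;`, and note that the preceding `try_files $uri =404` still rejects such URIs because no file of that path exists, so Slim routing presumably relies on the `location /` rewrite and this directive may be dead. While here, the `location ~ index\.php$` regex is unanchored, so any existing `index.php` under the webroot (including a web-writable data or plugin directory) would be handed to PHP-FPM; `location ~ ^/index\.php(?:/|$)` restricts it to the application front controller. Also, `oet` in the static-asset whitelist on new line 26 looks like a transposition of `eot` (Embedded OpenType); if the theme ships such fonts they are currently routed to index.php instead of being served as static files.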
diff --git a/.dockerignore b/.dockerignore index 96fd31c5..19fd87a5 100644 --- a/.dockerignore +++ b/.dockerignore | |||
@@ -2,8 +2,16 @@ | |||
2 | .dev | 2 | .dev |
3 | .git | 3 | .git |
4 | .github | 4 | .github |
5 | .gitattributes | ||
6 | .gitignore | ||
7 | .travis.yml | ||
5 | tests | 8 | tests |
6 | 9 | ||
10 | # Docker related resources are not needed inside the container | ||
11 | .dockerignore | ||
12 | Dockerfile | ||
13 | Dockerfile.armhf | ||
14 | |||
7 | # Docker Compose resources | 15 | # Docker Compose resources |
8 | docker-compose.yml | 16 | docker-compose.yml |
9 | 17 | ||
@@ -13,6 +21,9 @@ data/* | |||
13 | pagecache/* | 21 | pagecache/* |
14 | tmp/* | 22 | tmp/* |
15 | 23 | ||
24 | # Shaarli's docs are created during the build | ||
25 | doc/html/ | ||
26 | |||
16 | # Eclipse project files | 27 | # Eclipse project files |
17 | .settings | 28 | .settings |
18 | .buildpath | 29 | .buildpath |
diff --git a/doc/md/Server-configuration.md b/doc/md/Server-configuration.md index 4e74d80b..5b8aff53 100644 --- a/doc/md/Server-configuration.md +++ b/doc/md/Server-configuration.md | |||
@@ -296,7 +296,7 @@ server { | |||
296 | location / { | 296 | location / { |
297 | # default index file when no file URI is requested | 297 | # default index file when no file URI is requested |
298 | index index.php; | 298 | index index.php; |
299 | try_files $uri /index.php$is_args$args; | 299 | try_files _ /index.php$is_args$args; |
300 | } | 300 | } |
301 | 301 | ||
302 | location ~ (index)\.php$ { | 302 | location ~ (index)\.php$ { |
@@ -309,23 +309,7 @@ server { | |||
309 | include fastcgi.conf; | 309 | include fastcgi.conf; |
310 | } | 310 | } |
311 | 311 | ||
312 | location ~ \.php$ { | 312 | location ~ /doc/html/ { |
313 | # deny access to all other PHP scripts | ||
314 | # disable this if you host other PHP applications on the same virtualhost | ||
315 | deny all; | ||
316 | } | ||
317 | |||
318 | location ~ /\. { | ||
319 | # deny access to dotfiles | ||
320 | deny all; | ||
321 | } | ||
322 | |||
323 | location ~ ~$ { | ||
324 | # deny access to temp editor files, e.g. "script.php~" | ||
325 | deny all; | ||
326 | } | ||
327 | |||
328 | location ~ /doc/ { | ||
329 | default_type "text/html"; | 313 | default_type "text/html"; |
330 | try_files $uri $uri/ $uri.html =404; | 314 | try_files $uri $uri/ $uri.html =404; |
331 | } | 315 | } |
@@ -336,13 +320,12 @@ server { | |||
336 | } | 320 | } |
337 | 321 | ||
338 | # allow client-side caching of static files | 322 | # allow client-side caching of static files |
339 | location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { | 323 | location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ { |
340 | expires max; | 324 | expires max; |
341 | add_header Cache-Control "public, must-revalidate, proxy-revalidate"; | 325 | add_header Cache-Control "public, must-revalidate, proxy-revalidate"; |
342 | # HTTP 1.0 compatibility | 326 | # HTTP 1.0 compatibility |
343 | add_header Pragma public; | 327 | add_header Pragma public; |
344 | } | 328 | } |
345 | |||
346 | } | 329 | } |
347 | ``` | 330 | ``` |
348 | 331 | ||