authorArthurHoaro <arthur@hoa.ro>2020-11-07 14:27:49 +0100
committerArthurHoaro <arthur@hoa.ro>2020-11-07 14:27:49 +0100
commitce901a58289c72bf7f4dc3515a2be70562cd618b (patch)
tree73ad1883bcdbb1ac5c15e4aa9472b53ebde763d4
parent8c5f6c786d00310b2e863aa316927effb7bfeedb (diff)
Reviewed nginx configuration
Both in documentation and Docker image. For security purposes, it no longer allows access to static files through the main nginx *location*. Static files are served if their extension matches the whitelist. As a side effect, we no longer need specific restrictions, and therefore it fixes the nginx part of #1608.
-rw-r--r--.docker/nginx.conf43
-rw-r--r--.dockerignore11
-rw-r--r--doc/md/Server-configuration.md23
3 files changed, 26 insertions, 51 deletions
diff --git a/.docker/nginx.conf b/.docker/nginx.conf
index 023f52c1..30810a87 100644
--- a/.docker/nginx.conf
+++ b/.docker/nginx.conf
@@ -17,27 +17,13 @@ http {
17 index index.html index.php; 17 index index.html index.php;
18 18
19 server { 19 server {
20 listen 80; 20 listen 80;
21 root /var/www/shaarli; 21 root /var/www/shaarli;
22 22
23 access_log /var/log/nginx/shaarli.access.log; 23 access_log /var/log/nginx/shaarli.access.log;
24 error_log /var/log/nginx/shaarli.error.log; 24 error_log /var/log/nginx/shaarli.error.log;
25 25
26 location ~ /\. { 26 location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ {
27 # deny access to dotfiles
28 access_log off;
29 log_not_found off;
30 deny all;
31 }
32
33 location ~ ~$ {
34 # deny access to temp editor files, e.g. "script.php~"
35 access_log off;
36 log_not_found off;
37 deny all;
38 }
39
40 location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
41 # cache static assets 27 # cache static assets
42 expires max; 28 expires max;
43 add_header Pragma public; 29 add_header Pragma public;
@@ -49,30 +35,25 @@ http {
49 alias /var/www/shaarli/images/favicon.ico; 35 alias /var/www/shaarli/images/favicon.ico;
50 } 36 }
51 37
38 location /doc/html/ {
39 default_type "text/html";
40 try_files $uri $uri/ $uri.html =404;
41 }
42
52 location / { 43 location / {
53 # Slim - rewrite URLs 44 # Slim - rewrite URLs & do NOT serve static files through this location
54 try_files $uri /index.php$is_args$args; 45 try_files _ /index.php$is_args$args;
55 } 46 }
56 47
57 location ~ (index)\.php$ { 48 location ~ index\.php$ {
58 # Slim - split URL path into (script_filename, path_info) 49 # Slim - split URL path into (script_filename, path_info)
59 try_files $uri =404; 50 try_files $uri =404;
60 fastcgi_split_path_info ^(.+\.php)(/.+)$; 51 fastcgi_split_path_info ^(index.php)(/.+)$;
61 52
62 # filter and proxy PHP requests to PHP-FPM 53 # filter and proxy PHP requests to PHP-FPM
63 fastcgi_pass unix:/var/run/php-fpm.sock; 54 fastcgi_pass unix:/var/run/php-fpm.sock;
64 fastcgi_index index.php; 55 fastcgi_index index.php;
65 include fastcgi.conf; 56 include fastcgi.conf;
66 } 57 }
67
68 location ~ /doc/ {
69 default_type "text/html";
70 try_files $uri $uri/ $uri.html =404;
71 }
72
73 location ~ \.php$ {
74 # deny access to all other PHP scripts
75 deny all;
76 }
77 } 58 }
78} 59}
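Review bot: The extension whitelist on new line 26 includes `oet`, which looks like a typo for `eot` (Embedded OpenType); as written, any `.eot` font that may be shipped with the templates would miss this location, fall through to `location /` and be rewritten to `index.php`. The same list is added at new line 323 of doc/md/Server-configuration.md, so both should read `location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|eot|woff2?)$ {`. On new line 51, `fastcgi_split_path_info ^(index.php)(/.+)$;` can never match inside `location ~ index\.php$` — that location only matches URIs ending in `index.php`, so there is no trailing path info to capture, and the pattern also lacks the leading `/` — so it can be dropped or kept with a comment such as `# never matches here: requests with path info are routed through the rewrite in location /`. Lastly, the whitelist location is not anchored to any directory, so a matching extension anywhere under `root` is served (including files under `data/`, `pagecache/` or `tmp/` if those exist in the deployed tree); if that is not intended, restrict the regex to the asset directories or add a deny rule for those paths ahead of it.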
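--- a/.dockerignore
+++ b/.dockerignore
@@ -2,8 +2,16 @@
 .dev
 .git
 .github
+.gitattributes
+.gitignore
+.travis.yml
 tests
 
+# Docker related resources are not needed inside the container
+.dockerignore
+Dockerfile
+Dockerfile.armhf
+
 # Docker Compose resources
 docker-compose.yml
 
@@ -13,6 +21,9 @@ data/*
 pagecache/*
 tmp/*
 
+# Shaarli's docs are created during the build
+doc/html/
+
 # Eclipse project files
 .settings
 .buildpath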
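--- a/doc/md/Server-configuration.md
+++ b/doc/md/Server-configuration.md
@@ -296,7 +296,7 @@ server {
 location / {
 # default index file when no file URI is requested
 index index.php;
-try_files $uri /index.php$is_args$args;
+try_files _ /index.php$is_args$args;
 }
 
 location ~ (index)\.php$ {
@@ -309,23 +309,7 @@ server {
 include fastcgi.conf;
 }
 
-location ~ \.php$ {
-# deny access to all other PHP scripts
-# disable this if you host other PHP applications on the same virtualhost
-deny all;
-}
-
-location ~ /\. {
-# deny access to dotfiles
-deny all;
-}
-
-location ~ ~$ {
-# deny access to temp editor files, e.g. "script.php~"
-deny all;
-}
-
-location ~ /doc/ {
+location ~ /doc/html/ {
 default_type "text/html";
 try_files $uri $uri/ $uri.html =404;
 }
@@ -336,13 +320,12 @@ server {
 }
 
 # allow client-side caching of static files
-location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
+location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ {
 expires max;
 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
 # HTTP 1.0 compatibility
 add_header Pragma public;
 }
-
 }
 ```
 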