author | ArthurHoaro <arthur@hoa.ro> | 2020-11-08 13:13:13 +0100 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2020-11-08 13:13:13 +0100 |
commit | 8a9796014ce6c842095a9d031c8cbf40da761e0f (patch) | |
tree | 43542f3bcdd7effd4676c601349c655b82229ddc /doc | |
parent | 8c5f6c786d00310b2e863aa316927effb7bfeedb (diff) | |
download | Shaarli-8a9796014ce6c842095a9d031c8cbf40da761e0f.tar.gz Shaarli-8a9796014ce6c842095a9d031c8cbf40da761e0f.tar.zst Shaarli-8a9796014ce6c842095a9d031c8cbf40da761e0f.zip |
Reviewed Apache configuration
(in documentation)
For security purpose, block access to any static file not matching the list of allowed extensions.
It allows us to remove the specific restriction on dotfiles, and fixes the Apache part of #1608.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/md/Server-configuration.md | 19 |
1 files changed, 12 insertions, 7 deletions
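--- a/doc/md/Server-configuration.md
+++ b/doc/md/Server-configuration.md
@@ -193,19 +193,24 @@ sudo nano /etc/apache2/sites-available/shaarli.mydomain.org.conf
 Require all granted
 </Directory>
 
-<LocationMatch "/\.">
-# Prevent accessing dotfiles
-RedirectMatch 404 ".*"
-</LocationMatch>
+# BE CAREFUL: directives order matter!
 
-<LocationMatch "\.(?:ico|css|js|gif|jpe?g|png)$">
+<FilesMatch ".*\.(?!(ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$)[^\.]*$">
+Require all denied
+</FilesMatch>
+
+<Files "index.php">
+Require all granted
+</Files>
+
+<FilesMatch "\.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2)$">
 # allow client-side caching of static files
 Header set Cache-Control "max-age=2628000, public, must-revalidate, proxy-revalidate"
-</LocationMatch>
+</FilesMatch>
+
 
 # serve the Shaarli favicon from its custom location
 Alias favicon.ico /var/www/shaarli.mydomain.org/images/favicon.ico
-
 </VirtualHost>
 ```
 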
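Review bot: Both new FilesMatch patterns (new lines 198 and 206) list `oet`, which looks like a typo for the Embedded OpenType extension `eot`; as written a `.eot` font falls into the deny-all block while an `.oet` name is allowed, so the intended font exception is silently not applied. The two patterns also disagree on WOFF: the allow-list uses `woff2?` (serving both `.woff` and `.woff2`) while the caching block uses `woff2` only, so plain `.woff` files are served without the Cache-Control header. Suggested change on both lines: replace `oet` with `eot`, and on line 206 use `woff2?` to match line 198. One further point worth a sentence in the doc: the deny pattern requires a dot in the file name, so extension-less files in the web root are not covered by it — if that is intentional, saying so next to the "directives order matter" comment would help readers auditing the rule.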