author | ArthurHoaro <arthur@hoa.ro> | 2020-11-07 14:27:49 +0100 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2020-11-07 14:27:49 +0100 |
commit | ce901a58289c72bf7f4dc3515a2be70562cd618b (patch) | |
tree | 73ad1883bcdbb1ac5c15e4aa9472b53ebde763d4 /doc | |
parent | 8c5f6c786d00310b2e863aa316927effb7bfeedb (diff) | |
Reviewed nginx configuration
Both in documentation and Docker image.
For security purposes, it no longer allows access to static files through
the main nginx *location*. Static files are served if their extension
matches the whitelist.
As a side effect, we no longer need specific restrictions, and
therefore it fixes the nginx part of #1608.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/md/Server-configuration.md | 23 |
1 files changed, 3 insertions, 20 deletions
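--- a/doc/md/Server-configuration.md
+++ b/doc/md/Server-configuration.md
@@ -296,7 +296,7 @@ server {
 location / {
 # default index file when no file URI is requested
 index index.php;
-try_files $uri /index.php$is_args$args;
+try_files _ /index.php$is_args$args;
 }
 
 location ~ (index)\.php$ {
@@ -309,23 +309,7 @@ server {
 include fastcgi.conf;
 }
 
-location ~ \.php$ {
-# deny access to all other PHP scripts
-# disable this if you host other PHP applications on the same virtualhost
-deny all;
-}
-
-location ~ /\. {
-# deny access to dotfiles
-deny all;
-}
-
-location ~ ~$ {
-# deny access to temp editor files, e.g. "script.php~"
-deny all;
-}
-
-location ~ /doc/ {
+location ~ /doc/html/ {
 default_type "text/html";
 try_files $uri $uri/ $uri.html =404;
 }
@@ -336,13 +320,12 @@ server {
 }
 
 # allow client-side caching of static files
-location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
+location ~* \.(?:ico|css|js|gif|jpe?g|png|ttf|oet|woff2?)$ {
 expires max;
 add_header Cache-Control "public, must-revalidate, proxy-revalidate";
 # HTTP 1.0 compatibility
 add_header Pragma public;
 }
-
 }
 ```
 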
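Review bot: The `try_files _ /index.php$is_args$args;` line in `location /` is now the only thing keeping other PHP scripts, dotfiles and editor backups from being served, yet the comment above it still reads "default index file when no file URI is requested" and nothing explains the `_` placeholder. Readers copy this listing, so I would replace that comment with something like `# "_" is a dummy name not expected to exist: every request reaching this block is handed to index.php, no file is served from here`, so that nobody restores `$uri` and quietly undoes the removal of the three `deny all` blocks. Separately, `oet` in the static-file whitelist of the last hunk looks like a typo for `eot`; as written, `.eot` fonts would presumably be routed to index.php instead of being served. The whitelist matches on extension alone anywhere under the root, so it is worth confirming that no directory below it holds files of those types that should stay private.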