mirror of
https://github.com/bookwyrm-social/bookwyrm.git
synced 2024-11-25 02:51:13 +00:00
Make nginx config safer
Instead of allowing all image files anywhere, and disallowing non-image file under /images/, only allow image files under /images/ and don't match non-image files elsewhere. They get proxied to web instead and result in a 404 there. For example, the old config allowed /exports/foo.jpg to be served, while the new config does not.
This commit is contained in:
parent
e7ae0fdf93
commit
75bc4f8cb0
2 changed files with 19 additions and 21 deletions
|
@ -64,7 +64,7 @@ server {
|
||||||
# directly serve static files from the
|
# directly serve static files from the
|
||||||
# bookwyrm filesystem using sendfile.
|
# bookwyrm filesystem using sendfile.
|
||||||
# make the logs quieter by not reporting these requests
|
# make the logs quieter by not reporting these requests
|
||||||
location ~ ^/static/ {
|
location /static/ {
|
||||||
root /app;
|
root /app;
|
||||||
try_files $uri =404;
|
try_files $uri =404;
|
||||||
add_header X-Cache-Status STATIC;
|
add_header X-Cache-Status STATIC;
|
||||||
|
@ -72,15 +72,14 @@ server {
|
||||||
}
|
}
|
||||||
|
|
||||||
# same with image files not in static folder
|
# same with image files not in static folder
|
||||||
|
location /images/ {
|
||||||
location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
|
location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
|
||||||
root /app;
|
root /app;
|
||||||
try_files $uri =404;
|
try_files $uri =404;
|
||||||
add_header X-Cache-Status STATIC;
|
add_header X-Cache-Status STATIC;
|
||||||
access_log off;
|
access_log off;
|
||||||
}
|
}
|
||||||
|
|
||||||
# block access to any non-image files from images
|
# block access to any non-image files from images
|
||||||
location ~ ^/images/ {
|
|
||||||
return 403;
|
return 403;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -96,23 +96,22 @@ server {
|
||||||
# # directly serve static files from the
|
# # directly serve static files from the
|
||||||
# # bookwyrm filesystem using sendfile.
|
# # bookwyrm filesystem using sendfile.
|
||||||
# # make the logs quieter by not reporting these requests
|
# # make the logs quieter by not reporting these requests
|
||||||
# location ~ ^/static/ {
|
# location /static/ {
|
||||||
# root /app;
|
# root /app;
|
||||||
# try_files $uri =404;
|
# try_files $uri =404;
|
||||||
# add_header X-Cache-Status STATIC;
|
# add_header X-Cache-Status STATIC;
|
||||||
# access_log off;
|
# access_log off;
|
||||||
# }
|
# }
|
||||||
|
#
|
||||||
# # same with image files not in static folder
|
# # same with image files not in static folder
|
||||||
|
# location /images/ {
|
||||||
# location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
|
# location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
|
||||||
# root /app;
|
# root /app;
|
||||||
# try_files $uri =404;
|
# try_files $uri =404;
|
||||||
# add_header X-Cache-Status STATIC;
|
# add_header X-Cache-Status STATIC;
|
||||||
# access_log off;
|
# access_log off;
|
||||||
# }
|
# }
|
||||||
|
|
||||||
# # block access to any non-image files from images
|
# # block access to any non-image files from images
|
||||||
# location ~ ^/images/ {
|
|
||||||
# return 403;
|
# return 403;
|
||||||
# }
|
# }
|
||||||
#
|
#
|
||||||
|
|
Loading…
Reference in a new issue