Make nginx config safer

Instead of allowing all image files anywhere, and disallowing non-image files under /images/, only
allow image files under /images/ and don't match non-image files elsewhere. They get proxied to web
instead and result in a 404 there.

For example, the old config allowed /exports/foo.jpg to be served, while the new config does not.
This commit is contained in:
Bart Schuurmans 2024-03-29 15:04:38 +01:00
parent e7ae0fdf93
commit 75bc4f8cb0
2 changed files with 19 additions and 21 deletions


@ -64,7 +64,7 @@ server {
# directly serve static files from the # directly serve static files from the
# bookwyrm filesystem using sendfile. # bookwyrm filesystem using sendfile.
# make the logs quieter by not reporting these requests # make the logs quieter by not reporting these requests
location ~ ^/static/ { location /static/ {
root /app; root /app;
try_files $uri =404; try_files $uri =404;
add_header X-Cache-Status STATIC; add_header X-Cache-Status STATIC;
@ -72,15 +72,14 @@ server {
} }
# same with image files not in static folder # same with image files not in static folder
location /images/ {
location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ { location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
root /app; root /app;
try_files $uri =404; try_files $uri =404;
add_header X-Cache-Status STATIC; add_header X-Cache-Status STATIC;
access_log off; access_log off;
} }
# block access to any non-image files from images # block access to any non-image files from images
location ~ ^/images/ {
return 403; return 403;
} }
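Review bot: Changing `location ~ ^/static/ {` to the plain prefix `location /static/ {` lowers its precedence rather than only simplifying it: nginx remembers the longest matching prefix but still evaluates every top-level regex location and lets the first match win, whereas the old regex form competed with other regex locations in file order. If any other top-level `location ~` in this server block (outside the hunk) can match a `/static/` or `/images/` URI, that block now takes the request instead of the sendfile block; `location ^~ /static/ {` and `location ^~ /images/ {` make the prefix match final and skip the regex pass entirely. The nested `location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$` is case-sensitive, so with the new nesting a request such as `/images/photo.JPG` appears to fall through to the outer `return 403;` rather than being served — `~*` would be needed if uploads with upper-case extensions are expected. The same change is mirrored in commented-out form in the second file section and would need the same adjustments there if that copy is meant to stay in sync.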


@ -96,23 +96,22 @@ server {
# # directly serve static files from the # # directly serve static files from the
# # bookwyrm filesystem using sendfile. # # bookwyrm filesystem using sendfile.
# # make the logs quieter by not reporting these requests # # make the logs quieter by not reporting these requests
# location ~ ^/static/ { # location /static/ {
# root /app; # root /app;
# try_files $uri =404; # try_files $uri =404;
# add_header X-Cache-Status STATIC; # add_header X-Cache-Status STATIC;
# access_log off; # access_log off;
# } # }
#
# # same with image files not in static folder # # same with image files not in static folder
# location /images/ {
# location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ { # location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
# root /app; # root /app;
# try_files $uri =404; # try_files $uri =404;
# add_header X-Cache-Status STATIC; # add_header X-Cache-Status STATIC;
# access_log off; # access_log off;
# } # }
# # block access to any non-image files from images # # block access to any non-image files from images
# location ~ ^/images/ {
# return 403; # return 403;
# } # }
# #