mirrors/bookwyrm
1
0
Fork 1
mirror of https://github.com/bookwyrm-social/bookwyrm.git synced 2024-05-17 07:53:02 +00:00
Code Issues Projects Releases Wiki Activity

Make nginx config safer

Browse source 
Instead of allowing all image files anywhere, and disallowing non-image file under /images/, only
allow image files under /images/ and don't match non-image files elsewhere. They get proxied to web
instead and result in a 404 there.

For example, the old config allowed /exports/foo.jpg to be served, while the new config does not.
This commit is contained in:
Bart Schuurmans 2024-03-29 15:04:38 +01:00
parent e7ae0fdf93
commit 75bc4f8cb0
2 changed files with 19 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
nginx/development
View file

@ -64,7 +64,7 @@ server {
# directly serve static files from the # directly serve static files from the
# bookwyrm filesystem using sendfile. # bookwyrm filesystem using sendfile.
# make the logs quieter by not reporting these requests # make the logs quieter by not reporting these requests
location ~ ^/static/ { location /static/ {
root /app; root /app;
try_files $uri =404; try_files $uri =404;
add_header X-Cache-Status STATIC; add_header X-Cache-Status STATIC;
@ -72,15 +72,14 @@ server {
} }
# same with image files not in static folder # same with image files not in static folder
location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ { location /images/ {
root /app; location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
try_files $uri =404; root /app;
add_header X-Cache-Status STATIC; try_files $uri =404;
access_log off; add_header X-Cache-Status STATIC;
} access_log off;
}
# block access to any non-image files from images # block access to any non-image files from images
location ~ ^/images/ {
return 403; return 403;
} }

21
nginx/production
View file

@ -96,23 +96,22 @@ server {
# # directly serve static files from the # # directly serve static files from the
# # bookwyrm filesystem using sendfile. # # bookwyrm filesystem using sendfile.
# # make the logs quieter by not reporting these requests # # make the logs quieter by not reporting these requests
# location ~ ^/static/ { # location /static/ {
# root /app; # root /app;
# try_files $uri =404; # try_files $uri =404;
# add_header X-Cache-Status STATIC; # add_header X-Cache-Status STATIC;
# access_log off; # access_log off;
# } # }
#
# # same with image files not in static folder # # same with image files not in static folder
# location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ { # location /images/ {
# root /app; # location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
# try_files $uri =404; # root /app;
# add_header X-Cache-Status STATIC; # try_files $uri =404;
# access_log off; # add_header X-Cache-Status STATIC;
# } # access_log off;
# }
# # block access to any non-image files from images # # block access to any non-image files from images
# location ~ ^/images/ {
# return 403; # return 403;
# } # }
# #