mirror of
https://github.com/bookwyrm-social/bookwyrm.git
synced 2024-11-21 17:11:06 +00:00
Make nginx config safer
Instead of allowing all image files anywhere, and disallowing non-image file under /images/, only allow image files under /images/ and don't match non-image files elsewhere. They get proxied to web instead and result in a 404 there. For example, the old config allowed /exports/foo.jpg to be served, while the new config does not.
This commit is contained in:
parent
e7ae0fdf93
commit
75bc4f8cb0
2 changed files with 19 additions and 21 deletions
|
@ -64,7 +64,7 @@ server {
|
|||
# directly serve static files from the
|
||||
# bookwyrm filesystem using sendfile.
|
||||
# make the logs quieter by not reporting these requests
|
||||
location ~ ^/static/ {
|
||||
location /static/ {
|
||||
root /app;
|
||||
try_files $uri =404;
|
||||
add_header X-Cache-Status STATIC;
|
||||
|
@ -72,15 +72,14 @@ server {
|
|||
}
|
||||
|
||||
# same with image files not in static folder
|
||||
location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
|
||||
root /app;
|
||||
try_files $uri =404;
|
||||
add_header X-Cache-Status STATIC;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# block access to any non-image files from images
|
||||
location ~ ^/images/ {
|
||||
location /images/ {
|
||||
location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
|
||||
root /app;
|
||||
try_files $uri =404;
|
||||
add_header X-Cache-Status STATIC;
|
||||
access_log off;
|
||||
}
|
||||
# block access to any non-image files from images
|
||||
return 403;
|
||||
}
|
||||
|
||||
|
|
|
@ -96,23 +96,22 @@ server {
|
|||
# # directly serve static files from the
|
||||
# # bookwyrm filesystem using sendfile.
|
||||
# # make the logs quieter by not reporting these requests
|
||||
# location ~ ^/static/ {
|
||||
# location /static/ {
|
||||
# root /app;
|
||||
# try_files $uri =404;
|
||||
# add_header X-Cache-Status STATIC;
|
||||
# access_log off;
|
||||
# }
|
||||
|
||||
#
|
||||
# # same with image files not in static folder
|
||||
# location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
|
||||
# root /app;
|
||||
# try_files $uri =404;
|
||||
# add_header X-Cache-Status STATIC;
|
||||
# access_log off;
|
||||
# }
|
||||
|
||||
# # block access to any non-image files from images
|
||||
# location ~ ^/images/ {
|
||||
# location /images/ {
|
||||
# location ~ \.(bmp|ico|jpg|jpeg|png|svg|tif|tiff|webp)$ {
|
||||
# root /app;
|
||||
# try_files $uri =404;
|
||||
# add_header X-Cache-Status STATIC;
|
||||
# access_log off;
|
||||
# }
|
||||
# # block access to any non-image files from images
|
||||
# return 403;
|
||||
# }
|
||||
#
|
||||
|
|
Loading…
Reference in a new issue