
nginx - Protect Writeable Folders From Dangerous Files


ctrlbrk


Regarding the security advisory in the ACP "Protect Writeable Folders From Dangerous Files", this only works for Apache.

Can someone share the equivalent code block for nginx assuming the default directories?  Also, the devs should really consider adding the output of this code block when the server detected is nginx...

I added this as my first location directive:

location ~* /(uploads)/.*\.(php)$ { return 403; }

I tested it and it seems to work, preventing the execution of a php file I stuck in the attachments directory as a test. If anyone can comment further it would be appreciated.



Can you share your Nginx config for IPS4?

I'm planning to switch from Apache to Nginx,

but I'm afraid, since we don't have documentation about it here.

Thank you.

I don't mind sharing, but my IPB site is not in production yet. I am not sure this is the best nginx configuration for IPS, so take it with a grain of salt.

server {
        listen xxx.xxx.xxx.xxx:80 default_server;
        server_name beta.mysite.com;

        location / {
                rewrite ^ https://beta.mysite.com$request_uri? permanent;
        }
}

server {
        listen xxx.xxx.xxx.xxx:443 ssl spdy default_server;
        server_name beta.mysite.com;


        ssl_certificate         /etc/nginx/ssl/wildcard_mysite_com.crt;
        ssl_certificate_key     /etc/nginx/ssl/wildcard_mysite_com.key;

        root /var/www/ipb;

        index index.php;

        access_log  /var/log/nginx/mysite.access.log custom buffer=32k;
        error_log   /var/log/nginx/mysite.error.log;
        #access_log off;
        log_not_found off;

        auth_basic             "Restricted";
        auth_basic_user_file   /etc/nginx/htpasswd;

        # prevent execution in sensitive directories
        location ~* /(uploads)/.*\.(php)$ { return 403; }

        location / {
                try_files $uri $uri/ /index.php;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
                deny all;
        }

        # deny access to sensitive directories
#       location ~ /(secretadmin/).* {
#               rewrite ^/secretadmin/index.php? /secretadmin/$1 last;
#               auth_basic              "Restricted";
#               auth_basic_user_file    /etc/nginx/htpasswd-ipb-admin;
#               include snippets/fastcgi-php.conf;
#               fastcgi_pass unix:/var/run/php5-fpm.sock;
#       }


        #
        # Expire static content
        #
        location ~* ^.+\.(jpg|jpeg|gif|png|ico|cur|swf|avi|mp4|flv|bmp|bin)$ {
                expires 7d;
                access_log off;
        }

        location ~* ^.+\.(css|js)$ {
                expires 7d;
                access_log off;
        }

}

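The `return 403` block only protects the uploads directory because nginx tests regex locations in the order they appear and stops at the first match, which is why the first post puts it ahead of the `\.php$` FastCGI location. The following added model (not code from either poster or from IPS) replays that selection rule over the five regex locations of the config above; the location names and the `route()` helper are ours, the patterns are the posted ones.

```python
import re

# Constructed model of nginx regex-location selection for the server block
# posted above: "~" / "~*" locations are tried in order of appearance, the
# first match wins, and a request that matches none falls back to the
# longest matching prefix location (here "location /" with try_files).
# Each entry: (name we chose, pattern copied from the config, effect).
REGEX_LOCATIONS = [
    # location ~* /(uploads)/.*\.(php)$ { return 403; }
    ("deny-uploads-php", re.compile(r"/(uploads)/.*\.(php)$", re.IGNORECASE), "403"),
    # location ~ \.php$ { fastcgi_pass ...; }
    ("php-fpm", re.compile(r"\.php$"), "fastcgi"),
    # location ~ /\.ht { deny all; }
    ("dot-ht", re.compile(r"/\.ht"), "403"),
    # location ~* ^.+\.(jpg|...|bin)$ { expires 7d; }
    ("static-media",
     re.compile(r"^.+\.(jpg|jpeg|gif|png|ico|cur|swf|avi|mp4|flv|bmp|bin)$", re.IGNORECASE),
     "static"),
    # location ~* ^.+\.(css|js)$ { expires 7d; }
    ("static-assets", re.compile(r"^.+\.(css|js)$", re.IGNORECASE), "static"),
]


def route(uri, locations=REGEX_LOCATIONS):
    """Return (location_name, effect) for a normalized URI path (no query string).

    Like nginx, the regex is unanchored unless the pattern itself uses ^ or $,
    so re.search() is the right primitive, and order in `locations` decides ties.
    """
    for name, pattern, effect in locations:
        if pattern.search(uri):
            return name, effect
    return "prefix-/", "try_files"


if __name__ == "__main__":
    # Constructed sample requests; the first must never reach PHP-FPM.
    for uri in ("/uploads/shell.php", "/index.php", "/uploads/avatar.php.jpg"):
        print(uri, "->", route(uri))
    # Same locations with the deny block moved after the FastCGI one:
    swapped = [REGEX_LOCATIONS[1], REGEX_LOCATIONS[0]] + REGEX_LOCATIONS[2:]
    print("/uploads/shell.php (deny block second) ->", route("/uploads/shell.php", swapped))
```

Running it shows the deny block winning only while it precedes `location ~ \.php$`; with the order swapped the same uploads request is handed to PHP-FPM, so the position of the block is part of the protection, not just its pattern.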
