Welcome! Log In Create A New Profile

Advanced

Sensitive file blocking in location not working

Posted by talkingnews 
Sensitive file blocking in location not working
January 05, 2016 07:35AM
I want to block some sensitive files, especially all *.log files wherever they occur.
So, I copied and pasted the following example, right into the very first rule.

location ~* \.(pl|cgi|py|sh|lua|log|md5)\$ {
return 444;
}

Restarted nginx - could still get to file.

Found various other examples, some on the nginx wiki, some on StackOverflow - I modified all the examples to include "log", so for example, I end the pattern with ) or )$ or )\$ and start the pattern with ~* \.( or ~* ^.+\.( for example.

location ~* \.(pl|cgi|py|sh|lua|log|md5)\$ {
return 444;
}


location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}


location ~* \.(gif|jpg|png)$ {
return 444;
}


location ~ (\.php$|myadmin) {
return 403;
}

location ~* ^.+\.(jpg|txt)$ {
return 444;
}

I think I've tried every combination, restarted everything including the damn server, flushed my cache, tried in an incognito window and a whole new browser., double checked that nothing like cloudflare is caching the file, and still I can get to the file.

I'm starting to doubt both my own eyes and sanity! Can someone please let me know why I can still get "install.log" with those patterns?

Thanks!

PS - rest of file:

location / {
try_files $uri $uri/ =404;
index index.html index.htm index.php;
}


location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/fpm.sock;
fastcgi_index index.php;
fastcgi_ignore_client_abort on;
}
}



Edited 1 time(s). Last edit at 01/05/2016 07:36AM by talkingnews.
Re: Sensitive file blocking in location not working
January 05, 2016 08:11AM
Enable debug mode and see which location block is processing the request, there might be an issue with the order.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Sensitive file blocking in location not working
January 05, 2016 12:33PM
So you know I said I'd tried every pattern? Well I went back, CTRL-Z in the editor and I found that actually I had skipped one:

This DOES work!

location ~* \.(pl|cgi|py|sh|lua|log|md5)$ {
return 444;
}

What had happened was that I hadn't noticed that I had left the )\$ on from another example.

Question: What is the purpose of that )\$ at the end of the closing bracket? I got the example from here:
http://www.queryadmin.com/1071/deny-access-sensitive-files-nginx/

I'd like to go back and tell the page owner that it's incorrect, but does it ever hold a valid context or is it just an annoying typo that cost me an hour?

Thanks - and sorry for taking your time, but I was copying one of the many bad configs off the internet!
Re: Sensitive file blocking in location not working
January 05, 2016 01:39PM
talkingnews Wrote:
-------------------------------------------------------
> Question: What is the purpose of that )\$ at the end of the closing
> bracket? I got the example from here:

http://stackoverflow.com/questions/15205994/what-does-mean-in-this-regex

> Thanks - and sorry for taking your time, but I was copying one of the
> many bad configs off the internet!

Stop doing that or I will bill you next time :-)

---
nginx for Windows http://nginx-win.ecsds.eu/
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 74
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready