Sensitive file blocking in location not working

Posted by talkingnews 
Sensitive file blocking in location not working
January 05, 2016 07:35AM
I want to block some sensitive files, especially all *.log files wherever they occur.
So, I copied and pasted the following example, right into the very first rule.

location ~* \.(pl|cgi|py|sh|lua|log|md5)\$ {
    return 444;
}

Restarted nginx - could still get to file.

Found various other examples, some on the nginx wiki, some on StackOverflow - I modified all the examples to include "log", so for example, I end the pattern with ) or )$ or )\$ and start the pattern with ~* \.( or ~* ^.+\.( for example.

location ~* \.(pl|cgi|py|sh|lua|log|md5)\$ {
    return 444;
}

location ~* \.(pl|cgi|py|sh|lua)\$ {
    return 444;
}

location ~* \.(gif|jpg|png)$ {
    return 444;
}

location ~ (\.php$|myadmin) {
    return 403;
}

location ~* ^.+\.(jpg|txt)$ {
    return 444;
}

I think I've tried every combination, restarted everything including the damn server, flushed my cache, tried in an incognito window and a whole new browser, double-checked that nothing like Cloudflare is caching the file, and still I can get to the file.

I'm starting to doubt both my own eyes and sanity! Can someone please let me know why I can still get "install.log" with those patterns?

Thanks!

PS - rest of file:

location / {
    try_files $uri $uri/ =404;
    index index.html index.htm index.php;
}

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/fpm.sock;
    fastcgi_index index.php;
    fastcgi_ignore_client_abort on;
}
}



Edited 1 time(s). Last edit at 01/05/2016 07:36AM by talkingnews.
Re: Sensitive file blocking in location not working
January 05, 2016 08:11AM
Enable debug mode and see which location block is processing the request, there might be an issue with the order.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Sensitive file blocking in location not working
January 05, 2016 12:33PM
So you know I said I'd tried every pattern? Well I went back, CTRL-Z in the editor and I found that actually I had skipped one:

This DOES work!

location ~* \.(pl|cgi|py|sh|lua|log|md5)$ {
    return 444;
}

What had happened was that I hadn't noticed that I had left the )\$ on from another example.

Question: What is the purpose of that )\$ at the end of the closing bracket? I got the example from here:
http://www.queryadmin.com/1071/deny-access-sensitive-files-nginx/

I'd like to go back and tell the page owner that it's incorrect, but does it ever hold a valid context or is it just an annoying typo that cost me an hour?

Thanks - and sorry for taking your time, but I was copying one of the many bad configs off the internet!
Re: Sensitive file blocking in location not working
January 05, 2016 01:39PM
talkingnews Wrote:
-------------------------------------------------------
> Question: What is the purpose of that )\$ at the end of the closing
> bracket? I got the example from here:

http://stackoverflow.com/questions/15205994/what-does-mean-in-this-regex

> Thanks - and sorry for taking your time, but I was copying one of the
> many bad configs off the internet!

Stop doing that or I will bill you next time :-)

---
nginx for Windows http://nginx-win.ecsds.eu/
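
Added example, not part of the original thread or of nginx: a small Python check that shows why the `)\$` pattern never blocks "install.log" while the `)$` pattern does, and flags regex locations that end in an escaped dollar sign. The helper names (`regex_locations`, `first_match`, `literal_dollar_endings`) and the two sample configs are constructed for illustration, and Python's `re` is assumed to behave like nginx's PCRE for these simple patterns.

```python
import re

# Constructed sample configs: the pattern copied in the thread and the corrected one.
BROKEN = r"""
location ~* \.(pl|cgi|py|sh|lua|log|md5)\$ {
    return 444;
}
"""
FIXED = r"""
location ~* \.(pl|cgi|py|sh|lua|log|md5)$ {
    return 444;
}
"""

# Matches "location ~ PATTERN {" and "location ~* PATTERN {" lines.
LOCATION_RE = re.compile(r"^\s*location\s+(~\*?)\s+(\S+)\s*\{", re.MULTILINE)


def regex_locations(conf):
    """Return (pattern, case_insensitive) for each regex location, in file order."""
    return [(m.group(2), m.group(1) == "~*") for m in LOCATION_RE.finditer(conf)]


def first_match(conf, uri):
    """Pattern of the first regex location that matches uri, or None.

    nginx picks the first matching regex location in configuration order;
    Python's re stands in for PCRE here (assumption, see lead-in).
    """
    for pattern, nocase in regex_locations(conf):
        if re.search(pattern, uri, re.IGNORECASE if nocase else 0):
            return pattern
    return None


def literal_dollar_endings(conf):
    """Patterns ending in an escaped '$', which matches a literal dollar
    character instead of anchoring at the end of the URI."""
    return [p for p, _ in regex_locations(conf)
            if re.search(r"(?<!\\)(?:\\\\)*\\\$$", p)]


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "blocks /install.log:", first_match(conf, "/install.log") is not None)
        print(name, "suspicious patterns:", literal_dollar_endings(conf))
```

Running the same check against a list of paths that must be denied, before reloading nginx, catches a deny rule that silently matches nothing.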