Hi,
I have a small server running nginx and hosting a dokuwiki site. For security reason some directories of the dokuwiki install should be accessed by the outside world so my nginx site file is like that :
[code]
server {
listen 80; ## listen for ipv4
server_name XXX;
access_log /var/log/nginx/xxx.access.log;
error_log /var/log/nginx/xxx.error.log notice;
rewrite_log on;
root /var/www/xxx;
index doku.php;
location ~ ^/(data|conf|bin|inc) {
deny all;
}
location / {
try_files $uri $uri/ @dokuwiki;
}
location @dokuwiki {
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/tag/(.*) /doku.php?id=tag:$1&do=showtag&tag=tag:$1 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
[/code]
Notice the fact that the directories data, conf, bin and inc are denied.
With ipv4 only (like in the previous config file), everything works great : the wiki is working great and the forbidden directories are well protected.
Yesterday I made one change listen 80 -> listen [::]:80 (to enable ipv6) and all the forbidden directories are not protected anymore (anybody with ipv4 or ipv6 can access them). Reverting to ipv4 (listen 80) fix the problem.
I tried to change my configuration file that way
[code]
listen 80; ## listen for ipv4
listen [::]:80 default ipv6only=on;
[/code]
to have two explicit bind.
And if I force my browser to use ipv4 the directories are protected. If my browser use ipv6 the directories are not protected anymore.
So I have many questions :
- Is my configuration file wrong ?
- Is there something wrong with ipv6 and nginx ?
- Does anybody already had this problem ?
Thanks in advance.
Vlad