Hello!

On Wed, Nov 12, 2014 at 05:26:27AM -0500, carlg wrote:

> HI,
>
> I want to configure our nginx to be a little more paranoid concerning file
> access.
>
> Right now, i am using rules like :
>
> location /includes {
> allow 127.0.0.1;
> deny all;
> }
>
> ... but i need to repeat this kind of rules for every folders, and then
> restrict access to the php files inside. So our rules file is too long,
> complicated and getting very messy. Also, this doesn't protect the php
> files, only the folders. so i need to add more and more rules, always.
>
> The php files a visitor require to be able to reach directly are in / (like
> index.php, login.php, etc..)
>
> I would like to restrict every other files to 127.0.0.1, and then add some
> rules to allow all traffic only where required.
>
> But i cannot figure out how i can achieve this with nginx. I'm pretty sure
> there is a single rule that can do this. :D
>
> Any help will be very appreciated, and may help may others i am sure to be
> more secure

Most secure approach would be to explicitly allow access to
certain files by using access rules at server (or even http)
level, like this:

server {
...

allow 127.0.0.2;
deny all;

location = /file_to_be_allowed {
allow all;
...
}

...
}

Note that you have configure all required processing, not just
access rules. That is, for php files you'll have to configure
fastcgi_pass/whatever as appropriate.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx