Welcome! Log In Create A New Profile

Advanced

Forbid web.config page from the browser as in https://mydomain.com/web.config

November 12, 2020 08:48AM
Hi,

I am running the Nginx version: nginx/1.16.1 on CentOS Linux release
7.8.2003 (Core). I am trying to forbid/prevent web.config file to
download it from the browser. When I hit
https://mydomain.com/web.config it is allowing me to download instead of
forbidding the page ( 403 Forbidden). I am sharing the below nginx.conf
file for your reference.

server {
> server_name _;
> root /var/www/html/apcv3/docroot; ## <-- Your only path reference.
> location /dacv3 {
> alias /var/www/html/apcv3/docroot;
> index index.php;
> location ~ \.php$ {
> include fastcgi_params;
> # Block httpoxy attacks. See https://httpoxy.org/.
> fastcgi_param HTTP_PROXY "";
> fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
> fastcgi_param PATH_INFO $fastcgi_path_info;
> fastcgi_param QUERY_STRING $query_string;
> fastcgi_intercept_errors on;
> fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
> }
> }
> location = /favicon.ico {
> log_not_found off;
> access_log off;
> }
> location = /robots.txt {
> allow all;
> log_not_found off;
> access_log off;
> }
> # Very rarely should these ever be accessed outside of your lan
> location ~* \.(txt|log)$ {
> allow 192.168.0.0/16;
> deny all;
> }
> location ~ \..*/.*\.php$ {
> return 403;
> }
> location ~ ^/sites/.*/private/ {
> return 403;
> }
> # Block access to scripts in site files directory
> location ~ ^/sites/[^/]+/files/.*\.php$ {
> deny all;
> }
> # Allow "Well-Known URIs" as per RFC 5785
> location ~* ^/.well-known/ {
> allow all;
> }
> # Block access to "hidden" files and directories whose names begin
> with a
> # period. This includes directories used by version control systems
> such
> # as Subversion or Git to store control files.
> location ~ (^|/)\. {
> return 403;
> }
> location / {
> # try_files $uri @rewrite; # For Drupal <= 6
> try_files $uri /index.php?$query_string; # For Drupal >= 7
> }
> location @rewrite {
> rewrite ^/(.*)$ /index.php?q=$1;
> }
> # Don't allow direct access to PHP files in the vendor directory.
> location ~ /vendor/.*\.php$ {
> deny all;
> return 404;
> }
> # Protect files and directories from prying eyes.
> location ~*
> \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$
> {
> deny all;
> return 404;
> }
> location ^~ /web.config {
> deny all;
> }
> # In Drupal 8, we must also match new paths where the '.php' appears in
> # the middle, such as update.php/selection. The rule we use is strict,
> # and only allows this pattern with the update.php front controller.
> # This allows legacy path aliases in the form of
> # blog/index.php/legacy-path to continue to route to Drupal nodes. If
> # you do not have any paths like that, then you might prefer to use a
> # laxer rule, such as:
> # location ~ \.php(/|$) {
> # The laxer rule will continue to work if Drupal uses this new URL
> # pattern with front controllers other than update.php in a future
> # release.
> location ~ '\.php$|^/update.php' {
> fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
> # Security note: If you're running a version of PHP older than the
> # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
> # See http://serverfault.com/q/627903/94922 for details.
> include fastcgi_params;
> # Block httpoxy attacks. See https://httpoxy.org/.
> fastcgi_param HTTP_PROXY "";
> fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
> fastcgi_param PATH_INFO $fastcgi_path_info;
> fastcgi_param QUERY_STRING $query_string;
> fastcgi_intercept_errors on;
> # PHP 5 socket location.
> #fastcgi_pass unix:/var/run/php5-fpm.sock;
> # PHP 7 socket location.
> fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
> }
> # Fighting with Styles? This little gem is amazing.
> # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
> location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
> try_files $uri @rewrite;
> }
> # Handle private files through Drupal. Private file's path can come
> # with a language prefix.
> location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
> try_files $uri /index.php?$query_string;
> }
> location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
> try_files $uri @rewrite;
> expires max;
> log_not_found off;
> }
> }


Please let me know if I am missing anything in the Nginx config file.
Thanks in advance and I look forward to hearing from you.

Best Regards,

Kaushal
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Forbid web.config page from the browser as in https://mydomain.com/web.config

kaushalshriyan November 12, 2020 08:48AM

Re: Forbid web.config page from the browser as in https://mydomain.com/web.config

Francis Daly November 12, 2020 09:44AM

Re: Forbid web.config page from the browser as in https://mydomain.com/web.config

kaushalshriyan November 12, 2020 07:24PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 67
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready