nginx: create the document root if different from the default. Deny access to the filenames that start with a .

2017-11-07 00:09:01 +01:00 · 2017-11-07 00:09:01 +01:00 · 14f4fc2c08
parent fe75249c69
commit 14f4fc2c08
3 changed files with 30 additions and 10 deletions
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@ -76,6 +76,7 @@ nginx_basic_auth_users:
  - { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
 # nginx_ldap_login_attribute: uid
 # nginx_ldap_pam_groupdn:
+nginx_webroot: /usr/share/nginx/html
 nginx_letsencrypt_managed: True
 nginx_websockets_support: False
 nginx_use_common_virthost: False
@ -96,7 +97,7 @@ nginx_ssl_type: ssl
 #     ssl_enabled: False
 #     ssl_only: False
 #     ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
-#     root: /usr/share/nginx/html/
+#     root: {{ nginx_webroot }}
 #     server_tokens: 'off'
 #     proxy_standard_setup: True
 #     proxy_additional_options:
--- a/nginx/tasks/nginx-virtualhosts.yml
+++ b/nginx/tasks/nginx-virtualhosts.yml
@ -1,12 +1,17 @@
 ---
+- block:
+    - name: Create the nginx webroot if different from the default
+      file: dest={{ nginx_webroot }} mode=0755
+      when: nginx_webroot != '/usr/share/nginx/html'
+
    - name: Install the nginx virtualhost files
      template: src=nginx-virthost.j2 dest=/etc/nginx/sites-available/{{ item.virthost_name }} owner=root group=root mode=0444
      with_items: '{{ nginx_virthosts | default(omit) }}'
      notify: Reload nginx
-  tags: [ 'nginx', 'virtualhost' ]

    - name: Enable the nginx virtualhosts
      file: src=/etc/nginx/sites-available/{{ item.virthost_name }} dest=/etc/nginx/sites-enabled/{{ item.virthost_name }} state=link
      with_items: '{{ nginx_virthosts | default(omit) }}'
      notify: Reload nginx
+
  tags: [ 'nginx', 'virtualhost' ]
--- a/nginx/templates/nginx-virthost.j2
+++ b/nginx/templates/nginx-virthost.j2
@ -1,7 +1,13 @@
 server {
    listen {{ item.http_port | default (80) }};
    server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
+    location ~ /\.(?!well-known).* {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
 {% if letsencrypt_acme_install %}
+## Disable .htaccess and other hidden files
    include /etc/nginx/snippets/letsencrypt-proxy.conf;
 {% endif %}
    {% if item.access_log is defined %}
@ -36,6 +42,11 @@ server {
        log_not_found off;
        access_log off;
    }
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
    {% if haproxy_ips is defined %}
    # We are behind haproxy
    {% for ip in haproxy_ips %}
@ -128,6 +139,9 @@ server {
        log_not_found off;
        access_log off;
    }
+    location ~ /\. {
+        deny all;
+    }
    {% if haproxy_ips is defined %}
    # We are behind haproxy
    {% for ip in haproxy_ips %}