From 9e0fcdc4fa47272ae5bd92c58722a806a61ec633 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 19 Apr 2019 13:37:29 +0200
Subject: [PATCH] The directive that blocks dotfile requests is now under a conditional. See https://support.d4science.org/issues/16586
---
 nginx/defaults/main.yml | 1 +
 nginx/templates/nginx-virthost.j2 | 9 +++++++++
 2 files changed, 10 insertions(+)
diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index 230c989b..bdf9240b 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -93,6 +93,7 @@ nginx_ssl_type: ssl
 # When we do not use letsencrypt:
 # nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
 # nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
+nginx_block_dotfiles: True
 # Virtualhost example
 # nginx_virthosts:
diff --git a/nginx/templates/nginx-virthost.j2 b/nginx/templates/nginx-virthost.j2
index a7119735..d8d377ee 100644
--- a/nginx/templates/nginx-virthost.j2
+++ b/nginx/templates/nginx-virthost.j2
@@ -9,12 +9,14 @@ include /etc/nginx/snippets/nginx-websockets.conf;
 server {
 listen {{ item.http_port | default ('80') }};
 server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
+{% if nginx_block_dotfiles %}
 location ~ /\.(?!well-known).* {
 deny all;
 access_log off;
 log_not_found off;
 return 404;
 }
+{% endif %}
 {% if letsencrypt_acme_install %}
 include /etc/nginx/snippets/letsencrypt-proxy.conf;
@@ -54,12 +56,14 @@ server {
 log_not_found off;
 access_log off;
 }
+{% if nginx_block_dotfiles %}
 location ~ /\. {
 deny all;
 access_log off;
 log_not_found off;
 return 404;
 }
+{% endif %}
 {% if haproxy_ips is defined %}
 # We are behind haproxy
 {% for ip in haproxy_ips %}
@@ -213,9 +217,14 @@ server {
 log_not_found off;
 access_log off;
 }
+{% if nginx_block_dotfiles %}
 location ~ /\. {
 deny all;
+ access_log off;
+ log_not_found off;
+ return 404;
 }
+{% endif %}
 {% if haproxy_ips is defined %}
 # We are behind haproxy
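Review bot: The new default `nginx_block_dotfiles: True` in nginx/defaults/main.yml (@@ -93,6) carries no comment, so an operator reading the defaults cannot tell what turning it off exposes. I would add a line above it such as `# Answer 404 to any request whose path has a dot-prefixed component (.git, .env, .htaccess); set to False only when a site must serve such paths.` Lowercase `true` is the spelling YAML linters usually expect, if the rest of the role's defaults follow it (not visible in this hunk).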
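Review bot: The guard `{% if nginx_block_dotfiles %}` at @@ -9,12 in nginx/templates/nginx-virthost.j2 is a role-wide switch, so disabling it for one site removes the dotfile block from every virtual host this template renders, including any whose document root holds a `.git` directory or a `.env` file. The template already reads per-host values from `item`, so a per-host override would keep the exception narrow, for example `{% if item.block_dotfiles | default(nginx_block_dotfiles) | bool %}` (the key name `block_dotfiles` is a suggestion, not something on the page). The `| bool` filter is worth adding on its own: a value passed as the string "False" on the command line is truthy in Jinja, so without it the toggle silently stays on. The same applies to the guards at @@ -54,12 and @@ -213,9; the server block continues outside this hunk.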
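Review bot: The location wrapped at @@ -54,12 keeps `access_log off;` and `log_not_found off;` as context, and the hunk at @@ -213,9 newly adds the same two lines to the third block, so requests for dot-prefixed paths leave no log entry on any server block. Those requests are a common sign of automated scanning, and silencing them removes data that alerting or rate limiting could use. I would keep `log_not_found off;` to avoid error-log noise but leave the access log on for these locations, or send it to a separate file. Separately, `return 404;` is handled by the rewrite module before access checks run, so `deny all;` in the same location most likely never takes effect and one of the two is enough.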