We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Preventing users from adding file formats to nginx
-
- Posts: 40
- Joined: Mon Dec 22, 2014 1:29 pm
Preventing users from adding file formats to nginx
I understand in the case of Vesta that nginx is functioning as a reverse proxy, but I find a flaw in one thing. When one adds a web domain to ones account, that user can then add and delete extensions is there a reason for this? Shouldn't the admin set what file formats are supported?
What do I need to do to prevent users from being able to add extensions or removing extensions?
What do I need to do to prevent users from being able to add extensions or removing extensions?
Re: Preventing users from adding file formats to nginx
One user = one domaineagles051387 wrote:I understand in the case of Vesta that nginx is functioning as a reverse proxy, but I find a flaw in one thing. When one adds a web domain to ones account, that user can then add and delete extensions is there a reason for this? Shouldn't the admin set what file formats are supported? What do I need to do to prevent users from being able to add extensions or removing extensions?
It's simple logic and tight security.
And those nginx extensions it's for nginx setting "location" (code below). Bad or not add or delete extensions? Mmm... tricky question! If you have extention in config, then this request will be done by nginx. If not, then apache will be do it. When apache processes the request, the resources spent a more.
This line in config for user /conf/web/nginx.conf:
Code: Select all
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mp4|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
A request “/logo.gif” is matched by the prefix location “/” first and then by the regular expression “\.(gif|jpg|png)$”, therefore, it is handled by the latter location. Using the directive “root /data/www” the request is mapped to the file /data/www/logo.gif, and the file is sent to the client.
-
- Posts: 40
- Joined: Mon Dec 22, 2014 1:29 pm
Re: Preventing users from adding file formats to nginx
is there a way to prevent users from modifying their web domain on their account in terms of extensions? What I mean is if you click on web and edit your domain you have the nginx box with the extensions there it seems a plain user can just add and remove extensions. Shouldn't this be done only by the administrator?
Re: Preventing users from adding file formats to nginx
If user add or remove extension, nothing critical will not happen.eagles051387 wrote:is there a way to prevent users from modifying their web domain on their account in terms of extensions?
In current version - nope, no standat way. But you can edit /usr/local/vesta/web/templates/user/edit_web.html and remove proxy settings, from this and-and-and
Code: Select all
<table style="display:<?php if (empty($v_proxy)) { echo 'none';} else {echo 'block';}?> ;" id="proxytable">
Code: Select all
<tr>
<td class="step-left">
<table style="display:<?php if (empty($v_proxy)) { echo 'none';} else {echo 'block';}?> ;" id="proxytable">
<tr>
<td class="vst-text" style="padding: 12px 0 0 0;">
<?php print __('Proxy Extensions');?>
</td>
</tr>
<tr>
<td>
<textarea size="20" class="vst-textinput" name="v_proxy_ext"><?php if (!empty($v_proxy_ext)) { echo $v_proxy_ext;} else { echo 'jpeg, jpg, png, gif, bmp, ic$
</td>
</tr>
</table>
</td>
</tr>
-
- Posts: 40
- Joined: Mon Dec 22, 2014 1:29 pm
Re: Preventing users from adding file formats to nginx
What will the system do with the extensions that the user would have added how does it handle them or does it ignore them?
skurudo wrote:If user add or remove extension, nothing critical will not happen.eagles051387 wrote:is there a way to prevent users from modifying their web domain on their account in terms of extensions?
In current version - nope, no standat way. But you can edit /usr/local/vesta/web/templates/user/edit_web.html and remove proxy settings, from this and-and-andI think, this part (it's not tested, please make a copy!)Code: Select all
<table style="display:<?php if (empty($v_proxy)) { echo 'none';} else {echo 'block';}?> ;" id="proxytable">
Code: Select all
<tr> <td class="step-left"> <table style="display:<?php if (empty($v_proxy)) { echo 'none';} else {echo 'block';}?> ;" id="proxytable"> <tr> <td class="vst-text" style="padding: 12px 0 0 0;"> <?php print __('Proxy Extensions');?> </td> </tr> <tr> <td> <textarea size="20" class="vst-textinput" name="v_proxy_ext"><?php if (!empty($v_proxy_ext)) { echo $v_proxy_ext;} else { echo 'jpeg, jpg, png, gif, bmp, ic$ </td> </tr> </table> </td> </tr>
Re: Preventing users from adding file formats to nginx
Oh... my idea was, you can edit user interface and make, what do you want. With this "corrections" your users can't see this part of control panel.
Nginx will take files with extensions "directly" from folders, apache2 will do nothing with those files. Otherwise webserver apache2 will do all job.
"System" add these extension in config for Nginx - /home/user/conf/web/nginx.confeagles051387 wrote:What will the system do with the extensions that the user would have added how does it handle them or does it ignore them?
Nginx will take files with extensions "directly" from folders, apache2 will do nothing with those files. Otherwise webserver apache2 will do all job.