Vesta Control Panel - Forum

Directory based file access control

Questions regarding the Web Server
Apache + Nginx, Nginx + PHP5-FPM
Post by Radivis » Fri Jan 30, 2015 12:17 pm

Hi, I wanted to set up a DokuWiki on my VPS (in a /wiki subfolder of my HTML base – a WordPress instance is installed in the HTML base folder), and the installation worked without any problems. It's just that there is a persistent security issue: It's still possible to access files within directories that should be protected!

I've done everything that is listed on the DokuWiki security page for Apache and Nginx. What this seems to do is that you can't access the protected directories (for example visiting data or data/ or data/filethatdoesntexist will get you a 403 message), but you can still access files within these protected directories!

Now I've got a general question about this: Is it sufficient to let Apache handle the directory/file access, or do I also have to tell nginx which directories are protected?

So, what do I have to do to actually stop people from accessing the files in the directories that should be protected?

Edit: Ok, it seems that I primarily have to work with nginx, because that's in front. So, the current situation is like this: Nginx is now set up so that it spits out a 403 message for anything within the protected directories, except for files with the endings .txt or .png (and perhaps other image formats, haven't tested them yet). Text files which don't have the ending .txt spawn a 403 message. Same goes for .php files and other critical files.

Here's my current line that should exclude access to the files within the protected folders:

location ~ /wiki/(data|conf|bin|inc)/ {deny all;}
The question is why .txt and .png files seem to be excluded from this rule. There's nothing within the nginx.conf which would justify such special treatment.
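
A check for the situation described above, as an added example that is not part of the original post: it requests files that really exist under the protected directories (the post notes that nonexistent names already return 403) and sorts them by the status the server returns. The probe paths are assumed to exist in a stock DokuWiki install, `wiki.example` is a placeholder host, and `constructed_status` is a constructed stand-in that mimics the behaviour the post reports.

```python
import re
import urllib.error
import urllib.request

# Assumption: files present in a stock DokuWiki install; adjust to your tree.
PROBE_PATHS = (
    "data/pages/wiki/dokuwiki.txt",
    "data/media/wiki/dokuwiki-128.png",
    "conf/dokuwiki.php",
    "conf/users.auth.php",
    "inc/init.php",
    "bin/dwpage.php",
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as an HTTPError instead of following it


def http_status(url, timeout=5):
    """GET url and return the status code, including 3xx/4xx/5xx."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, paths=PROBE_PATHS, get_status=http_status):
    """Sort paths into denied (403), inconclusive (404) and exposed (anything else)."""
    report = {"denied": [], "exposed": [], "inconclusive": []}
    for path in paths:
        status = get_status(base_url.rstrip("/") + "/" + path)
        # A 404 proves nothing: the file may simply not exist on this install.
        bucket = {403: "denied", 404: "inconclusive"}.get(status, "exposed")
        report[bucket].append((path, status))
    return report


def constructed_status(url):
    """Constructed stand-in for the server behaviour reported in the post."""
    return 200 if re.search(r"\.(txt|png)$", url) else 403


if __name__ == "__main__":
    # Placeholder host; drop the get_status argument to probe a live server.
    print(audit("https://wiki.example/wiki", get_status=constructed_status))
```

Anything listed under `exposed` is being served despite the deny rule and should be re-tested after each configuration change.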