Directory based file access control
Hi, I wanted to set up a DokuWiki on my VPS (in a /wiki subfolder of my HTML base – a WordPress instance is installed in the HTML base folder), and the installation worked without any problems. It's just that there is a persistent security issue: It's still possible to access files within directories that should be protected!
I've done everything that is listed on the DokuWiki security page for Apache and Nginx. What this seems to do is that you can't access the protected directories (for example visiting data or data/ or data/filethatdoesntexist will get you a 403 message), but you can still access files within these protected directories!
Now I've got a general question about this: Is it sufficient to let Apache handle the directory/file access, or do I also have to tell nginx which directories are protected?
So, what do I have to do to actually stop people from accessing the files in the directories that should be protected?
Edit: OK, it seems that I primarily have to work with nginx, because that's in front. So, the current situation is like this: Nginx is now set up so that it spits out a 403 message for anything within the protected directories, except for files with the endings .txt or .png (and perhaps other image formats, haven't tested them yet). Text files which don't have the ending .txt spawn a 403 message. Same goes for .php files and other critical files.
Here's my current line that should exclude access to the files within the protected folders:

```nginx
location ~ /wiki/(data|conf|bin|inc)/ {deny all;}
```

The question is why .txt and .png files seem to be excluded from this rule. There's nothing within the nginx.conf which would justify such special treatment.
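An added example, not taken from the post, DokuWiki or VestaCP, showing one nginx mechanism that produces exactly this symptom and a hardened form of the deny rule. The static-asset location and its position relative to the deny block are assumptions about a typical vhost template, not the poster's actual config; the nginx behaviour itself (regex locations are tried in file order and the first match wins, while a `^~` prefix match suppresses the regex search) is documented nginx semantics.

```nginx
# --- Weak ordering (constructed for illustration, assumed vhost layout) ---
# Both blocks are regex locations. nginx checks regex locations in the order
# they appear and stops at the FIRST match. A request for
# /wiki/data/pages/start.txt matches the asset block first and is served;
# /wiki/data/pages/start.php does not match it, falls through to the deny
# block, and gets 403. That is precisely the ".txt and .png slip through"
# pattern, even though nothing "special-cases" those extensions on purpose.
server {
    location ~* \.(png|jpe?g|gif|txt|css|js)$ {
        expires 30d;
    }

    location ~ /wiki/(data|conf|bin|inc)/ {
        deny all;
    }
}

# --- Hardened ---
# ^~ turns each rule into a prefix location that, when it is the longest
# matching prefix, ends the search without consulting any regex location.
# File order no longer matters, and the .php handler (usually another regex
# location) is bypassed too, so nothing under these paths is served or
# executed. Prefix locations cannot use alternation, hence one per directory.
server {
    location ^~ /wiki/data/ { deny all; }
    location ^~ /wiki/conf/ { deny all; }
    location ^~ /wiki/bin/  { deny all; }
    location ^~ /wiki/inc/  { deny all; }

    location ~* \.(png|jpe?g|gif|txt|css|js)$ {
        expires 30d;
    }
}
```

After `nginx -t` and a reload, verify with a file that really exists, e.g. `curl -sI https://<host>/wiki/data/pages/start.txt`, which must now return 403 rather than 200.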