
Updated default nginx configuration

Rodolfo

Dear all,

I've reviewed the documentation and I've improved the default nginx rules for Chevereto. The new recommendation denies access to application directories and forbids access to any script in the content folders.

Let me know how it goes.

NGINX:
    # Deny access to sensitive stuff
    location ~* ^/(app|importing)/ {
        deny all;
        return 404;
    }
    location ~* ^/(images|content)/ {
        fastcgi_pass off;
        default_type "";
        location ~* \.(php[345]?|phtml|html?)$ {
            deny all;
            return 403;
        }
    }
    location ~* (composer\.json|composer\.lock|\.gitignore)$ {
        return 404;
    }
    location ~* /\.ht {
        return 404;
    }
    # Image not found replacement
    location ~* \.(jpe?g|png|gif|webp)$ {
        log_not_found off;
        error_page 404 /content/images/system/default/404.gif;
    }
    # CORS header (avoids font rendering issues)
    location ~* \.(ttf|ttc|otf|eot|woff|woff2|font\.css|css|js)$ {
        add_header Access-Control-Allow-Origin "*";
    }
    # PHP front controller
    location / {
        index index.php;
        try_files $uri $uri/ /index.php$is_args$query_string;
    }
    # Single PHP-entrypoint (disables direct access to .php files)
    location ~* \.php$  {
        internal;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
    }
 
Error for this location, Nginx 1.27.5

NGINX:
    location ~* ^/(images|content)/ {
        fastcgi_pass off;
        default_type "";
        location ~* \.(php[345]?|phtml|html?)$ {
            deny all;
            return 403;
        }
    }


Output:

Bash:
# nginx  -t
nginx: [emerg] no port in upstream "off" in /etc/nginx/sites-enabled/example.conf:20
nginx: configuration file /etc/nginx/nginx.conf test failed

To prevent all access to .php/.html/.phtml files from /images and /content, I simply replaced it with:

NGINX:
location ~* ^/(images|content)/.*\.(php[345]?|phtml|html?)$ {
    deny all;
    return 403;
}
 
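As an added example (not part of this thread or of Chevereto's own code), the following Python script models how nginx routes sample request URIs under the corrected rules, so the deny regex can be checked against the paths it is meant to cover before the config is deployed. It assumes the simplification that this server block contains only regex locations plus the plain `/` prefix, which holds for the configuration posted above.

```python
import re

# Regex locations in the order they appear in the corrected configuration
# (the flattened /images|/content rule replaces the nested block that
# nginx 1.27.5 rejected). nginx tests regex locations in file order and uses
# the first match; only when none matches does the "/" prefix location apply.
# Simplified model: no "=" or "^~" prefix locations exist in this config.
RULES = [
    (r"^/(app|importing)/", "404 deny (application directories)"),
    (r"^/(images|content)/.*\.(php[345]?|phtml|html?)$", "403 deny (script in content folder)"),
    (r"(composer\.json|composer\.lock|\.gitignore)$", "404 (dependency metadata)"),
    (r"/\.ht", "404 (.ht* files)"),
    (r"\.(jpe?g|png|gif|webp)$", "static image (missing file -> default 404.gif)"),
    (r"\.(ttf|ttc|otf|eot|woff|woff2|font\.css|css|js)$", "static asset with CORS header"),
    (r"\.php$", "404 (internal: reachable only through try_files)"),
]
FRONT_CONTROLLER = "front controller (try_files -> /index.php)"


def classify(uri: str) -> str:
    """Return the action the modelled config takes for a normalized URI.

    nginx matches locations against the decoded URI without the query
    string, so callers pass the path already in that form.
    """
    for pattern, action in RULES:
        # "~*" locations are case-insensitive, hence re.IGNORECASE
        if re.search(pattern, uri, re.IGNORECASE):
            return action
    return FRONT_CONTROLLER


def audit(uris):
    """Map each URI to its action so the deny coverage can be reviewed."""
    return {uri: classify(uri) for uri in uris}


if __name__ == "__main__":
    # Constructed sample paths exercising each rule of the config.
    SAMPLES = [
        "/content/images/users/avatar.php",   # script dropped in upload folder
        "/content/images/users/avatar.PhP",   # mixed case still matches ~*
        "/images/gallery/page.phtml",
        "/app/config.php",                    # app dir wins over \.php$ rule
        "/index.php",                         # direct .php hit: internal -> 404
        "/composer.json", "/.htaccess",
        "/content/images/2024/photo.jpg",
        "/album/vacation",                    # routed to the front controller
    ]
    for path, action in audit(SAMPLES).items():
        print(f"{path:40} -> {action}")
```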
@Showfom What catches my attention is the absence of a "no scripting" directive, because the rule says "restrict some.php" but what about files with other extensions? The PHP front controller should take care of that, but please double check it and let me know.
 