Dear all,
I've reviewed the documentation and I've improved the default nginx rules for Chevereto. The new recommendation denies access to application directories and it forbids access to any script in the content folders.
Let me know how it goes.
NGINX:
# Deny access to sensitive stuff (application code and the importing folder).
# "return 404" runs in the rewrite phase, before "deny all" is evaluated,
# so clients simply get a 404.
location ~* ^/(app|importing)/ {
    deny all;
    return 404;
}
# Forbid any script in the content folders. Written as a top-level regex
# location placed before the image/asset locations below, because nginx uses
# the first regex location that matches: a block nested under
# ^/(images|content)/ would capture every request in those folders and the
# 404 replacement and CORS header below would never apply to them.
location ~* ^/(images|content)/.*\.(php[345]?|phtml|html?)$ {
    deny all;
    return 403;
}
# Hide build and VCS metadata (grouped so the $ anchor applies to every
# alternative and the dot in .gitignore is literal)
location ~* (composer\.(json|lock)|\.gitignore)$ {
    return 404;
}
# Hide Apache .htaccess / .htpasswd files
location ~* /\.ht {
    return 404;
}
# Image not found replacement
location ~* \.(jpe?g|png|gif|webp)$ {
    log_not_found off;
    error_page 404 /content/images/system/default/404.gif;
}
# CORS header (avoids font rendering issues)
location ~* \.(ttf|ttc|otf|eot|woff|woff2|font\.css|css|js)$ {
    add_header Access-Control-Allow-Origin "*";
}
# PHP front controller
location / {
    index index.php;
    try_files $uri $uri/ /index.php$is_args$query_string;
}
# Single PHP-entrypoint (disables direct access to .php files): "internal"
# makes a direct client request for any *.php return 404; only the try_files
# internal redirect above can reach PHP-FPM.
location ~* \.php$ {
    internal;
    include snippets/fastcgi-php.conf;   # Debian/Ubuntu snippet: fastcgi_params + SCRIPT_FILENAME
    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
}
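A tabletop check of the rules above, added here as an example; it is not part of the original post or of Chevereto itself. It re-encodes each regex location in file order and answers, for a constructed request URI, which location nginx would pick and whether the request is blocked. nginx evaluates `~*` locations case-insensitively, unanchored, in the order they appear, and stops at the first match, so the order of the list is part of the rule set. The script-deny rule is encoded as a single top-level location (`^/(images|content)/.*\.(php[345]?|phtml|html?)$`) placed before the image and asset locations; if the same rule is nested under a plain `^/(images|content)/` block, that outer block wins for every request in those folders and the later image-404 and CORS locations never apply to them. URIs are assumed to be already normalized (percent-decoded, dot segments resolved), which is the form nginx matches against; the sample paths are constructed, not taken from a real log.

```python
"""Simulate which nginx regex location handles a request for the rules above.

Added example (not Chevereto code). Encodes the posted locations in order;
nginx stops at the first regex location that matches, so order matters.
"""
import re

# (name, pattern, outcome) in the same order as the nginx config.
# "~*" locations are case-insensitive and unanchored: re.I plus search().
REGEX_LOCATIONS = [
    ("deny-app-dirs", re.compile(r"^/(app|importing)/", re.I), "404"),
    ("deny-scripts",
     re.compile(r"^/(images|content)/.*\.(php[345]?|phtml|html?)$", re.I), "403"),
    ("deny-metadata", re.compile(r"(composer\.(json|lock)|\.gitignore)$", re.I), "404"),
    ("deny-htfiles", re.compile(r"/\.ht", re.I), "404"),
    ("image-404-gif", re.compile(r"\.(jpe?g|png|gif|webp)$", re.I), "static"),
    ("cors-assets",
     re.compile(r"\.(ttf|ttc|otf|eot|woff|woff2|font\.css|css|js)$", re.I), "static"),
    # "internal" in the .php location: a direct client request gets 404.
    ("php-internal", re.compile(r"\.php$", re.I), "404"),
]


def route(uri):
    """Return (location name, outcome) for a normalized request URI."""
    # Location matching sees only the path; the query string is ignored.
    uri = uri.split("?", 1)[0]
    for name, pattern, outcome in REGEX_LOCATIONS:
        if pattern.search(uri):
            return name, outcome
    # No regex location matched: the prefix location "/" applies and
    # try_files serves an existing file or hands the request to index.php.
    return "front-controller", "try_files"


def is_blocked(uri):
    """True when the request is answered with 403/404 before any file or PHP runs."""
    return route(uri)[1] in ("403", "404")


if __name__ == "__main__":
    # Constructed sample requests (not from a real server log).
    samples = [
        "/app/config.php",
        "/images/2024/01/upload.php",
        "/content/upload/Evil.PhTml",   # case-insensitive match on phtml
        "/images/photo.php.jpg",        # not a script: served as a static image
        "/images/missing.PNG",
        "/composer.lock",
        "/.htaccess",
        "/index.php",                   # direct .php request: 404 via "internal"
        "/content/themes/default/style.css",
        "/upload?foo=bar",              # falls through to the front controller
    ]
    for uri in samples:
        name, outcome = route(uri)
        print(f"{uri:36} -> {name:16} {outcome}")
```

Run it after editing the server block to see at a glance which paths are denied, which are served statically, and which reach index.php; reordering the entries in `REGEX_LOCATIONS` reproduces the effect of reordering the `location` blocks in the real config.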