
Updated default nginx configuration

Rodolfo (Chevereto Staff, Administrator)
Dear all,

I've reviewed the documentation and I've improved the default nginx rules for Chevereto. The new recommendation denies access to application directories and forbids access to any script in the content folders.

Let me know how it goes.

NGINX:
    # Deny access to sensitive stuff
    location ~* ^/(app|importing)/ {
        deny all;
        return 404;
    }
    location ~* ^/(images|content)/ {
        fastcgi_pass off;
        default_type "";
        location ~* \.(php[345]?|phtml|html?)$ {
            deny all;
            return 403;
        }
    }
    location ~* composer\.json|composer\.lock|.gitignore$ {
        return 404;
    }
    location ~* /\.ht {
        return 404;
    }
    # Image not found replacement
    location ~* \.(jpe?g|png|gif|webp)$ {
        log_not_found off;
        error_page 404 /content/images/system/default/404.gif;
    }
    # CORS header (avoids font rendering issues)
    location ~* \.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$ {
        add_header Access-Control-Allow-Origin "*";
    }
    # PHP front controller
    location / {
        index index.php;
        try_files $uri $uri/ /index.php$is_args$query_string;
    }
    # Single PHP-entrypoint (disables direct access to .php files)
    location ~* \.php$  {
        internal;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
    }
 
Error for this location, Nginx 1.27.5

NGINX:
    location ~* ^/(images|content)/ {
        fastcgi_pass off;
        default_type "";
        location ~* \.(php[345]?|phtml|html?)$ {
            deny all;
            return 403;
        }
    }


Output:

Bash:
# nginx  -t
nginx: [emerg] no port in upstream "off" in /etc/nginx/sites-enabled/example.conf:20
nginx: configuration file /etc/nginx/nginx.conf test failed

To prevent all access to .php/.html/.phtml files from /images and /content, I simply replaced it with

NGINX:
location ~* ^/(images|content)/.*\.(php[345]?|phtml|html?)$ {
    deny all;
    return 403;
}
@Showfom What catches my attention is the absence of a "no scripting" directive, because the rule says "restrict some.php" but what about files with other extensions? The PHP front controller should take care of that, but please double check it and let me know.
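As an added example (not the configuration posted by Rodolfo or Showfom), the block below combines Showfom's working deny rule with an allow-list of image MIME types, so that an upload with any other extension is served as an opaque download instead of markup or a script. It assumes only images need to be served from /images and /content; the socket and snippet paths are taken from the thread, and the extra extensions in the deny list are an assumption.

```nginx
# Added example, not the configuration posted in this thread.
# nginx checks regex locations in file order and uses the first match,
# so this block must appear BEFORE the generic \.php$ handler below.
location ~* ^/(images|content)/ {
    # Script-like extensions: refuse outright (Showfom's rule, nested).
    # phar/shtml are added here as an assumption beyond the thread's list.
    location ~* \.(php[345]?|phtml|phar|shtml|html?)$ {
        deny all;
        return 403;
    }
    # A local types{} table replaces the global mime.types lookup inside
    # this location: only the listed image types keep a real MIME type,
    # everything else (e.g. a stray .svg or .xhtml upload) falls back to
    # application/octet-stream and is not rendered by the browser. This
    # covers the "other extensions" concern without the invalid
    # `fastcgi_pass off;` that nginx -t rejected above.
    types {
        image/jpeg  jpg jpeg;
        image/png   png;
        image/gif   gif;
        image/webp  webp;
    }
    default_type application/octet-stream;
    add_header X-Content-Type-Options nosniff;
    try_files $uri =404;
}

# Only requests routed here internally (the try_files fallback in the
# front controller) reach PHP-FPM; a direct request for /anything.php
# is answered with 404 because of `internal`.
location ~* \.php$ {
    internal;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
}
```

Note that `add_header` inside a location replaces, rather than extends, any `add_header` set at the server level, and that the CORS rule for fonts/css/js in Rodolfo's config will no longer match paths under /images or /content once this block precedes it; extend the `types{}` list if the install serves such assets from those folders.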