From b956e9b389124a5daa2281d8a74ab4c474354c4a Mon Sep 17 00:00:00 2001 From: Josue-T Date: Fri, 12 Jan 2018 22:23:14 +0100 Subject: [PATCH 1/4] Force https Actually we can access to friendica without encryption. So force the connexion to be always encrypted. --- conf/nginx.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/conf/nginx.conf b/conf/nginx.conf index d0361fa..defb298 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -31,6 +31,10 @@ location __PATH__ { alias __FINALPATH__/; +if ($scheme = http) { + rewrite ^ https://$server_name$request_uri? permanent; +} + rewrite ^ https://$server_name$request_uri? permanent; #allow uploads up to 20MB in size From 40df12542bdcd712b7b1bf628b1aee88c3590f5d Mon Sep 17 00:00:00 2001 From: Josue-T Date: Thu, 18 Jan 2018 23:27:09 +0100 Subject: [PATCH 2/4] Fix rewrite instruction --- conf/nginx.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index defb298..a3d0747 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -34,8 +34,6 @@ alias __FINALPATH__/; if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; } - -rewrite ^ https://$server_name$request_uri? permanent; #allow uploads up to 20MB in size client_max_body_size 20m; @@ -93,8 +91,10 @@ rewrite ^ https://$server_name$request_uri? permanent; #.htaccess file from Friendica converted using http://winginx.com/en/htaccess location ~ "(^|/)\.git" { return 403;} autoindex off; - location / { if (!-e $request_filename) { rewrite ^(.*)$ /index.php?pagename=$1;} - } + if (!-e $request_filename) { + rewrite ^(.*)$ /index.php?pagename=$1; +} + #deny access to all dot files location ~ /\. { From 57fdba3a147f073c2cc63ea1fee4847605af9d95 Mon Sep 17 00:00:00 2001 From: Josue-T Date: Thu, 18 Jan 2018 23:29:59 +0100 Subject: [PATCH 3/4] Fix Indentation --- conf/nginx.conf | 148 ++++++++++++++++++++++++------------------------ 1 file changed, 75 insertions(+), 73 deletions(-) 
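Review bot: The redirect added as `if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; }` inside `location __PATH__` uses the `if`-in-location form that nginx itself documents as fragile; `return 301 https://$server_name$request_uri;` inside the same `if` is the safer directive, and if the surrounding server block is under your control the redirect belongs in a dedicated `listen 80` server rather than in this location. The trailing `?` is load-bearing because `$request_uri` already carries the query string, so a comment such as `# $request_uri already includes the query string; the trailing ? stops nginx appending $args again` would keep it from being "cleaned up" later. A redirect only protects requests after the first plaintext one, so if the HTTPS side does not already send it (not visible here), `add_header Strict-Transport-Security "max-age=63072000" always;` (value is an example) closes that gap. The enclosing `location __PATH__ {` block ends outside the hunk.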
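Review bot: The new location-level fallback `if (!-e $request_filename) { rewrite ^(.*)$ /index.php?pagename=$1; }` builds the query from `$1`, which nginx captures from the normalized, percent-decoded URI, so encoded delimiter characters in the path are decoded straight into the query string; the last commit in this series ("Fix nginx security Issue #1") moves the other two front-controller rewrites off the decoded URI for that reason but leaves this one on `$1`, so it should be treated the same way. This block also duplicates the `try_files $uri $uri/ /index.php?$args;` fallback already present in this location (visible in the indentation commit's hunk) with a different parameter convention (`pagename=` versus none), so either one of them goes or a comment like `# try_files above is the primary fallback; this rewrite only covers …` states which one is expected to win. The replacement `/index.php` is resolved against the server root rather than `__PATH__`, which looks like it only works when `__PATH__` is `/` — worth confirming against the template. The enclosing `location __PATH__ {` block starts outside the hunk.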
diff --git a/conf/nginx.conf b/conf/nginx.conf
index a3d0747..854795e 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -29,78 +29,80 @@ # You have Friendica installed in /var/www/friendica ## location __PATH__ { -alias __FINALPATH__/; + alias __FINALPATH__/; -if ($scheme = http) { - rewrite ^ https://$server_name$request_uri? permanent; + if ($scheme = http) { + rewrite ^ https://$server_name$request_uri? permanent; + } + + #allow uploads up to 20MB in size + client_max_body_size 20m; + client_body_buffer_size 128k; + + + #Default indexes and catch-all + index index.php; + try_files $uri $uri/ /index.php?$args; + + #Prevent useless logs + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # make sure webfinger and other well known services aren't blocked + # by denying dot files and rewrite request to the front controller + location ^~ /.well-known/ { + allow all; + rewrite ^/(.*) /index.php?pagename=$uri&$args last; + } + + #statically serve these file types when possible + #otherwise fall back to front controller + #allow browser to cache them + #added .htm for advanced source code editor library + location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ { + expires 30d; + try_files $uri /index.php?pagename=$uri&$args; + } + + #block these file types + location ~* \.(tpl|md|tgz|log|out)$ { + deny all; + } + + #Execute and serve PHP files + location ~ [^/]\.php(/|$) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param REMOTE_USER $remote_user; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + + #.htaccess file from Friendica converted using http://winginx.com/en/htaccess + location ~ "(^|/)\.git" { + return 403; + } + autoindex off; + if (!-e $request_filename) { + rewrite ^(.*)$ /index.php?pagename=$1; + } + + + #deny access to all dot files + location ~ /\. 
{ + deny all; + } + + #Include SSOWAT user panel. + include conf.d/yunohost_panel.conf.inc; } - -#allow uploads up to 20MB in size - client_max_body_size 20m; - client_body_buffer_size 128k; - - -#Default indexes and catch-all - index index.php; - try_files $uri $uri/ /index.php?$args; - -#Prevent useless logs - location = /favicon.ico { - log_not_found off; - access_log off; - } - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - -# make sure webfinger and other well known services aren't blocked -# by denying dot files and rewrite request to the front controller - location ^~ /.well-known/ { - allow all; - rewrite ^/(.*) /index.php?pagename=$uri&$args last; - } - -#statically serve these file types when possible -#otherwise fall back to front controller -#allow browser to cache them -#added .htm for advanced source code editor library - location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ { - expires 30d; - try_files $uri /index.php?pagename=$uri&$args; - } - -#block these file types - location ~* \.(tpl|md|tgz|log|out)$ { - deny all; - } - -#Execute and serve PHP files - location ~ [^/]\.php(/|$) { - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass unix:/var/run/php5-fpm.sock; - fastcgi_index index.php; - include fastcgi_params; - fastcgi_param REMOTE_USER $remote_user; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param SCRIPT_FILENAME $request_filename; - } - - #.htaccess file from Friendica converted using http://winginx.com/en/htaccess - location ~ "(^|/)\.git" { return 403;} - autoindex off; - if (!-e $request_filename) { - rewrite ^(.*)$ /index.php?pagename=$1; -} - - - #deny access to all dot files - location ~ /\. { - deny all; - } - - #Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; - } From 83b68e639bf427b6274d3919978ad8d31ee41256 Mon Sep 17 00:00:00 2001 
From: Josue-T
Date: Thu, 18 Jan 2018 23:29:59 +0100
Subject: [PATCH 4/4] Fix nginx security Issue #1

---
 conf/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 854795e..6d7ea16 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -60,7 +60,7 @@ location __PATH__ {
 # by denying dot files and rewrite request to the front controller
 location ^~ /.well-known/ {
 allow all;
- rewrite ^/(.*) /index.php?pagename=$uri&$args last;
+ rewrite ^/(.*) /index.php?pagename=$request_uri&$args last;
 }
 
 #statically serve these file types when possible
@@ -69,7 +69,7 @@ location __PATH__ {
 #added .htm for advanced source code editor library
 location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
 expires 30d;
- try_files $uri /index.php?pagename=$uri&$args;
+ try_files $uri /index.php?pagename=$request_uri&$args;
 }
 
 #block these file types
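Review bot: `$request_uri` includes the query string, so `pagename=$request_uri&$args` passes the arguments twice and makes the `pagename` value itself end in `?…` whenever the request has a query; the first hunk's `rewrite ^/(.*) /index.php?pagename=$request_uri&$args last;` and the second hunk's `try_files $uri /index.php?pagename=$request_uri&$args;` both have this problem. The apparent intent of Issue #1 — use the raw, still-encoded path instead of the decoded `$uri` — is sound, but the path has to be separated from the query first, e.g. an http-level `map $request_uri $raw_path { ~^(?<p>[^?]*) $p; }` followed by `pagename=$raw_path&$args` on both lines (the `map` cannot live inside this location, so it may need the platform's server template). Whichever variant is chosen, a comment on both lines such as `# use the raw request path here; $uri is percent-decoded and would let path characters reach the query string` records why these differ from the usual `$uri` form. Neither hunk shows the start or end of the enclosing `location __PATH__ {` block.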