From 8cb029a55e471e1ece3a8a2d7bba00975a6f2d17 Mon Sep 17 00:00:00 2001
From: frju365
Date: Wed, 28 Nov 2018 01:21:28 +0100
Subject: [PATCH] Better Configuration of nginx (#564)

* path-traversal
* [fix] try a patch for path-traversal
* Use more_set_headers insta
---
 data/templates/nginx/server.tpl.conf | 18 +++++++++---------
 src/yunohost/certificate.py | 2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/data/templates/nginx/server.tpl.conf b/data/templates/nginx/server.tpl.conf
index 464639952..ee20c29c9 100644
--- a/data/templates/nginx/server.tpl.conf
+++ b/data/templates/nginx/server.tpl.conf
@@ -11,7 +11,7 @@ server {
 return 301 https://$http_host$request_uri;
 }
 
- location /.well-known/autoconfig/mail {
+ location /.well-known/autoconfig/mail/ {
 alias /var/www/.well-known/{{ domain }}/autoconfig/mail;
 }
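Review bot: The trailing slash added to `location /.well-known/autoconfig/mail/` is not mirrored on the `alias` context line below it, and nginx's `alias` substitutes its value for the matched location prefix, so a request for `/.well-known/autoconfig/mail/X` would now resolve to `/var/www/.well-known/{{ domain }}/autoconfig/mailX` instead of a file inside that directory. The slash was presumably added to close the off-by-slash traversal (`/.well-known/autoconfig/mail../`) that a prefix location without a trailing slash permits when paired with `alias`; that fix only holds if both sides agree. Change the alias line to `alias /var/www/.well-known/{{ domain }}/autoconfig/mail/;`. Note also that the bare path `/.well-known/autoconfig/mail` (no trailing slash) no longer matches this block, which is probably acceptable but worth confirming against the mail clients that fetch autoconfig.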
@@ -51,14 +51,14 @@ server {
 # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
 # https://wiki.mozilla.org/Security/Guidelines/Web_Security
 # https://observatory.mozilla.org/
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
- add_header Content-Security-Policy "upgrade-insecure-requests";
- add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Frame-Options "SAMEORIGIN";
+ more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
+ more_set_headers "Content-Security-Policy : upgrade-insecure-requests";
+ more_set_headers "Content-Security-Policy-Report-Only : default-src https: data: 'unsafe-inline' 'unsafe-eval'";
+ more_set_headers "X-Content-Type-Options : nosniff";
+ more_set_headers "X-XSS-Protection : 1; mode=block";
+ more_set_headers "X-Download-Options : noopen";
+ more_set_headers "X-Permitted-Cross-Domain-Policies : none";
+ more_set_headers "X-Frame-Options : SAMEORIGIN";
 
 {% if domain_cert_ca == "Let's Encrypt" %}
 # OCSP settings

diff --git a/src/yunohost/certificate.py b/src/yunohost/certificate.py
index 049eeb0f4..801741b31 100644
--- a/src/yunohost/certificate.py
+++ b/src/yunohost/certificate.py
@@ -466,7 +466,7 @@ def _configure_for_acme_challenge(auth, domain):
 nginx_conf_file = "%s/000-acmechallenge.conf" % nginx_conf_folder
 
 nginx_configuration = '''
-location ^~ '/.well-known/acme-challenge'
+location ^~ '/.well-known/acme-challenge/'
 {
 default_type "text/plain";
 alias %s;
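Review bot: `more_set_headers` comes from the third-party headers-more module rather than stock nginx, and this patch touches only the two files in its diffstat, so unless the module dependency (e.g. the Debian package that ships it) is declared elsewhere, nginx will reject the configuration with an unknown-directive error and the whole server block goes down with it. Unlike `add_header`, `more_set_headers` also replaces an existing header of the same name, so where these server-level directives apply to a proxied app's responses, an app that sends its own stricter `Content-Security-Policy` would have it overwritten with just `upgrade-insecure-requests` — that should be a deliberate decision rather than a side effect. The comment block above only cites the Mozilla guidelines; I'd add a line explaining the choice, e.g. `# more_set_headers (headers-more module) rather than add_header: sent on every status code, including 4xx/5xx, and replaces a same-named header from the upstream`.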
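Review bot: With the location now ending in `/`, the directory substituted for `%s` on the `alias %s;` line must end in `/` as well, because nginx's `alias` replaces the matched location prefix with its value: if the webroot constant lacks the slash, a request for `/.well-known/acme-challenge/TOKEN` resolves to `<webroot>TOKEN` and every Let's Encrypt HTTP-01 validation fails. The operand of the `%` formatting lies outside this hunk, so I cannot verify it here; either make the template `alias %s/;` and strip any trailing slash from the constant where it is defined, or assert that invariant next to the constant. `_configure_for_acme_challenge` continues past the end of the hunk.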