Nginx configuration settings

Dear all,
With news of that security issue, I want to share how I have secured my Gibbon server which runs on Nginx, and not Apache. Nginx does not use .htaccess files, so you need to make sure you convert the Apache configuration in those files to Nginx.

In the Gibbon Core there are a couple of .htaccess files. Here are the equivalent “location” directives for Nginx:

```
    # Protect sql files and others on root folder
    location ~* /.*\.(htaccess|htpasswd|ini|log|sh|inc|bak|sql)$ {
        return 403;
    }

    # Protect tcpdf/tools folder
    location /lib/tcpdf/tools {
        return 403;
    }

    # Force downloads of pdf files
    location ~* (.*\.pdf) {
        types { application/octet-stream pdf; }
        default_type application/octet-stream;
    }

    # Block script files inside the uploads folder
    location ~* /uploads/.*\.(php|php3|php4|php5|php7|phtml|asp|jsp|py)$ {
        return 403;
    }
```


I'm going to look through the modules I use, and add the Nginx rules here as well, for the modules that have .htaccess files.

Urko, thanks for this. The modules all upload to /upload, so they don’t have any .htaccess files. The updates to those modules include server side checking of files to prevent undesirable uploads. Ross.

Ah, great, then my work is done :sunglasses:
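
An added check, not part of the original thread: a small Python model of how nginx selects a location, run over the four blocks from the first post, to show that regex order and the `^~` modifier decide whether the 403 rules actually win. The `\.php$` handler block and the sample paths are assumptions, constructed for illustration.

```python
import re

# The four location blocks from the first post, in file order: (modifier, pattern, action).
POSTED = [
    ("~*", r"/.*\.(htaccess|htpasswd|ini|log|sh|inc|bak|sql)$", "403"),
    ("", "/lib/tcpdf/tools", "403"),
    ("~*", r"(.*\.pdf)", "download"),
    ("~*", r"/uploads/.*\.(php|php3|php4|php5|php7|phtml|asp|jsp|py)$", "403"),
]
# Assumption: a typical PHP handler block, not shown in the thread.
PHP = ("~", r"\.php$", "php")

def select(uri, locations, default="static"):
    """Pick an action the way nginx picks a location for a request URI."""
    path = uri.split("?", 1)[0]          # locations never see the query string
    best = None                          # longest matching prefix location
    for mod, pat, action in locations:
        if mod == "=" and path == pat:
            return action                # exact match ends the search
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    if best and best[0] == "^~":
        return best[2]                   # ^~ suppresses the regex pass
    for mod, pat, action in locations:   # regexes: file order, first match wins
        if mod in ("~", "~*"):
            if re.search(pat, path, re.I if mod == "~*" else 0):
                return action
    return best[2] if best else default

def report(locations, paths):
    """Map each sample path to the action the given config would select."""
    return {p: select(p, locations) for p in paths}

if __name__ == "__main__":
    # Constructed sample paths.
    paths = ["/backup.SQL", "/uploads/photo.php", "/lib/tcpdf/tools/x.php", "/docs/a.pdf"]
    for label, conf in (("PHP block first", [PHP] + POSTED), ("PHP block last", POSTED + [PHP])):
        print(label, report(conf, paths))
```

If the PHP handler sits above the uploads rule in your server block, move the rule before it; writing the tcpdf block as `location ^~ /lib/tcpdf/tools` keeps a regex handler from overriding it.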