Dear all,
With news of that security issue, I want to share how I have secured my Gibbon server which runs on Nginx, and not Apache. Nginx does not use .htaccess files, so you need to make sure you convert the Apache configuration in those files to Nginx.
In the Gibbon Core there are a couple of .htaccess files. Here are the equivalent “location” directives for Nginx:
```
# Protect sql files and others on root folder
location ~* /.*\.(htaccess|htpasswd|ini|log|sh|inc|bak|sql)$ {
    return 403;
}

# Protect tcpdf/tools folder
location /lib/tcpdf/tools {
    return 403;
}

# Force downloads of pdf files
location ~* (.*\.pdf) {
    types { application/octet-stream pdf; }
    default_type application/octet-stream;
}

# Block script files in the uploads folder
location ~* /uploads/.*\.(php|php3|php4|php5|php7|phtml|asp|jsp|py)$ {
    return 403;
}
```

I'm going to look through the modules I use, and add the Nginx rules here as well, for the modules that have .htaccess files.
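An added example (not part of the original post, and not Gibbon's own code): a small Python model of how nginx picks a location, run over constructed request paths to check the rules above. The `\.php$` handler, the catch-all `/` location and every sample path are assumptions made for the check.

```python
import re

# Locations from the post, in file order: (modifier, pattern, action).
POST_RULES = [
    ("~*", r"/.*\.(htaccess|htpasswd|ini|log|sh|inc|bak|sql)$", "403"),
    ("", "/lib/tcpdf/tools", "403"),
    ("~*", r"(.*\.pdf)", "download"),
    ("~*", r"/uploads/.*\.(php|php3|php4|php5|php7|phtml|asp|jsp|py)$", "403"),
]
# Assumptions (not in the post): a site-wide PHP handler and a catch-all.
PHP_HANDLER = ("~", r"\.php$", "php")
CATCH_ALL = ("", "/", "static")

AS_POSTED = POST_RULES + [PHP_HANDLER, CATCH_ALL]
PHP_FIRST = [PHP_HANDLER] + POST_RULES + [CATCH_ALL]
# Same rules, but the tcpdf prefix location uses ^~ so regexes are skipped.
HARDENED = [("^~",) + r[1:] if r[1] == "/lib/tcpdf/tools" else r
            for r in POST_RULES] + [PHP_HANDLER, CATCH_ALL]


def select(rules, path):
    """Return the action of the location nginx would pick for a URI path."""
    for mod, pat, action in rules:            # 1. exact match wins outright
        if mod == "=" and pat == path:
            return action
    prefixes = [r for r in rules if r[0] in ("", "^~") and path.startswith(r[1])]
    best = max(prefixes, key=lambda r: len(r[1]), default=None)
    if best and best[0] == "^~":              # 2. longest prefix with ^~: stop
        return best[2]
    for mod, pat, action in rules:            # 3. first matching regex, file order
        if mod in ("~", "~*") and re.search(pat, path, re.I if mod == "~*" else 0):
            return action
    return best[2] if best else "404"         # 4. fall back to longest prefix


# Constructed request paths (file names are made up for the check).
SAMPLES = ["/gibbon.sql", "/config.ini.BAK", "/reports/term1.pdf",
           "/uploads/2024/photo.php", "/lib/tcpdf/tools/readme.txt",
           "/lib/tcpdf/tools/convert.php", "/index.php"]

if __name__ == "__main__":
    for name, rules in [("as posted", AS_POSTED), ("php handler first", PHP_FIRST),
                        ("hardened", HARDENED)]:
        print(name)
        for p in SAMPLES:
            print(f"  {p:32} -> {select(rules, p)}")
```

In this model a plain prefix location for `/lib/tcpdf/tools` loses to a regex PHP handler for `.php` requests unless it is written with `^~`, and the uploads rule only takes effect when it appears before the PHP handler in the file.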