More secure nginx configuration examples #1966

Merged
merged 1 commit into from
Apr 4, 2023

Conversation

LorenzoLeonardini
Contributor

The current Nginx example configuration in the docs is potentially vulnerable.
This PR fixes that to avoid people introducing potential issues in their apps when copy-pasting that configuration.

Explanation

This is the current configuration:

location /static {
	alias <path-to-your-application>/static;
	expires 30d;
}

In case there are two separate folders, <path-to-your-application>/static and <path-to-your-application>/static_secret, this setup would allow an attacker to access all the files contained in /static_secret just by requesting http://[domain]/static_secret/[file]. Adding a final slash ensures only the static folder is served.

location /static/ {
	alias <path-to-your-application>/static/;
	expires 30d;
}

Note that as we add the slash to alias <path-to-your-application>/static/, it's extremely important that we add the final slash to location /static/ as well, as a lack of this would lead to a much more serious path traversal vulnerability [1][2].
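The following is an added worked model of the three configurations discussed in this PR (the original, the fixed one, and the mismatched variant with a slash on `alias` but not on `location`); it is example code written for this page, not code from the PR or from the project's documentation. It applies the rule nginx uses for a prefix `location` with `alias`: the matched prefix is stripped from the normalised request URI and the remainder is appended to the `alias` string with no separator inserted. The application root `/srv/app` and the probe file names (`app.js`, `keys.txt`, `config.py`) are assumptions chosen for the example.

```python
import posixpath

# Assumed application root; stands in for <path-to-your-application> in the PR text.
APP_ROOT = "/srv/app"
STATIC_DIR = f"{APP_ROOT}/static"

# The three configurations discussed: original, fixed, and the mismatched
# variant the PR warns about (trailing slash on alias but not on location).
CONFIGS = {
    "original":   ("/static",  f"{APP_ROOT}/static"),
    "fixed":      ("/static/", f"{APP_ROOT}/static/"),
    "mismatched": ("/static",  f"{APP_ROOT}/static/"),
}

# Constructed probe URIs; the file names are invented for this example.
PROBES = [
    "/static/app.js",           # legitimate request
    "/static_secret/keys.txt",  # sibling directory, the case the PR fixes
    "/static../config.py",      # alias traversal probe: 'static..' is one segment
    "/static/../config.py",     # plain traversal, collapsed by URI normalisation
]


def normalize_uri(uri: str) -> str:
    """Collapse '.' and '..' segments the way nginx does before location
    matching (merge_slashes assumed on). A segment such as 'static..' is an
    ordinary name and survives, which is what the alias probe relies on."""
    trailing = uri.endswith("/")
    out = []
    for seg in uri.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out) + ("/" if trailing and out else "")


def alias_path(location: str, alias: str, uri: str):
    """Filesystem path nginx opens for a prefix location with alias, or None
    when the location does not match: the matched prefix is stripped and the
    remainder is appended verbatim to the alias value, with no separator."""
    uri = normalize_uri(uri)
    if not uri.startswith(location):
        return None
    return alias + uri[len(location):]


def is_under(path: str, directory: str) -> bool:
    """True if the normalised filesystem path stays inside `directory`."""
    norm = posixpath.normpath(path)
    base = posixpath.normpath(directory)
    return norm == base or norm.startswith(base + "/")


def evaluate(config_name: str) -> dict:
    """Map each probe URI to (resolved path, served from /static?) for a config."""
    location, alias = CONFIGS[config_name]
    results = {}
    for uri in PROBES:
        path = alias_path(location, alias, uri)
        results[uri] = (path, path is not None and is_under(path, STATIC_DIR))
    return results


if __name__ == "__main__":
    for name in CONFIGS:
        print(f"== {name}")
        for uri, (path, ok) in evaluate(name).items():
            print(f"  {uri:26} -> {path!s:40} {'ok' if ok else 'OUTSIDE /static'}")
```

Running it shows the three behaviours side by side: the original configuration serves `/static_secret/keys.txt` from `/srv/app/static_secret/keys.txt`; the fixed configuration does not match that URI at all (nor `/static../config.py`); and the mismatched configuration resolves `/static../config.py` to `/srv/app/static/../config.py`, i.e. a file in the parent of the alias directory. Because nginx collapses `..` segments in the URI before matching, the reach of that traversal is the alias's parent directory, which in this layout is the application root.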

@miguelgrinberg miguelgrinberg merged commit 9b861ce into miguelgrinberg:main Apr 4, 2023