I'm trying to set up nginx so "static.domain.com" can only serve images. This is what I have come up with, but I know it can be done more efficiently. I want to serve 403.html if someone tries to access any .htm, .php or directory (anything else I'm missing?) files. Of course, with the exception of the 403.htm and static.htm files.
Any ideas how I can secure this properly?
server {
    listen xx.xx.xx.xx:80;
    server_name static.domain.com;
    root /www/domain.com/httpdocs;
    index static.htm;
    access_log off;
    error_log /dev/null crit;
    error_page 403 /403.html;

    # Disable access to .htaccess or any other hidden file
    location ~ /\.ht {
        deny all;
    }

    location ~* \.php {
        deny all;
    }

    # Serve static files directly from nginx
    location ~* \.(jpg|jpeg|gif|png|bmp|ico|pdf|flv|swf|exe|html|htm|txt|css|js) {
        add_header Cache-Control public;
        add_header Cache-Control must-revalidate;
        expires 7d;
    }
}
Why not move the images up and then deny all?
location ~* \.(jpg|jpeg|gif|png|bmp|ico|pdf|flv|swf|exe|html|htm|txt|css|js) {
    add_header Cache-Control public;
    add_header Cache-Control must-revalidate;
    expires 7d;
}
location / {
    deny all;
}
"There is no syntax for NOT matching a regular expression. Instead, match the target regular expression and assign an empty block, then use location / to match anything else." (From http://wiki.nginx.org/HttpCoreModule#location)
Edit: Removed "=" from "location /"
To quote the docs:
location = / {
    # matches the query / *only.*
}
location / {
    # matches *any query*, since all queries begin with /, but regular
    # expressions and any longer conventional blocks will be
    # matched first.
}
My bad.
Related
I want to exclude logs for all these extensions: woff, jpg, jpeg, png, gif, ico, css, js, json.
In default.conf I added this location rule:
location ~* \.(woff|jpg|jpeg|png|gif|ico|css|js|json)$ {
access_log off;
}
All extensions were excluded from the logs, except json.
I tried a separate rule like this:
location ~* \.(json)$ {
access_log off;
}
or
location ~ \.json$ {
access_log off;
}
Either way, I still can see json files in the logs.
In the same default.conf I have another rule for the json extension:
location ~* \.(json)$ {
add_header Cache-Control "must-revalidate";
}
Can this be the problem?
Any idea how to solve it?
Fixed by adding the access_log off; rule in the first location for the json extension:
location ~* \.(json)$ {
add_header Cache-Control "must-revalidate";
access_log off;
}
I am creating an NGINX global config file to be added to a website vhost file.
The code I put in the file /etc/nginx/global.d/wordpresscache.conf is:
set $cache_uri $request_uri;
# POST requests and URLs with a query string should always go to PHP
if ($request_method = POST) {
set $cache_uri 'null cache';
}
if ($query_string != "") {
set $cache_uri 'null cache';
}
# Don't cache URIs containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php
|wp-.*.php|/feed/|index.php|wp-comments-popup.php
|wp-links-opml.php|wp-locations.php |sitemap(_index)?.xml
|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $cache_uri 'null cache';
}
# Don't use the cache for logged-in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+
|wp-postpass|wordpress_logged_in") {
set $cache_uri 'null cache';
}
# Use cached or actual file if it exists, otherwise pass request to WordPress
location / {
try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html
$uri $uri/ /index.php;
}
# Cache static files for as long as possible
location ~*.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg
|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid
|midi|wav|bmp|rtf)$ {
expires max;
log_not_found off;
access_log off;
}
The problem is that when I reload the configuration I get this error message:
nginx: [emerg] invalid number of arguments in "location" directive in
/etc/nginx/global.d/wordpresscache.conf:35
However, the structure of that location directive seems good to me. Here is where I got the code from (Tip 7).
Can anyone point out what I am doing wrong?
Edit:
I have tried the following:
location ~*. (ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg
|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid
|midi|wav|bmp|rtf)$ {
expires max;
log_not_found off;
access_log off;
}
location ~*. (ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg
|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid
|midi|wav|bmp|rtf)$ {
expires max;
log_not_found off;
access_log off;
}
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg
|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid
|midi|wav|bmp|rtf)$ {
expires max;
log_not_found off;
access_log off;
}
location ~*\. (ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg
|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid
|midi|wav|bmp|rtf)$ {
expires max;
log_not_found off;
access_log off;
}
But they all give me the same error :(
New Edit. I tried to remove some extensions... and it works. Now I have for testing purposes only:
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf)$ {
expires max;
log_not_found off;
access_log off;
}
and it works. Does anybody know what the maximum number of arguments in parentheses is?
location ~*.(ogg
Missed a space right there, should be:
location ~*. (ogg
The regex in question is a bit off also, because it would match URI /frogg or /blahwav, etc.
The correct way is to escape the dot with \ (and keep the whole regex on one line, since nginx splits directive arguments on whitespace, including line breaks):
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
    expires max;
    log_not_found off;
    access_log off;
}
Same thing applies to
location ~ .php$ {
Should be:
location ~ \.php$ {
All in all, that linked article is not escaping much of regexes, for whatever reason.
I suspect it's due to bad formatting/content sanitizing in whatever custom CMS they use.
Example:
location ~* wp-config.php {
deny all;
}
Would unnecessarily match /wp-configaphp or /wp-configuphp, and even /whateveryouwantmetobewp-configaphp, etc. There is no performance benefit in not escaping stuff in those regex, so yeah - "bad blogging" :-)
Should be:
location ~* /wp-config\.php$ {
deny all;
}
And even better, if you know you're using a single site in webroot directory, use exact matching:
location = /wp-config.php {
deny all;
}
You can also look at the secure NGINX WordPress configuration, which deals with the security-related part of the NGINX-WordPress configuration.
I need to apply the following location rule for every single folder of my app with the exception of /forum and its children:
location ~* \.(?:jpg|jpeg|gif)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
I tried out setting it to location ~* ^/forum/.*\.(?:jpg|jpeg)$ but it doesn't look like it's working the way I want it to.
This is the solution I came up with:
location /forum {
...
}
location / {
location ~* \.(?:jpg|jpeg|gif)$ {
...
}
...
}
Simply separate the location directives and adjust commands accordingly.
How can I exclude all URLs with a directory called dynamic in the following location block:
location ~* \.(?:js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
Here's the entire config; most of it comes from Heroku's PHP nginx buildpack:
http://pastebin.com/xQ4BDtwr
(stackex won't let me post "mostly code")
I would add the following location:
location /path/to/dynamic/ {
location ~* \.js$ {internal;}
}
The key is to override the ~* \.(?:js)$ regex location with a prefix location. Then you don't have to worry about where it appears in your config.
It could be solved with another regex location ~ /dynamic/.*\.js$ {internal;}, but then you would need to be sure it always comes before the ~* \.(?:js)$ location; another problem waiting to happen when your config grows.
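Several of the threads above (the duplicate .json blocks, the /forum exclusion, the "dynamic" directory and the wp-config regex) come down to how nginx picks one location per request: exact match first, then the longest prefix (a "^~" prefix ends the search), then regex locations in file order, first match wins, with nested locations resolved the same way inside the chosen block. The following is an added example, not nginx's own code or any poster's: a small Python model of those documented rules with constructed configs from the threads; the "^~" on the dynamic prefix is an assumption made here so the server-level .js regex is not consulted under that path.

```python
import re
# Added example (not nginx's own code): a model of the documented nginx location
# rules. A location is a dict: mod in {"=", "^~", "", "~", "~*"}, pat, name, nested.
def loc(mod, pat, name, nested=()):
    return {"mod": mod, "pat": pat, "name": name, "nested": list(nested)}

def select_location(locations, uri):
    # Returns the name of the block nginx would use for uri, or None.
    for blk in locations:                       # 1. exact "=" match wins outright
        if blk["mod"] == "=" and blk["pat"] == uri:
            return blk["name"]
    best = None                                 # 2. longest matching prefix
    for blk in locations:
        if blk["mod"] in ("", "^~") and uri.startswith(blk["pat"]):
            if best is None or len(blk["pat"]) > len(best["pat"]):
                best = blk
    if best is not None and best["mod"] == "^~":
        return _descend(best, uri)              # "^~" stops the regex search
    for blk in locations:                       # 3. regexes in file order, first wins
        if blk["mod"] in ("~", "~*"):
            flags = re.IGNORECASE if blk["mod"] == "~*" else 0
            if re.search(blk["pat"], uri, flags):
                return _descend(blk, uri)
    return _descend(best, uri) if best else None   # 4. fall back to the prefix

def _descend(blk, uri):
    # Nested locations are chosen with the same rules inside the selected block.
    return select_location(blk["nested"], uri) or blk["name"]

# Constructed from the json-logging question: the first .json regex in the file
# wins, so "access_log off" in the later duplicate block is never applied.
JSON_CONF = [
    loc("~*", r"\.(json)$", "json-cache"),
    loc("~*", r"\.(woff|jpg|jpeg|png|gif|ico|css|js|json)$", "static-nolog"),
    loc("~*", r"\.(json)$", "json-nolog"),
]
# Constructed from the /forum question: the image regex is nested under "/".
FORUM_CONF = [
    loc("", "/forum", "forum"),
    loc("", "/", "root", nested=[loc("~*", r"\.(?:jpg|jpeg|gif)$", "images")]),
]
# Constructed for the "dynamic" directory; "^~" is an assumption made here.
DYNAMIC_CONF = [
    loc("~*", r"\.(?:js)$", "js-cache"),
    loc("^~", "/path/to/dynamic/", "dynamic", nested=[loc("~*", r"\.js$", "internal")]),
]
# Constructed from the wp-config answer: unescaped "." and a missing "$" over-match.
WP_LOOSE = [loc("~*", r"wp-config.php", "deny"), loc("", "/", "root")]
WP_TIGHT = [loc("~*", r"/wp-config\.php$", "deny"), loc("", "/", "root")]
```

Run select_location(CONF, uri) with your own URIs to see which block a request lands in before relying on a deny or internal rule.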
The index.html page can be accessed, but not spec_runner.html. I want to access two different pages, one for the app, another for tests. Could you help me? Thanks :). My configuration is the following:
location ^~ /p/login { rewrite .* /index.html last; }
location ^~ /specs { index spec_runner.html; }
location ~* ^/(users|books) {
    proxy_pass http://api;
}
location / {
    root /home/user/project;
    proxy_cache off;
    expires -1;
    add_header Cache-Control no-cache;
    add_header Cache-Control private;
}