fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-04 01:01:41 +09:00
Code Issues Projects Releases Packages Wiki Activity

Improve precision and security of .htaccess and nginx configuration

Browse source 
- Block direct access to HTML and XML files in all modules, themes, etc.
- Block direct access to environment information in files/env/*
- Block direct access to dotfiles and other developer resources
- Block direct access to cache store
- Block PHP execution in upload directory (for additional protection)
- Ensure consitency between Apache and nginx rewrite rules
- Remove redundant rewrite rules
This commit is contained in:
Kijin Sung 2016-06-18 13:16:02 +09:00
parent 0f82bc6d57
commit e2828ed155
2 changed files with 26 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

20
.htaccess
View file

@ -1,21 +1,17 @@
RewriteEngine On RewriteEngine On
# reserve Rhymix Layout Template Source File (*.html) # block direct access to templates, XML schema files, config files, dotfiles, environment, etc.
RewriteRule ^(common|layouts|m.layouts)/(.+)\.html$ - [L,F] RewriteCond %{REQUEST_URI} !/modules/editor/(skins|styles)/
# reserve Rhymix Template Source Files (*.html) RewriteRule ^(addons|common|files/ruleset|(m\.)?layouts|modules|plugins|themes|widgets|widgetstyles)/.+\.(html|xml)$ - [L,F]
RewriteCond %{REQUEST_URI} !/modules/editor/ RewriteRule ^files/(attach|config|cache/store)/.+\.php$ - [L,F]
RewriteRule /(skins|m.skins)/(.+)\.html$ - [L,F] RewriteRule ^files/env/ - [L,F]
RewriteRule ^(\.|codeception\.|composer\.|Gruntfile\.js|package\.json|CONTRIBUTING|COPYRIGHT|LICENSE|README) - [L,F]
# conf, query, schema
RewriteRule ^(modules|addons|widgets)/(.+)/(conf|queries|schemas)/(.+)\.xml$ ./index.php [L]
# static files # static files
RewriteCond %{SCRIPT_FILENAME} !-f RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^(.+)/files/(member_extra_info|attach|cache|faceOff)/(.*) ./files/$2/$3 [L] RewriteRule ^(.+)/(addons|files|layouts|m\.layouts|modules|widgets|widgetstyles)/(.*) ./$2/$3 [L]
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule ^(.+)/(files|modules|widgets|widgetstyles|layouts|m.layouts|addons)/(.*) ./$2/$3 [L]
# rss , blogAPI # rss, blogAPI
RewriteRule ^(rss|atom)$ ./index.php?module=rss&act=$1 [L] RewriteRule ^(rss|atom)$ ./index.php?module=rss&act=$1 [L]
RewriteRule ^([a-zA-Z0-9_]+)/(rss|atom|api)$ ./index.php?mid=$1&act=$2 [L] RewriteRule ^([a-zA-Z0-9_]+)/(rss|atom|api)$ ./index.php?mid=$1&act=$2 [L]
RewriteRule ^([a-zA-Z0-9_]+)/([a-zA-Z0-9_]+)/(rss|atom|api)$ ./index.php?vid=$1&mid=$2&act=$3 [L] RewriteRule ^([a-zA-Z0-9_]+)/([a-zA-Z0-9_]+)/(rss|atom|api)$ ./index.php?vid=$1&mid=$2&act=$3 [L]

26
common/manual/server_config/rhymix-nginx.conf
View file

@ -1,12 +1,22 @@
# conf, query, schema, skins, layouts, m.layouts # block direct access to templates, XML schemas, config files, dotfiles, environment info, etc.
rewrite ^/(modules|addons|widgets|(m\.)?layouts)/(.+)\.(html|xml)$ /index.php last; location ~ ^/modules/editor/(skins|styles)/.+\.html$ {
# pass
}
location ~ ^/(addons|common|files/ruleset|(m\.)?layouts|modules|plugins|themes|widgets|widgetstyles)/.+\.(html|xml)$ {
return 403;
}
location ~ ^/files/(attach|config|cache/store)/.+\.php$ {
return 403;
}
location ~ ^/files/env/ {
return 403;
}
location ~ ^/(\.|codeception\.|composer\.|Gruntfile\.js|package\.json|CONTRIBUTING|COPYRIGHT|LICENSE|README) {
return 403;
}
# reserve setting files # fix incorrect relative URLs (for legacy support)
rewrite ^/files/config/(.+)\.php$ /index.php last; rewrite ^/(.+)/(addons|files|layouts|m\.layouts|modules|widgets|widgetstyles)/(.*) /$2/$3 last;
# static files
rewrite ^/(.+)/files/(member_extra_info|attach|cache|faceOff)/(.*) /files/$2/$3 last;
rewrite ^/(.+)/(files|modules|widgets|widgetstyles|layouts|m.layouts|addons)/(.*) /$2/$3 last;
# rss, blogAPI # rss, blogAPI
rewrite ^/(rss|atom)$ /index.php?module=rss&act=$1 last; rewrite ^/(rss|atom)$ /index.php?module=rss&act=$1 last;