infra/ansible-role-nginx
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'feature/disallow_dotfiles' into 'master'

Browse source 
disallow access to dotfiles besides .well-known by default

Closes infra/documentation#115

See merge request infra/ansible/roles/nginx!2
This commit is contained in:
psy 2022-03-19 10:32:12 +00:00
commit 3ef51e3be1
3 changed files with 13 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -102,6 +102,9 @@ key: ~
# SSL certificat, mutally exclusive with letsencrypt option # SSL certificat, mutally exclusive with letsencrypt option
crt: ~ crt: ~
# Disallow access to dotfiles besides .well-known by default
disallow_dotfiles: True
``` ```
**locationconfig**: **locationconfig**:

1
defaults/main.yml
View file

@ -45,6 +45,7 @@ nginx_vhosts_defaults:
add_proxy_headers: {} add_proxy_headers: {}
hide_proxy_headers: {} hide_proxy_headers: {}
backend: ~ backend: ~
disallow_dotfiles: True
nginx_streams_defaults: nginx_streams_defaults:
listen: listen:

9
templates/vhost.conf.j2
View file

@ -86,6 +86,15 @@ server {
} }
{% endfor %} {% endfor %}
{% if vhost.disallow_dotfiles %}
# disallow every path starting with a dot except .well-known/
location ~ /\.(?!well-known\/).* {
deny all;
}
{% endif %}
{% if vhost.auth.enable %} {% if vhost.auth.enable %}
auth_basic "restricted area"; auth_basic "restricted area";
auth_basic_user_file {{ vhost.auth.path }}; auth_basic_user_file {{ vhost.auth.path }};