From 81f7b5337c016562cccbe3cdd94fcbda1ca329f9 Mon Sep 17 00:00:00 2001 From: psy Date: Sat, 19 Mar 2022 10:32:12 +0000 Subject: [PATCH 1/3] disallow access to dotfiles besides .well-known by default --- README.md | 3 +++ defaults/main.yml | 1 + templates/vhost.conf.j2 | 9 +++++++++ 3 files changed, 13 insertions(+) diff --git a/README.md b/README.md index 5f2e89b..8c1d5a7 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ key: ~ # SSL certificat, mutally exclusive with letsencrypt option crt: ~ + +# Disallow access to dotfiles besides .well-known by default +disallow_dotfiles: True ``` **locationconfig**: diff --git a/defaults/main.yml b/defaults/main.yml index a7c56a1..86ffecf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -45,6 +45,7 @@ nginx_vhosts_defaults: add_proxy_headers: {} hide_proxy_headers: {} backend: ~ + disallow_dotfiles: True nginx_streams_defaults: listen: diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2 index bbffbec..255d316 100644 --- a/templates/vhost.conf.j2 +++ b/templates/vhost.conf.j2 @@ -86,6 +86,15 @@ server { } {% endfor %} + + {% if vhost.disallow_dotfiles %} + # disallow every path starting with a dot except .well-known/ + location ~ /\.(?!well-known\/).* { + deny all; + } + {% endif %} + + {% if vhost.auth.enable %} auth_basic "restricted area"; auth_basic_user_file {{ vhost.auth.path }}; From 1a90bb657aefc982b1ccc4055acf92f12c83c68a Mon Sep 17 00:00:00 2001 From: Julian Rother Date: Wed, 3 Aug 2022 22:33:40 +0200 Subject: [PATCH 2/3] Add date_timezone php.ini option --- defaults/main.yml | 1 + templates/php-fpm/php.ini.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 86ffecf..e9ce644 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -76,3 +76,4 @@ phpinidefault: post_max_size: 64M upload_max_filesize: 64M memory_limit: 128M + date_timezone: UTC 
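Review bot: The new `location ~ /\.(?!well-known\/).*` block is emitted after the `{% endfor %}` of the per-vhost location loop, and nginx selects the first regex location in file order (and skips regex locations entirely once a `^~` prefix location has matched), so any regex or `^~` location generated by that loop — a typical `~ \.php$` handler, for instance — would be chosen for a path like `/.hidden/x.php` before this deny rule is consulted; the loop body is outside the hunk, so this is inferred from placement only. Emitting the block before the loop, or stating in the README line that operator-defined regex locations take precedence over `disallow_dotfiles`, would close that gap. Separately, `deny all` answers 403, which confirms that a dotfile exists at that path; `return 404;` does not, and the trailing `.*` in the pattern is redundant: `location ~ /\.(?!well-known/) { return 404; }`. The enclosing `server {` block starts and ends outside the hunk.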
diff --git a/templates/php-fpm/php.ini.j2 b/templates/php-fpm/php.ini.j2 index 7a2c89c..9430046 100644 --- a/templates/php-fpm/php.ini.j2 +++ b/templates/php-fpm/php.ini.j2 @@ -925,7 +925,7 @@ cli_server.color = On [Date] ; Defines the default timezone used by the date functions ; http://php.net/date.timezone -date.timezone = "UTC" +date.timezone = "{{ phpini.date_timezone }}" ; http://php.net/date.default-latitude ;date.default_latitude = 31.7667 From 5a3a51e1be9ffcfa26b90c9b6b5a07243270c384 Mon Sep 17 00:00:00 2001 From: Julian Rother Date: Thu, 17 Nov 2022 19:57:28 +0100 Subject: [PATCH 3/3] Add force_forwarded_ssl_header vhost/location option This is a workaround for running an application behind two layers of reverse proxies with the outer one terminating ssl. In this case the inner proxy receives requests with plain http and sets X-Forwarded-Proto, X-Forwarded-Ssl and X-Url-Scheme to "http", although the original requests used https. This breaks some applications. Ideally we would use a mechanism similar to real_ip_from and just forward the proto/ssl/scheme headers if the request came from a trusted proxy, but this workaround is much simpler. --- defaults/main.yml | 1 + templates/vhost.conf.j2 | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index e9ce644..6234341 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -46,6 +46,7 @@ nginx_vhosts_defaults: hide_proxy_headers: {} backend: ~ disallow_dotfiles: True + force_forwarded_ssl_header: False nginx_streams_defaults: listen: diff --git a/templates/vhost.conf.j2 b/templates/vhost.conf.j2 index 255d316..9b968a8 100644 --- a/templates/vhost.conf.j2 +++ b/templates/vhost.conf.j2 
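Review bot: `date.timezone = "{{ phpini.date_timezone }}"` places the variable inside the double quotes with no fallback and no escaping, so an inventory that overrides `phpini` without the new key fails the template render on an undefined attribute, and a value carrying a `"` or a line break ends the directive early and is parsed as further ini text; the defaults hunk adds the key under `phpinidefault`, so whether `phpini` always inherits it depends on a merge that is not part of this patch. A default on the expression keeps existing inventories rendering, `date.timezone = "{{ phpini.date_timezone | d('UTC') }}"`, and a whitelist check in the play (an `assert` that the value matches `^[A-Za-z0-9_+/-]+$`) rejects a malformed zone name before PHP-FPM is restarted with a broken ini.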
@@ -53,9 +53,15 @@ server { proxy_set_header Host {{ location.host|d(vhost.host) }}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + {% if not location.force_forwarded_ssl_header|d(vhost.force_forwarded_ssl_header) %} proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Ssl $https; proxy_set_header X-Url-Scheme $scheme; + {% else %} + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Url-Scheme https; + {% endif %} # add custom proxy headers {% for header in vhost.add_proxy_headers if header %}
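Review bot: With `force_forwarded_ssl_header` enabled the `{% else %}` branch tells the backend that every request arrived over HTTPS regardless of how it reached this nginx, so if the vhost is reachable over plain HTTP by anything other than the TLS-terminating outer proxy (a direct connection to its listen address, or an outer proxy that itself accepts http), the application will treat cleartext requests as secure and secure-cookie flags, scheme checks and https-only redirects lose their meaning; the commit message acknowledges the trade-off but the option carries no warning where an operator will read it. The `{% else %}` branch deserves a template comment such as `# WARNING: asserts TLS for every request; enable only when this vhost accepts connections solely from the TLS-terminating proxy`, and `force_forwarded_ssl_header: False` in defaults/main.yml should get the same one-line caveat, since patch 1 documented `disallow_dotfiles` in the README and this option is added to neither file. Passing the outer proxy's own value through, `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`, is a less blunt alternative, but it is only safe once the vhost can trust that header from the outer proxy alone. The enclosing `server {` block begins and ends outside the hunk.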