On Fri, May 17, 2019 at 06:11:08PM +0200, Bruno Flueckiger wrote:
> @@ -48,23 +48,27 @@ server "domain.tld" {
>               key "/etc/ssl/private/domain.tld_private.pem"
>       }
> 
> +     directory index index.php
> +
>       # First deny access to the specified files
> -     location "/.ht*"                { block }
> -     location "/.user*"              { block }
> -     location "/3rdparty*"           { block }
> -     location "/README"              { block }
> -     location "/autotest*"           { block }
> -     location "/build*"              { block }
> -     location "/config*"             { block }
> -     location "/console*"            { block }
> -     location "/data*"               { block }
> -     location "/db_*"                { block }
> -     location "/indie*"              { block }
> -     location "/issue*"              { block }
> -     location "/lib*"                { block }
> -     location "/occ*"                { block }
> -     location "/templates*"          { block }
> -     location "/tests*"              { block }
> +     location "/nextcloud/.ht*"      { block }
> +     location "/nextcloud/.user*"    { block }
> +     location "/nextcloud/3rdparty*" { block }
> +     location "/nextcloud/AUTHORS"   { block }
> +     location "/nextcloud/COPYING"   { block }
> +     location "/nextcloud/config*"   { block }
> +     location "/nextcloud/console*"  { block }
> +     location "/nextcloud/data*"     { block }
> +     location "/nextcloud/lib*"      { block }
> +     location "/nextcloud/occ*"      { block }
> +
> +     location "/.well-known/caldav" {
> +             block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav";
> +        }
> +
> +        location "/.well-known/carddav" {
> +             block return 301 "https://$SERVER_NAME/nextcloud/remote.php/dav";
> +        }
> 
>       location "/*.php*" {
>               root "/nextcloud"
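Review bot: The re-prefixed denylist quietly drops the old `/README`, `/autotest*`, `/build*`, `/db_*`, `/indie*`, `/issue*`, `/templates*` and `/tests*` rules instead of carrying them over as `/nextcloud/...`, so those paths are no longer blocked by this list; unless they were removed on purpose they should be re-added in the same form, e.g. `location "/nextcloud/tests*" { block }` and `location "/nextcloud/templates*" { block }`, since Nextcloud's upstream web-server examples appear to deny the same set. The comment `# First deny access to the specified files` would be clearer as `# Deny rules first: httpd uses the first matching location, so these must stay ahead of the "/*.php*" handler`, because the ruleset only works if the blocks precede the PHP location that follows. The two new `.well-known` locations are indented with spaces while the rest of the file uses tabs. The `location "/*.php*"` block at the end of the hunk continues past it.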

It is also possible to run Nextcloud with a default-deny (block-by-default) ruleset, so that only the paths listed explicitly are ever served. For example:

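        # Default-deny: any request not matched by one of the locations below is
        # dropped, so every path Nextcloud needs has to be listed explicitly.
        # This relies on httpd applying the first matching location, so the
        # order of the rules matters: deny rules come before the PHP handler.
        block drop

        # Ensure that no '*.php*' files can be fetched from these directories.
        # They are listed ahead of the "*.php*" handler so they win the match
        # (e.g. /nextcloud/config/config.php would otherwise be passed to PHP).
        location "/nextcloud/config/*" {
                block drop
        }
        location "/nextcloud/data/*" {
                block drop
        }

        # Note that this matches "*.php*" anywhere in the request path, e.g.
        # "/nextcloud/index.php/apps/files" as well as "/nextcloud/index.php".
        # "request strip 1" removes the leading "/nextcloud" component before
        # the file is looked up under root.
        # NOTE(review): root and the fastcgi socket path are presumably
        # relative to httpd's chroot -- confirm against httpd.conf(5).
        location "/nextcloud/*.php*" {
                root "/nextcloud"
                request strip 1
                fastcgi socket "/run/php-fpm.sock"
                pass
        }

        # Static assets. Anything else under /nextcloud that is not a PHP file
        # (lib/, 3rdparty/, occ, .htaccess, ...) falls through to "block drop".
        location "/nextcloud/apps/*" {
                root "/nextcloud"
                request strip 1
                pass
        }

        location "/nextcloud/core/*" {
                root "/nextcloud"
                request strip 1
                pass
        }

        location "/nextcloud/settings/*" {
                root "/nextcloud"
                request strip 1
                pass
        }

        # Send the bare prefix to the front controller. A literal target is used
        # instead of "$DOCUMENT_URI/index.php", which for the trailing-slash
        # form would redirect to "/nextcloud//index.php".
        location "/nextcloud" {
                block return 301 "/nextcloud/index.php"
        }

        location "/nextcloud/" {
                block return 301 "/nextcloud/index.php"
        }

        # Not covered by this example: with the default deny in place the
        # /.well-known/caldav and /.well-known/carddav redirects are dropped too
        # and need their own location blocks if CalDAV/CardDAV discovery is used.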
