
Non-critical web server security observations & suggestions (Nginx)

edited March 2012 in Feedback

Two Nginx-specific suggestions I have for others, based on the forum launch I'm working on right now:

1) Categories can be accessed directly by ID in addition to name. Not a vulnerability or anything, since categories to which a viewer doesn't have access return a log-in page for guests or a blue "Permission Problem" page for logged-in users, but it still gives nosy folks insight into your forum's structure and can show the presence of hidden forums.

Workaround - deny access to URLs which contain /categories/ followed by a number. For Nginx, this is done with a simple location directive:

location ~* /categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$ { return 404; }

2) The /conf directory is by default located inside the webroot, and config.php contains your MySQL account name and password. I don't believe the default .htaccess file locks down /conf, and in any case, Nginx doesn't use .htaccess files.

Workaround - deny access to /conf by declaring it internal, which still lets the web server access it but prevents files from being served from that location:

location ^~ /conf/ { internal; }

I'll eventually blog my configuration in detail, but wanted to share these two with the community before it slipped my mind!

Best Answer

  • x00 (MVP)
    edited March 2012 Answer ✓

    config.php, as do most files, has

    if (!defined('APPLICATION')) exit();

    but there's no harm in making sure.

    Make sure to set the default 404 to /dashboard/home/filenotfound for consistency's sake.


  • LeeH
    edited March 2012

    Ah, see, I'm php-stupid, so I wasn't sure that's what that line did. Thanks for explaining! :D

    But, still, definitely a good idea to make sure. And, yep, error page consistency is one of those things that makes you look like you are a good site admin and know what you're doing!!

    error_page 404 /dashboard/home/filenotfound;
    error_page 403 =404 /dashboard/home/filenotfound;

    (Yeah, serving a "not found" in place of a "forbidden" kind of violates RFC 2616, but I prefer obscurity over holding up a flag that says "Something interesting is here but you can't see it!!")
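A complete server block that puts the three pieces from this thread together (the /conf lockdown, the category-ID block, and the error-page consistency from the replies). This is an added example, not code from the thread or from Vanilla's own documentation. It assumes the forum lives at /var/www/vanilla, that PHP runs under php-fpm on 127.0.0.1:9000, and that Vanilla's front controller takes the requested path as index.php?p=<path>; adjust those three to your install. The category regex is generalised from the original 1-3 digit pattern to any digit string and anchored with ^ so only the top-level /categories/<id> route is affected.

```nginx
# Added example; assumptions are marked inline and are not from the thread.
server {
    listen 80;
    server_name forum.example.com;           # assumption
    root /var/www/vanilla;                   # assumption
    index index.php;

    # (3) Error-page consistency, as suggested in the replies: every 404, and
    # every 403 rewritten to 404, is rendered by Vanilla's own "not found"
    # page, so a blocked path looks exactly like a path that never existed.
    # recursive_error_pages is off by default, so this cannot loop.
    error_page 404 /dashboard/home/filenotfound;
    error_page 403 =404 /dashboard/home/filenotfound;

    # (2) Never serve /conf/ (config.php holds the database credentials).
    # "^~" is a prefix match that stops nginx from consulting the regex
    # locations below; without it, "~ \.php$" would claim /conf/config.php
    # first and hand it to PHP-FPM. "internal" answers external requests
    # with 404 while still allowing internal redirects into the directory.
    # "deny all" would also work, but returns 403, which the error_page
    # line above then turns into 404 anyway.
    location ^~ /conf/ { internal; }

    # (1) Hide category IDs. Anchored with ^ so a discussion whose slug
    # happens to contain "categories" is not caught; [0-9]+ covers any ID,
    # not just the 1-3 digit IDs the original pattern matched.
    location ~* ^/categories/[0-9]+$ { return 404; }

    # Everything else: serve the file if it exists, otherwise hand the path
    # to Vanilla's front controller (parameter name "p" is an assumption).
    location / {
        try_files $uri $uri/ /index.php?p=$uri&$args;
    }

    # PHP via FastCGI. The try_files here stops nginx from passing a
    # non-existent .php path to PHP-FPM, which would otherwise answer with
    # its own, different-looking "File not found".
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;         # assumption: php-fpm on TCP 9000
    }
}
```

Order matters here only for the regex locations, which nginx tries top to bottom after prefix matching; the ^~ prefix on /conf/ is what guarantees the credentials file is never reached by the \.php$ handler. After reloading, check the result from outside the box: /conf/config.php, /categories/1 and a made-up path such as /nothing-here should all come back with an identical 404 page and status.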
