Score:2

Directory traversal fix for nginx config


I discovered that my website has this issue and I wasn't able to fix it. I tried several things, like checking whether parent prefixed locations for Nginx alias directives end with a directory separator, but no luck so far. merge_slashes on is the default setting. I've read about AppArmor or SELinux. Is that the way to go? I have Ubuntu 18. In other words, I'm able to download this file http://mywebsite.com///etc/passwd and I want to avoid this. Any help is appreciated. Here is my config:

server {
    listen 80;
    server_name .mysite.com;

    return 301 https://mysite.com$request_uri;
}

server {
    server_name www.mysite.com;
    listen 443 ssl http2;
    ssl_prefer_server_ciphers On;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers '......
    ssl_certificate          /...crt;
    ssl_certificate_key      /..key;

    return 301 https://mysite.com$request_uri;
}

server {
    server_name mysite.com;
    listen 443 ssl http2;
    ssl_prefer_server_ciphers On;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers '...
    ssl_certificate          /...crt;
    ssl_certificate_key      /.....key;

    add_header x-frame-options "SAMEORIGIN" always;
    add_header x-xss-protection "1; mode=block" always;
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; $

    root /var/www/www.mysite.com;
    index index.php;

    client_max_body_size 10M;
    access_log /var/log/nginx/mysite.com.log;
    error_log /var/log/nginx/mysite.com.error.log error;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location /shopping/ {
        index index.php index.html index.htm;
        rewrite ^/shop/wp-json/(.*?)$ /shopping/index.php?rest_route=/$1 last;
        try_files $uri $uri/ /shop/index.php?q=$uri&$args;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 24h;
        log_not_found off;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ \.(log|save|htaccess|json|csv|txt|xls)$ {
        deny all;
        error_page 403 =404 / ;
    }

    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }
}
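A way to reason about where a URI like `///etc/passwd` actually lands on disk, as an added example that is not from the question or any answer: it mimics nginx's URI normalisation (merge_slashes on, dot-segment removal) and its prefix-location mapping, then reports whether the resolved file stays inside the intended base directory. The `/static` alias location is a constructed illustration of the trailing-slash mismatch the asker mentions checking for; the asker's config only uses `root`.

```python
import posixpath
import re

# The asker's server block: one root and prefix locations. The "/static"
# alias entry is constructed for illustration and is NOT in their config.
ROOT = "/var/www/www.mysite.com"
LOCATIONS = [
    ("/", "root", ROOT),
    ("/shopping/", "root", ROOT),
    ("/static", "alias", "/var/www/static/"),  # constructed: prefix lacks '/'
]


def normalize_uri(uri: str, merge_slashes: bool = True) -> str:
    """Approximate nginx's URI normalisation: collapse repeated slashes
    (merge_slashes on is the default) and resolve '.'/'..' segments without
    ever climbing above '/'. Note that '/static..' is a single segment and
    is left untouched, which is why alias prefix mismatches matter."""
    if merge_slashes:
        uri = re.sub(r"/+", "/", uri)
    return posixpath.normpath("/" + uri.lstrip("/"))


def resolve(uri: str, root: str = ROOT, locations=LOCATIONS):
    """Map a URI to a filesystem path the way nginx prefix locations do
    (longest matching prefix wins). Returns (path, base, escapes_base) where
    base is the directory the file must stay inside: the root for 'root'
    locations, the alias target for 'alias' locations."""
    uri = normalize_uri(uri)
    matches = [loc for loc in locations if uri.startswith(loc[0])]
    prefix, kind, target = max(matches, key=lambda loc: len(loc[0]))
    if kind == "root":
        raw = target + uri                 # root keeps the whole URI
    else:
        raw = target + uri[len(prefix):]   # alias replaces only the prefix
    path = posixpath.normpath(raw)
    base = posixpath.normpath(target)
    escapes = not (path == base or path.startswith(base + "/"))
    return path, base, escapes


def lint(locations=LOCATIONS):
    """Flag alias locations whose prefix lacks the trailing '/' that the
    alias target has; that mismatch lets 'prefix..' map outside the target."""
    return [p for p, k, t in locations
            if k == "alias" and t.endswith("/") and not p.endswith("/")]


if __name__ == "__main__":
    for u in ("///etc/passwd", "/shopping/../../etc/passwd", "/static../x.txt"):
        print(u, "->", resolve(u))
    print("alias prefixes to fix:", lint())
```

With the asker's root-only config both passwd URIs resolve to `/var/www/www.mysite.com/etc/passwd`, inside the root, so the model alone does not explain the download; the constructed alias case shows the one pattern that does escape.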
Lou_is:
This looks more like a nginx configuration question than a security question. Serverfault might be a more appropriate location.

Greg:
OK, thanks! I will post an answer here if I find it!

Does this answer your question? [Directory traversal fix for nginx config](https://serverfault.com/questions/1087875/directory-traversal-fix-for-nginx-config)