Score:0

Nginx Amplify "Regex location has no anchors in regex pattern". How to fix corresponding lines in Nginx virtual host?

mx flag

I am running Nginx with Nginx Amplify. In my Amplify>Analyzer>Static Analysis Section I am gettin the following errors:

Regex location has no anchors in regex pattern Regex location has a regex pattern without ^ or $. This is a configuration style that is prone to errors. It may also lead to a situation when requests partially matching the regex pattern are incorrectly routed to this location. Always use ^ or $ achor in a regex pattern.

Check the following files: /etc/nginx/conf.d/01-mail.example.com, line 27 /etc/nginx/conf.d/01-mail.example.com, line 89 /etc/nginx/sites-enabled/03-example2.com.conf, line 176 /etc/nginx/sites-enabled/03-example2.com.conf, line 199 /etc/nginx/sites-enabled/03-example2.com.conf, line 265

My 01-mail.example.com virtual host file looks like this:

server {
    # Restrict access to LAN & Work IP & Apartment IP's
    allow xxx.xxx.xx.x/24; #  LAN IP Address
    allow xxx.xx.xxx.xxx/32; # Work IP address
    allow xxx.xx.xxx.xxx/32; # Apt. IP Address
    deny all;
    #error_page 403 =444;

    # Begin Server Directives
    server_name mail.example.com;
    root /var/www/roundcube/;
    index index.php index.html index.htm;

    # Logs
    error_log /var/log/nginx/mail.example.com.error.log;
    access_log /var/log/nginx/mail.example.com.access.log;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        # Pass FastCGI to PHP7.4 with included settings in the snippet
        include snippets/fastcgi-php.conf;
    }

    location ~ /.well-known/acme-challenge {
        allow all;
    }
    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }
    location ~ ^/(bin|SQL)/ {
        deny all;
    }
    # A long browser cache lifetime can speed up repeat visits to your page
    location ~ \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
        access_log off;
        log_not_found off;
        expires 360d;
    }

    listen *:443 ssl;
    http2 on;
    ssl_certificate /etc/letsencrypt/live/mail.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/ssl/private/dhparams4096.pem; # Managed by admin

    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

    ssl_trusted_certificate /etc/letsencrypt/live/mail.example.com/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot

}
server {
    if ($host = mail.example.com) {
        return 301 https://$host$request_uri;
    }
    # managed by Certbot

    # Restrict access to LAN & Work IP & Apartment IP's
    allow xxx.xxx.xx.x/24; #  LAN IP Address
    allow xxx.xx.xxx.xxx/32; # Work IP address
    allow xxx.xx.xxx.xxx/32; # Apt. IP Address
    deny all;
    #error_page 403 =444;

    # Begin Server Directives
    listen *:80;
    server_name mail.example.com;
    root /var/www/roundcube/;
    index index.php index.html index.htm;

    error_log /var/log/nginx/mail.example.com.error.log;
    access_log /var/log/nginx/mail.example.com.error.log;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        #try_files $uri =404;
        # Pass FastCGI to PHP7.4 with included settings in the snippet
        include snippets/fastcgi-php.conf;
    }

    location ~ /.well-known/acme-challenge {
        allow all;
    }
    location = ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }
    location ~ ^/(bin|SQL)/ {
        deny all;
    }
    # LINUXBABE + Extra Extensions
    # A long browser cache lifetime can speed up repeat visits to your page
    location ~ \.(txt|flv|pdf|avi|mov|ppt|wmv|mp3|ogg|webm|aac|jpg|ogg|ogv|svgz|eot|otf|mp4|rss|atom|zip|tgz|gz|rar|bz2|doc|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|jpeg|gif|png|swf|jpeg|webp|svg|woff|woff2|ttf|css|js|ico|xml|otf|woff|woff2)$ {
        access_log off;
        log_not_found off;
        expires 1y;
    }
}

It seems the lines Amplify is referencing is:

location ~ /.well-known/acme-challenge {

on line 27, and ...

location ~ /.well-known/acme-challenge {

on line 89.

My 03-example2.com.conf virtual host file looks like this:

server {
    listen 80;
    server_name example2.com www.example2.com;
    return 301 https://$host$request_uri;
}

server {
    listen *:443 ssl;
    http2 on;
    server_name example2.com www.example2.com;
    root /var/www/example2.com/;

    ##
    # SECURITY HEADERS
    ##

    # Strict Transport Security Response Header
    # Use "always" Paramater to help prevent MITM attacks.
    # ADMIN Note: Including the Preload Paramerter will cause web browsers to cache this header
    # permanently in their browser code for about two months. Use only if you want to permanently
    # commit this header to your site. If you change it, it will take a long time for changes to
    # be reflected in the web browsers.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Content Security Policy (CSP)
    #add_header Content-Security-Policy "frame-ancestors 'self';";
    # https://gabriel.nu/tutorials/Ubuntu-20.04-NGINX-LEMP-secure-web-server-for-WordPress-DIY.html
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    #add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'";
    # https://walterebert.com/blog/using-csp-wordpress/
    #add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: http: https: *.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com; font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com;" always;
    # https://nowherelan.com/2018/12/27/secure-your-wordpress-site-with-the-content-security-policy-csp-http-header-in-apache/
    #add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: http: https: *.gravatar.com *.wp.com *.wordpress.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https: *.wp.com *.wordpress.com; style-src 'self' 'unsafe-inline' http: https: fonts.googleapis.com *.wp.com *.wordpress.com; font-src 'self' data: http: https: fonts.googleapis.com themes.googleusercontent.com *.wp.com *.wordpress.com; frame-src 'self' 'unsafe-inline' 'unsafe-eval' http: https: *.wp.com *.wordpress.com"

    # Secure MIME Types with X-Content-Type-Options. Below line adds the X-Frame-Options header in Nginx.
    add_header X-Content-Type-Options "nosniff" always;

    # Referrer Policy
    #add_header Referrer-Policy "strict-origin";
    # https://gabriel.nu/tutorials/Ubuntu-20.04-NGINX-LEMP-secure-web-server-for-WordPress-DIY.html
    add_header Referrer-Policy "no-referrer-when-downgrade" always;

    # Permissions Policy
    add_header Permissions-Policy "geolocation=(), autoplay=(), encrypted-media=(), midi=(), usb=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=(self)";

    # X-FastCGI-Cache
    # This line adds the X-FastCGI-Cache header in the HTTP response. It can be used to validate whether
    # the request has been served from the FastCGI cache or not.
    # ADMIN Note: Linuxbabe originally had this directive in "location ~ \.php$ {", however, we don't use it
    # there because it invalidates any other currently used headers and only implements itself.
    add_header X-FastCGI-Cache $upstream_cache_status always;

    # Clear Site Data
    # When we use a webpage, we can leave various pieces of data in the browser that we’d like to clear
    # out if the user logs out or deletes their account. Clear Site Data gives us a reliable way to do
    # that.
    # ADMIN Note: We decided to enable it globally on all pages via:
    add_header Clear-Site-Data "*";

    # X-Frame Options
    # Prevent click jacking by adding an X-Frame-Options header
    add_header x-frame-options "SAMEORIGIN" always;

    # X-SSS Protections
    # Enable X-XSS-Protection header in Nginx
    add_header X-XSS-Protection "1; mode=block" always;

    # LINUXBABE
    # If you allow people to upload files, or are concerned about intruders using a different flaw to get
    # files onto your server AND the content on your domain should not be accessed via other websites
    # possibly trying to impersonate you, then yes X-Permitted-Cross-Domain-Policies "none" will provide a
    # security benefit. The attack is less relevant these days, as any user of modern software first
    # needs to be tricked into allowing Flash or active PDF content.
    # If your website is just a regular website with nothing that requires a login to access, then you don't need it.
    # https://www.linuxbabe.com/ubuntu/install-wordpress-ubuntu-20-04-nginx-mariadb-php7-4-lemp
    # https://security.stackexchange.com/questions/166024/does-the-x-permitted-cross-domain-policies-header-have-any-benefit-for-my-websit
    add_header X-Permitted-Cross-Domain-Policies none;

    # LINUXBABE (User recommendation)
    # Ignore Cache Control
    # Keep fastcgi working if it's not getting hits
    # ADMIN Note: Only use this if fastcgi cache status is not getting hits
    #fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

    ##
    # SSL
    ##

    # Certificate Path (signed)
    ssl_certificate /etc/letsencrypt/live/example2.com/fullchain.pem; # Managed by ADMIN
    # Certificate Path (intermediate)
    ssl_certificate_key /etc/letsencrypt/live/example2.com/privkey.pem; # Managed by ADMIN
    # Certificate Path (Chain of trust of OCSP response using Root CA and intermediate certificates)
    ssl_trusted_certificate /etc/letsencrypt/live/example2.com/chain.pem; # Managed by ADMIN
    # Perfect Forward Secrecy (Diffie Hellman 4096) Path
    ssl_dhparam /etc/ssl/private/dhparams4096.pem; # Managed by ADMIN

    # Mozilla Modern Compatibilty
    # Strict Settings with OCSP stapling turned on for A+ Rating at ssllabs.com
    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLERequires nginx >= 1.13.0 else use TLSv1.2 # Dropping TLSv1.1 for modern compatability.
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # About 40000 sessions
    ssl_session_tickets off;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1;

    ##
    # LOGS
    ##

    # ADMIN Note: Adding "if=$log_ip" to the end of access log lines will exclude your own ip address from access logs to prevent skewing data

    # Access Log (Netdata)
    access_log /var/log/nginx/example2.com.access.log netdata if=$log_ip;
    # Access Log (Amplify)
    access_log /var/log/nginx/example2.com.access.log apm if=$log_ip;
    # Error Log
    error_log /var/log/nginx/example2.com.error.log warn;

    ##
    # PAGESPEED
    ##

    # ADMIN Note: Pagespeed is broken on Nginx v1.25.1 and up, so we should comment all of it out here and in the "nginx.conf" file

    # Settings per this virtual host
    # Enable Pagespeed module
    #pagespeed on;
    #pagespeed Domain http*://*.example2.com;

    # Settings per all virtual hosts
    #include /etc/nginx/pagespeed.conf;

    ##
    # LOCATION DIRECTIVES 1
    ##

    index index.php index.html index.htm index.nginx-debian.html;

    # ADMIN
    # https://serverfault.com/questions/1137324/difference-between-3-similar-nginx-location-directives-provided-in-three-separat/1137342#1137342
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    ### BEGIN: "Converter for Media" Wordpress Plugin
    set $ext_avif ".avif";
    if ($http_accept !~* "image/avif") {
        set $ext_avif "";
    }

    set $ext_webp ".webp";
    if ($http_accept !~* "image/webp") {
        set $ext_webp "";
    }

    location ~ /wp-content/(?<path>.+)\.(?<ext>jpe?g|png|gif|webp)$ {
        add_header Vary Accept;
        expires 365d;
        try_files
            /wp-content/uploads-webpc/$path.$ext$ext_avif
            /wp-content/uploads-webpc/$path.$ext$ext_webp
            $uri =404;
    }
    ### END: "Converter for Media" Wordpress Plugin

    # ADMIN
    # https://serverfault.com/questions/755662/nginx-disable-htaccess-and-hidden-files-but-allow-well-known-directory
    # location ~ /.well-known {
    location ~ /\.well-known {
        allow all;
    }

    # ADMIN
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # ADMIN
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # LINUXBABE
    location ~ ^/wp-json/ {
        rewrite ^/wp-json/(.*?)$ /?rest_route=/$1 last;
    }

    # LINUXBABE
    location ~ /wp-sitemap.*\.xml {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # LINUXBABE
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    # LINUXBABE
    location = /50x.html {
        root /var/www/html;
    }

    # ADMIN
    # DISALLOW ACCESS of /xmlrpc.php
    # EXCEPT FROM internal IP's and Home & Apartment IP's.
    #location ^~ /xmlrpc.php$ {
        #allow xxx.xxx.xx.x/24; #   LAN IP Address
        #allow xxx.xxx.xx.x/32; # Home IP address
        #allow xxx.xxx.xx.x/32; # Apt. IP Address
        #deny all;
        # Pass FastCGI to PHP7.4 with included settings in the snippet
        #include snippets/fastcgi-php.conf;
    #}

    # ADMIN
    # DISALLOW ACCESS of /admin
    # EXCEPT FROM internal IP's and Home & Apartment IP's
    location ^~ /admin/ {
        #satify all;
        allow xxx.xxx.xx.x/24; #   LAN IP Address
        allow xxx.xxx.xx.x/32; # Home IP address
        allow xxx.xxx.xx.x/32; # Apt. IP Address
        deny all;
        # Require basic auth login for allowed IP's
        auth_basic "You Don't belong here. Get out!";
        auth_basic_user_file /etc/nginx/basic_auth/auth.admin;
        # Pass FastCGI to PHP7.4 with included settings in the snippet
        include snippets/fastcgi-php.conf;
    }

    # ADMIN
    # DISALLOW ACCESS of /wp-login.php
    # EXCEPT FROM internal IP's and Home & Apartment IP's.
    #location ^~ /wp-login.php {
        #allow xxx.xxx.xx.x/24; #   LAN IP Address
        #allow xxx.xxx.xx.x; # Home IP address
        #allow xxx.xxx.xx.x; # Apt. IP Address
        #deny all;
        # Require basic auth login for allowed IP's
        #auth_basic "You Don't belong here. Get out!";
        #auth_basic_user_file /etc/nginx/basic_auth/auth.wp-login;
        # Pass FastCGI to PHP7.4 with included settings in the snippet
        #include snippets/fastcgi-php.conf;
    #}

    # ADMIN
    # DISALLOW ACCESS of PHP In Upload Folder
    location /wp-content/uploads/ {
        location ~ \.php$ {
            deny all;
        }
    }

    # ADMIN
    # DISALLOW ACCESS of hidden files
    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }

    ##
    # BEGIN: CACHE / SKIP CACHE
    ##

    # LINUXBABE
    # https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
    # Don't Skip Cache by Default
    set $skip_cache 0;

    # LINUXBABE
    # https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
    # POST requests should always go to PHP
    if ($request_method = POST) {
        set $skip_cache 1;
    }

    # LINUXBABE
    # URLs containing query strings should always go to PHP
    # ADMIN Note: You might want to be sure to turn off query strings in H-code wordpress theme, and other themes
    # https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
    if ($query_string != "") {
        set $skip_cache 1;
    }

    # LINUXBABE
    # Don't cache uris containing the following segments
    # https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
    # https://easyengine.io/wordpress-nginx/tutorials/plugins/woocommerce/
    # https://docs.cleavr.io/guides/woocommerce/
    if ($request_uri ~* "/wp-admin/|/wp-json/|/login/|/register/|/shopping-cart.*|.*add-to-cart.*|.*empty-cart.*|/cart.*|/checkout.*|/addons.*|/my-account.*|/wishlist.*|/xmlrpc.php|wp-.*.php|^/feed/*|/tag/.*/feed/*|index.php|/.*sitemap.*\.(xml|xsl)") {
        set $skip_cache 1;
    }

    # LINUXBABE
    # Don't use the cache for logged in users or recent commenters
    # https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
        set $skip_cache 1;
    }

    # LINUXBABE
    # Cache Bypass for specified IP's
    # Test the upstream (PHP-FPM and MariaDB) response time. By adding the following
    # lines we tell Nginx to bypass the FastCGI cache for our own public and local IP addresses.
    # Skip the fastCGI Cache for "Apartment Public IP|Work Public IP|Apartment LAN Subdomain".
    # https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
    #if ($remote_addr ~* "xxx.xxx.xx.x|108.231.125.254|xxx.xxx.xx.x|192.168.25..*") {
    #    set $skip_cache 1;
    #}

    ##
    # END: CACHE / SKIP CACHE
    ##

    # LINUXBABE
    # Google Sitemaps / Yoast SEO Rules:
    # If you use the Yoast SEO or Google XML Sitemap plugins to generate sitemap, then
    # you need to move the Yoast/Google XML rewrite rules here, below the skip cache rules (below this line).
    # https://www.linuxbabe.com/nginx/setup-nginx-fastcgi-cache
    # Rules:

    ##
    # LOCATION DIRECTIVES 2
    ##

    # LINUXBABE
    # Pass Fastcgi to PHP
    location ~ \.php$ {
        # Pass FastCGI to PHP7.4 with included settings in the snippet
        include snippets/fastcgi-php.conf;
        # FastCGI Cache
        #fastcgi_cache off;
        fastcgi_cache example2.com;
        fastcgi_cache_valid 200 301 302 12h;
        fastcgi_cache_use_stale error timeout updating invalid_header http_500 http_503;
        fastcgi_cache_min_uses 1;
        fastcgi_cache_lock on;
        # Tell Nginx to send requests to upstream PHP-FPM server, instead of trying to find files in the
        # cache. If the value of $skip_cache is 1, then the first directive tells Nginx to send request
        # to upstream PHP-FPM server, instead of trying to find files in the cache.
        # ADMIN Note: fastcgi_cache_bypass $skip_cache and fastcgi_no_cache $skip_cache should be
        # uncommented if using google XML sitemap plugin, or Yoast SEO Plugin, or if you want to
        # enable the skip cache rules above.
        fastcgi_cache_bypass $skip_cache;
        # This directive tells Nginx not to cache the response.
        fastcgi_no_cache $skip_cache;
    }

    ##
    # NGINX CACHE PURGING in WORDPRESS with Nginx_Cache_Purge MODULE
    ##

    # Cache Purge
    # This enables the ngx_http_cache_purge_module.so module to work with Nginx Helper in Wordpress.
    # Cache Purging should be restricted to allowed IP addresses.
    # If not set, an attacker may be able to wipe your nginx fastcgi cache using simple GET requests. # (Linuxbabe User Comment).
    # This location block enables cache purge but restricts it to your ip address and to your loopback address.
    # Note: This is broken and we haven't tried to fix it. So, we are using wordpress Nginx Helper cache purge instead. Comment this out.
    #location ~ /purge(/.*) {
        #allow 127.0.0.1; # Server Loopback Address
        #allow xxx.xxx.xx.x; # Server IPv4 address
        #deny all;
        # Enable http-cache-purge module in nginx for above IP addresses
        #fastcgi_cache_purge example2.com "$scheme$request_method$host$1";
    #}

    # LINUXBABE (+ ADMIN Extra Extensions)
    # Speed up repeat visits to your page with a long browser cache lifetime
    location ~ \.(txt|flv|pdf|avi|mov|ppt|wmv|mp3|ogg|webm|aac|jpg|ogg|ogv|svgz|eot|otf|mp4|rss|atom|zip|tgz|gz|rar|bz2|doc|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|jpeg|gif|png|swf|jpeg|webp|svg|woff|woff2|ttf|css|js|ico|xml|otf|woff|woff2)$ {
        access_log off;
        log_not_found off;
        expires 1y;
    }
}

It seems the lines Amplify is referencing is:

location ~ /\.well-known {

on line 176,

location ~ /wp-sitemap.*\.xml {

on line 199, and

location ~ /\. {

on line 265.

What should I find and replace in each of the corresponding lines to satisfy Amplify's recommended suggestions?

ws flag
Does this answer your question? [Nginx Amplify "Regex location has no regex pattern". How to fix lines in Nginx?](https://serverfault.com/questions/1137615/nginx-amplify-regex-location-has-no-regex-pattern-how-to-fix-lines-in-nginx)
DanRan avatar
mx flag
@cymcbean, No it does not. The link you posted has a different warning from Amplify then the warnings in this post from Amplify.
jp flag
The error message says what you need to do.
DanRan avatar
mx flag
@AlexD If I understood what the error message was telling me, I wouldn't have asked the question. Thanks bro!
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.