Update nginx example to support assets better

- Enable viewing of draft assets - Disable viewing of .htaccess and .method - Enforce File.allowed_extensions (manually for now)
2024-10-22 14:05:37 +02:00 · 2018-11-14 15:01:20 -08:00 · 2018-11-14 15:01:20 -08:00 · 22ae0e4387
commit 22ae0e4387
parent df4d2bd838
1 changed files with 26 additions and 3 deletions
--- a/docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md
+++ b/docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md
@ -20,6 +20,7 @@ Especially be aware of [accidental php-execution](https://nealpoole.com/blog/201

 * It does not cover serving securely over HTTPS.
 * It uses the new filesystem layout (with `public` directory) introduced in version 4.1.0. If your installation has been upgraded to 4.1+ from an older version and you have not [upgraded to the public folder](/changelogs/4.1.0.md), see the version of this documentation for version 4.0.
+* The regular expression for allowed file types must be manually updated if the File.allowed_extensions list is updated.
 * The error pages for 502 (Bad Gateway) and 503 (Service Unavailable) need to be manually created and published in the CMS (assuming use of the silverstripe/errorpage module).

 ```nginx
@ -47,11 +48,33 @@ server {
  error_page 502 /assets/error-500.html;
  error_page 503 /assets/error-500.html;

-  location ^~ /assets/ {
+  # Support assets & resources #
+
+  # Never serve .gitignore, .htaccess, or .method
+  location ~ /\.(gitignore|htaccess|method)$ {
+      return 403;
+  }
+
+  # Handle allowed file types (see caveats)
+  # Pass unfound files to SilverStripe to check draft images
+  location ~ ^/assets/.*\.(?i:css|js|ace|arc|arj|asf|au|avi|bmp|bz2|cab|cda|csv|dmg|doc|docx|dotx|flv|gif|gpx|gz|hqx|ico|jpeg|jpg|kml|m4a|m4v|mid|midi|mkv|mov|mp3|mp4|mpa|mpeg|mpg|ogg|ogv|pages|pcx|pdf|png|pps|ppt|pptx|potx|ra|ram|rm|rtf|sit|sitx|tar|tgz|tif|tiff|txt|wav|webm|wma|wmv|xls|xlsx|xltx|zip|zipx)$ {
      sendfile on;
+      try_files $uri /index.php?$query_string;
+  }
+
+  # Allow the error pages. Fail with 404 Not found.
+  location ~ ^/assets/error-\d\d\d\.html$ {
      try_files $uri =404;
  }

+  # Fail all other assets requests as 404 Not found
+  # Could also use 403 Forbidden or 444 (nginx drops the connection)
+  location ~ ^/assets/ {
+      return 404;
+  }
+
+  # End of assets & resources support #
+
  location /index.php {
    fastcgi_buffer_size 32k;
    fastcgi_busy_buffers_size 64k;