PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-07 03:29:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

refactor: update nginx config for new structure

Browse Source 
- Updated posterg.conf with new directory structure
- Document root: /var/www/posterg/public
- Explicitly deny access to: /src, /templates, /config, /storage, /tests, /scripts, /docs
- Added structure diagram in comments
- Updated deploy scripts security checks
- Replaced outdated posterg.conf.reference

All non-public directories outside webroot for security.
Defense-in-depth: explicit deny rules even though paths outside /public.
This commit is contained in:
Théophile Gervreau-Mercier
2026-02-12 12:20:31 +01:00
parent 87971f9c23
commit 942a93a3ad
7 changed files with 469 additions and 227 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
nginx/posterg.conf
View File

@@ -1,6 +1,7 @@
# Nginx configuration for Post-ERG thesis website (Production)
# Based on existing default config with security enhancements
# Updated for new directory structure
# Place this in /etc/nginx/sites-available/posterg
# Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
# Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
@@ -14,6 +15,19 @@ server {
server_name posterg.erg.be www.posterg.erg.be;
# Document root points to /public (only web-accessible files)
# Project structure: /var/www/posterg/
# /config - Configuration (outside webroot)
# /docs - Documentation (outside webroot)
# /nginx - Server configs (outside webroot)
# /public - Web root ← THIS DIRECTORY
# /admin - Admin interface
# /assets - CSS, fonts, icons
# /scripts - Deployment scripts (outside webroot)
# /src - PHP source classes (outside webroot)
# /storage - SQLite databases (outside webroot)
# /templates - PHP templates (outside webroot)
# /tests - Test suites (outside webroot)
root /var/www/posterg/public;
# Add index.php to the list
@@ -23,7 +37,7 @@ server {
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers.
# CSP (Content-Security-Policy) is the correct mitigation (see item #11).
# CSP (Content-Security-Policy) is the correct mitigation.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
@@ -45,51 +59,84 @@ server {
log_not_found off;
}
# Deny access to sensitive files
location ~* \.(md|txt|sql|sh|json|gitignore)$ {
# Deny access to sensitive files and extensions
location ~* \.(md|txt|sql|sh|json|gitignore|git|env|db-journal)$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to SQLite database files
location ~* \.db$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to log files
location ~* \.log$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to directories outside webroot (defense-in-depth)
# These paths shouldn't be accessible anyway since they're outside /public
# but we deny explicitly for additional security
location ^~ /storage/ {
deny all;
}
# Deny access to database directory
location ^~ /database/ {
location ^~ /src/ {
deny all;
}
# Deny access to shared/ directory (PHP includes only)
location ^~ /shared/ {
location ^~ /templates/ {
deny all;
}
# Deny access to data directory
location ^~ /data/ {
location ^~ /config/ {
deny all;
}
location ^~ /tests/ {
deny all;
}
location ^~ /scripts/ {
deny all;
}
location ^~ /docs/ {
deny all;
}
# Admin panel - password protected
location ^~ /admin/ {
# HTTP Basic Authentication
# HTTP Basic Authentication (first layer)
auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg;
# Rate limiting for admin
limit_req zone=admin burst=5 nodelay;
# Content-Security-Policy — ported from public/admin/.htaccess which nginx ignores (item #6).
# Tighter policy for admin: no external sources, no object embedding.
# Content-Security-Policy - Tighter policy for admin
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
# Disable directory listing (nginx default is off; explicit for defence-in-depth, item #6)
# Disable directory listing
autoindex off;
# Allow access to public assets without authentication
location ~ ^/admin/(css|js|images)/ {
auth_basic off;
}
# PHP handling for admin
# PHP handling for admin (AdminAuth provides second layer)
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
}
# Additional security headers for admin
@@ -106,7 +153,7 @@ server {
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
}
# PHP files handler
# PHP files handler (public pages)
location ~ \.php$ {
# Rate limiting for general PHP requests
limit_req zone=general burst=20 nodelay;
@@ -141,15 +188,7 @@ server {
try_files $uri $uri/ =404;
}
# Deny access to log files — public/admin/.htaccess had this rule but Apache
# .htaccess directives are silently ignored by nginx (item #6).
location ~* \.log$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to .htaccess files (if Apache's document root concurs with nginx's)
# Deny access to .htaccess files
location ~ /\.ht {
deny all;
}