PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 11:09:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

refactor: update nginx config for new structure

Browse Source 
- Updated posterg.conf with new directory structure
- Document root: /var/www/posterg/public
- Explicitly deny access to: /src, /templates, /config, /storage, /tests, /scripts, /docs
- Added structure diagram in comments
- Updated deploy scripts security checks
- Replaced outdated posterg.conf.reference

All non-public directories outside webroot for security.
Defense-in-depth: explicit deny rules even though paths outside /public.
This commit is contained in:
Théophile Gervreau-Mercier
2026-02-12 12:20:31 +01:00
parent 87971f9c23
commit 942a93a3ad
7 changed files with 469 additions and 227 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
config/bootstrap.php
View File

@@ -1,4 +1,5 @@
<?php <?php
/** /**
* Simple configuration for website * Simple configuration for website
*/ */
@@ -24,7 +25,8 @@ if (php_sapi_name() === 'cli-server') {
} }
// Simple helper function for including templates // Simple helper function for including templates
function include_template($name) { function include_template($name)
{
$path = APP_ROOT . '/templates/' . $name; $path = APP_ROOT . '/templates/' . $name;
if (file_exists($path)) { if (file_exists($path)) {
include $path; include $path;

10
nginx/README.md
View File

@@ -44,9 +44,13 @@ No additional SSL setup is needed on this server.
### File Access Protection ### File Access Protection
- Database files (`.db`) - **BLOCKED** - Database files (`.db`) - **BLOCKED**
- Sensitive files (`.md`, `.sql`, `.env`) - **BLOCKED** - Sensitive files (`.md`, `.sql`, `.env`) - **BLOCKED**
- Shared directory - **BLOCKED** - `/src` directory (PHP source) - **BLOCKED**
- Tests directory - **BLOCKED** - `/templates` directory (PHP templates) - **BLOCKED**
- Cache directory - **BLOCKED** - `/config` directory (configuration) - **BLOCKED**
- `/storage` directory (databases) - **BLOCKED**
- `/tests` directory - **BLOCKED**
- `/scripts` directory - **BLOCKED**
- `/docs` directory - **BLOCKED**
- Hidden files (`.git`, etc.) - **BLOCKED** - Hidden files (`.git`, etc.) - **BLOCKED**
### Rate Limiting ### Rate Limiting

8
nginx/deploy-production-new.sh
View File

@@ -35,10 +35,10 @@ echo "✓ Set directory permissions to 755"
find /var/www/posterg -type f -exec chmod 644 {} \; find /var/www/posterg -type f -exec chmod 644 {} \;
echo "✓ Set file permissions to 644" echo "✓ Set file permissions to 644"
# Make database directory writable by group # Make storage directory writable by group
if [ -d "/var/www/posterg/database" ]; then if [ -d "/var/www/posterg/storage" ]; then
chmod 775 /var/www/posterg/database chmod 775 /var/www/posterg/storage
echo "✓ Made database directory group-writable (775)" echo "✓ Made storage directory group-writable (775)"
fi fi
# Fix database file permissions # Fix database file permissions

4
nginx/deploy-production.sh
View File

@@ -176,5 +176,7 @@ echo ""
echo "🔒 Security Checks:" echo "🔒 Security Checks:"
echo " • Database blocked: curl -I http://localhost/storage/posterg.db" echo " • Database blocked: curl -I http://localhost/storage/posterg.db"
echo " • MD files blocked: curl -I http://localhost/README.md" echo " • MD files blocked: curl -I http://localhost/README.md"
echo " • Shared blocked: curl -I http://localhost/shared/Database.php" echo " • Source blocked: curl -I http://localhost/src/Database.php"
echo " • Templates blocked: curl -I http://localhost/templates/header.php"
echo " • Config blocked: curl -I http://localhost/config/bootstrap.php"
echo "" echo ""

99
nginx/posterg.conf
View File

@@ -1,6 +1,7 @@
# Nginx configuration for Post-ERG thesis website (Production) # Nginx configuration for Post-ERG thesis website (Production)
# Based on existing default config with security enhancements # Updated for new directory structure
# Place this in /etc/nginx/sites-available/posterg # Place this in /etc/nginx/sites-available/posterg
# Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
# Rate limiting zones # Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m; limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
@@ -14,6 +15,19 @@ server {
server_name posterg.erg.be www.posterg.erg.be; server_name posterg.erg.be www.posterg.erg.be;
# Document root points to /public (only web-accessible files)
# Project structure: /var/www/posterg/
# /config - Configuration (outside webroot)
# /docs - Documentation (outside webroot)
# /nginx - Server configs (outside webroot)
# /public - Web root ← THIS DIRECTORY
# /admin - Admin interface
# /assets - CSS, fonts, icons
# /scripts - Deployment scripts (outside webroot)
# /src - PHP source classes (outside webroot)
# /storage - SQLite databases (outside webroot)
# /templates - PHP templates (outside webroot)
# /tests - Test suites (outside webroot)
root /var/www/posterg/public; root /var/www/posterg/public;
# Add index.php to the list # Add index.php to the list
@@ -23,7 +37,7 @@ server {
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
# X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers. # X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers.
# CSP (Content-Security-Policy) is the correct mitigation (see item #11). # CSP (Content-Security-Policy) is the correct mitigation.
add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
@@ -45,51 +59,84 @@ server {
log_not_found off; log_not_found off;
} }
# Deny access to sensitive files # Deny access to sensitive files and extensions
location ~* \.(md|txt|sql|sh|json|gitignore)$ { location ~* \.(md|txt|sql|sh|json|gitignore|git|env|db-journal)$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to SQLite database files
location ~* \.db$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to log files
location ~* \.log$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to directories outside webroot (defense-in-depth)
# These paths shouldn't be accessible anyway since they're outside /public
# but we deny explicitly for additional security
location ^~ /storage/ {
deny all; deny all;
} }
# Deny access to database directory location ^~ /src/ {
location ^~ /database/ {
deny all; deny all;
} }
# Deny access to shared/ directory (PHP includes only) location ^~ /templates/ {
location ^~ /shared/ {
deny all; deny all;
} }
# Deny access to data directory location ^~ /config/ {
location ^~ /data/ { deny all;
}
location ^~ /tests/ {
deny all;
}
location ^~ /scripts/ {
deny all;
}
location ^~ /docs/ {
deny all; deny all;
} }
# Admin panel - password protected # Admin panel - password protected
location ^~ /admin/ { location ^~ /admin/ {
# HTTP Basic Authentication # HTTP Basic Authentication (first layer)
auth_basic "Admin Access - Post-ERG"; auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg; auth_basic_user_file /etc/nginx/.htpasswd-posterg;
# Rate limiting for admin # Rate limiting for admin
limit_req zone=admin burst=5 nodelay; limit_req zone=admin burst=5 nodelay;
# Content-Security-Policy — ported from public/admin/.htaccess which nginx ignores (item #6). # Content-Security-Policy - Tighter policy for admin
# Tighter policy for admin: no external sources, no object embedding.
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always; add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
# Disable directory listing (nginx default is off; explicit for defence-in-depth, item #6) # Disable directory listing
autoindex off; autoindex off;
# Allow access to public assets without authentication # PHP handling for admin (AdminAuth provides second layer)
location ~ ^/admin/(css|js|images)/ {
auth_basic off;
}
# PHP handling for admin
location ~ \.php$ { location ~ \.php$ {
include snippets/fastcgi-php.conf; include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock; fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
} }
# Additional security headers for admin # Additional security headers for admin
@@ -106,7 +153,7 @@ server {
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock; fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
} }
# PHP files handler # PHP files handler (public pages)
location ~ \.php$ { location ~ \.php$ {
# Rate limiting for general PHP requests # Rate limiting for general PHP requests
limit_req zone=general burst=20 nodelay; limit_req zone=general burst=20 nodelay;
@@ -141,15 +188,7 @@ server {
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
# Deny access to log files — public/admin/.htaccess had this rule but Apache # Deny access to .htaccess files
# .htaccess directives are silently ignored by nginx (item #6).
location ~* \.log$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to .htaccess files (if Apache's document root concurs with nginx's)
location ~ /\.ht { location ~ /\.ht {
deny all; deny all;
} }

288
nginx/posterg.conf.reference
View File

@@ -1,4 +1,5 @@
# Nginx configuration for Post-ERG thesis website # Nginx configuration for Post-ERG thesis website (Production)
# Updated for new directory structure
# Place this in /etc/nginx/sites-available/posterg # Place this in /etc/nginx/sites-available/posterg
# Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/ # Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
@@ -7,28 +8,41 @@ limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m; limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m; limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
# Server block - HTTP (redirect to HTTPS in production) # Main server block
server { server {
listen 80; listen 80 default_server;
listen [::]:80; listen [::]:80 default_server;
server_name posterg.erg.be www.posterg.erg.be; server_name posterg.erg.be www.posterg.erg.be;
# Redirect all HTTP to HTTPS (uncomment in production) # Document root points to /public (only web-accessible files)
# return 301 https://$server_name$request_uri; # Project structure: /var/www/posterg/
# /config - Configuration (outside webroot)
# For development/testing, allow HTTP # /docs - Documentation (outside webroot)
root /var/www/html; # /nginx - Server configs (outside webroot)
index index.php index.html; # /public - Web root ← THIS DIRECTORY
# /admin - Admin interface
# /assets - CSS, fonts, icons
# /scripts - Deployment scripts (outside webroot)
# /src - PHP source classes (outside webroot)
# /storage - SQLite databases (outside webroot)
# /templates - PHP templates (outside webroot)
# /tests - Test suites (outside webroot)
root /var/www/posterg/public;
# Add index.php to the list
index index.php index.html index.htm;
# Security headers # Security headers
add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always; # X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers.
# CSP (Content-Security-Policy) is the correct mitigation.
add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Disable server tokens # Server tokens already disabled in nginx.conf
server_tokens off; # server_tokens off;
# Max upload size (for thesis files) # Max upload size (for thesis files)
client_max_body_size 100M; client_max_body_size 100M;
@@ -38,84 +52,118 @@ server {
access_log /var/log/nginx/posterg_access.log; access_log /var/log/nginx/posterg_access.log;
error_log /var/log/nginx/posterg_error.log warn; error_log /var/log/nginx/posterg_error.log warn;
# Block common attack patterns # Block access to hidden files (except .well-known for Let's Encrypt)
location ~ /\. { location ~ /\.(?!well-known).* {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
location ~ \.(git|env|db-journal)$ { # Deny access to sensitive files and extensions
location ~* \.(md|txt|sql|sh|json|gitignore|git|env|db-journal)$ {
deny all; deny all;
access_log off; access_log off;
log_not_found off; log_not_found off;
} }
# Deny access to sensitive files # Deny access to SQLite database files
location ~* \.(md|txt|sql|sh|json)$ {
deny all;
}
# Deny access to database files
location ~* \.db$ { location ~* \.db$ {
deny all; deny all;
access_log off;
log_not_found off;
} }
# Deny access to shared/ directory (PHP includes only) # Deny access to log files
location /shared/ { location ~* \.log$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to directories outside webroot (defense-in-depth)
# These paths shouldn't be accessible anyway since they're outside /public
# but we deny explicitly for additional security
location ^~ /storage/ {
deny all; deny all;
} }
# Deny access to tests directory location ^~ /src/ {
location /tests/ {
deny all; deny all;
} }
# Deny access to cache directory location ^~ /templates/ {
location /cache/ { deny all;
}
location ^~ /config/ {
deny all;
}
location ^~ /tests/ {
deny all;
}
location ^~ /scripts/ {
deny all;
}
location ^~ /docs/ {
deny all; deny all;
} }
# Admin panel - password protected # Admin panel - password protected
location /formulaire/ { location ^~ /admin/ {
alias /var/www/html/formulaire/; # HTTP Basic Authentication (first layer)
# HTTP Basic Authentication
auth_basic "Admin Access - Post-ERG"; auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg; auth_basic_user_file /etc/nginx/.htpasswd-posterg;
# Rate limiting for admin # Rate limiting for admin
limit_req zone=admin burst=5 nodelay; limit_req zone=admin burst=5 nodelay;
# PHP handling # Content-Security-Policy - Tighter policy for admin
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
# Disable directory listing
autoindex off;
# PHP handling for admin (AdminAuth provides second layer)
location ~ \.php$ { location ~ \.php$ {
include snippets/fastcgi-php.conf; include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
} }
# Additional security for admin # Additional security headers for admin
add_header X-Robots-Tag "noindex, nofollow" always; add_header X-Robots-Tag "noindex, nofollow" always;
# Try to serve file, otherwise 404
try_files $uri $uri/ =404;
} }
# Search endpoint - rate limiting # Search endpoint - rate limiting
location /search.php { location = /search.php {
limit_req zone=search burst=10 nodelay; limit_req zone=search burst=10 nodelay;
include snippets/fastcgi-php.conf; include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
} }
# Public PHP files # PHP files handler (public pages)
location ~ \.php$ { location ~ \.php$ {
# Rate limiting for general PHP requests
limit_req zone=general burst=20 nodelay; limit_req zone=general burst=20 nodelay;
include snippets/fastcgi-php.conf; include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
# Security parameters # Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M"; fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
# Timeouts # Timeouts
fastcgi_read_timeout 120; fastcgi_read_timeout 120;
fastcgi_send_timeout 120; fastcgi_send_timeout 120;
@@ -128,156 +176,20 @@ server {
access_log off; access_log off;
} }
# Root location # PDF files (thesis documents)
location ~* \.pdf$ {
expires 7d;
add_header Cache-Control "public";
add_header Content-Disposition "inline";
}
# Root location - try files or 404
location / { location / {
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
# Deny access to specific file types in data directories # Deny access to .htaccess files
location ~* /data/.*\.(php|sh|py)$ { location ~ /\.ht {
deny all;
}
}
# Server block - HTTPS (production)
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name posterg.erg.be www.posterg.erg.be;
root /var/www/html;
index index.php index.html;
# SSL certificates (Let's Encrypt)
# Run: certbot --nginx -d posterg.erg.be -d www.posterg.erg.be
ssl_certificate /etc/letsencrypt/live/posterg.erg.be/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/posterg.erg.be/privkey.pem;
# SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
# Security headers (HTTPS)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Disable server tokens
server_tokens off;
# Max upload size
client_max_body_size 100M;
client_body_timeout 120s;
# Logging
access_log /var/log/nginx/posterg_ssl_access.log;
error_log /var/log/nginx/posterg_ssl_error.log warn;
# Block common attack patterns
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~ \.(git|env|db-journal)$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to sensitive files
location ~* \.(md|txt|sql|sh|json)$ {
deny all;
}
# Deny access to database files
location ~* \.db$ {
deny all;
}
# Deny access to shared/ directory
location /shared/ {
deny all;
}
# Deny access to tests directory
location /tests/ {
deny all;
}
# Deny access to cache directory
location /cache/ {
deny all;
}
# Admin panel - password protected
location /formulaire/ {
alias /var/www/html/formulaire/;
# HTTP Basic Authentication
auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg;
# Rate limiting
limit_req zone=admin burst=5 nodelay;
# PHP handling
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
# Security headers
add_header X-Robots-Tag "noindex, nofollow" always;
}
# Search endpoint - rate limiting
location /search.php {
limit_req zone=search burst=10 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# Public PHP files
location ~ \.php$ {
limit_req zone=general burst=20 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
}
# Static files caching
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
# Root location
location / {
try_files $uri $uri/ =404;
}
# Deny access to script files in data directories
location ~* /data/.*\.(php|sh|py)$ {
deny all; deny all;
} }
} }

283
nginx/posterg.conf.reference.old Normal file
View File

@@ -0,0 +1,283 @@
# Nginx configuration for Post-ERG thesis website
# Place this in /etc/nginx/sites-available/posterg
# Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
# Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
# Server block - HTTP (redirect to HTTPS in production)
server {
listen 80;
listen [::]:80;
server_name posterg.erg.be www.posterg.erg.be;
# Redirect all HTTP to HTTPS (uncomment in production)
# return 301 https://$server_name$request_uri;
# For development/testing, allow HTTP
root /var/www/html;
index index.php index.html;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Disable server tokens
server_tokens off;
# Max upload size (for thesis files)
client_max_body_size 100M;
client_body_timeout 120s;
# Logging
access_log /var/log/nginx/posterg_access.log;
error_log /var/log/nginx/posterg_error.log warn;
# Block common attack patterns
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~ \.(git|env|db-journal)$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to sensitive files
location ~* \.(md|txt|sql|sh|json)$ {
deny all;
}
# Deny access to database files
location ~* \.db$ {
deny all;
}
# Deny access to shared/ directory (PHP includes only)
location /shared/ {
deny all;
}
# Deny access to tests directory
location /tests/ {
deny all;
}
# Deny access to cache directory
location /cache/ {
deny all;
}
# Admin panel - password protected
location /formulaire/ {
alias /var/www/html/formulaire/;
# HTTP Basic Authentication
auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg;
# Rate limiting for admin
limit_req zone=admin burst=5 nodelay;
# PHP handling
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
# Additional security for admin
add_header X-Robots-Tag "noindex, nofollow" always;
}
# Search endpoint - rate limiting
location /search.php {
limit_req zone=search burst=10 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# Public PHP files
location ~ \.php$ {
limit_req zone=general burst=20 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
}
# Static files caching
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
# Root location
location / {
try_files $uri $uri/ =404;
}
# Deny access to specific file types in data directories
location ~* /data/.*\.(php|sh|py)$ {
deny all;
}
}
# Server block - HTTPS (production)
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name posterg.erg.be www.posterg.erg.be;
root /var/www/html;
index index.php index.html;
# SSL certificates (Let's Encrypt)
# Run: certbot --nginx -d posterg.erg.be -d www.posterg.erg.be
ssl_certificate /etc/letsencrypt/live/posterg.erg.be/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/posterg.erg.be/privkey.pem;
# SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
# Security headers (HTTPS)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Disable server tokens
server_tokens off;
# Max upload size
client_max_body_size 100M;
client_body_timeout 120s;
# Logging
access_log /var/log/nginx/posterg_ssl_access.log;
error_log /var/log/nginx/posterg_ssl_error.log warn;
# Block common attack patterns
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~ \.(git|env|db-journal)$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to sensitive files
location ~* \.(md|txt|sql|sh|json)$ {
deny all;
}
# Deny access to database files
location ~* \.db$ {
deny all;
}
# Deny access to shared/ directory
location /shared/ {
deny all;
}
# Deny access to tests directory
location /tests/ {
deny all;
}
# Deny access to cache directory
location /cache/ {
deny all;
}
# Admin panel - password protected
location /formulaire/ {
alias /var/www/html/formulaire/;
# HTTP Basic Authentication
auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg;
# Rate limiting
limit_req zone=admin burst=5 nodelay;
# PHP handling
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
# Security headers
add_header X-Robots-Tag "noindex, nofollow" always;
}
# Search endpoint - rate limiting
location /search.php {
limit_req zone=search burst=10 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# Public PHP files
location ~ \.php$ {
limit_req zone=general burst=20 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
}
# Static files caching
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
# Root location
location / {
try_files $uri $uri/ =404;
}
# Deny access to script files in data directories
location ~* /data/.*\.(php|sh|py)$ {
deny all;
}
}