Thursday, February 01, 2024

Re: www/nextcloud: possible improvements to provided httpd.conf example

On Thu, 01 Feb 2024 at 13:57:35 +0100, Clemens Gößnitzer wrote:
> I value the amazing work you are doing to keep www/nextcloud in a
> really good shape. Thank you for that!
>
> I have three suggestions to possibly improve the provided httpd.conf
> example:
>
> 1.) block more locations
> 2.) use block return 403 together with errdocs redirect
> 3.) only allow needed .php files
>
> 1.)
> According to
> https://github.com/nextcloud/server/blob/master/.htaccess#L91, 3rdparty
> and lib should be blocked as well. The example already does that for
> config and data.
>
> 2.)
> Instead of doing "block drop", one could alternatively use "block
> return 403". With an error document similar to the provided index.html
> from nextcloud, a simple redirect to index.php could be provided, too,
> when returning 403. This could also be done for the global server
> configuration. Thus, the user would always get redirected to index.php
> if he requests an invalid URL.
>
> 3.)
> It seems like index.php, remote.php and status.php (potentially
> cron.php for web-based cron) are the only php files which need to be
> parsed by php-fpm socket via fcgi. Thus, instead of matching all php
> files in the path (with "*.php*"), one could restrict php fcgi
> functionality to just these three (four) files.
>
> Change 3.) would even make change 1.) unnecessary, since then there is
> no danger of fetching random php files with the glob, and these block
> drops could be replaced by a block drop/return 403 in the global server
> configuration.
>
> If you like these ideas, I will provide a patch.
>
> Thanks.
>

Hi, putting a super tweaked httpd.conf in the port has been discussed many
times, but the idea of the example is just that, an example. If you think your
version could be better or more secure and you have tested it, please send a
diff and I will try it.

Thanks!

--

%gonzalo
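For reference, here is one way the three suggestions quoted above could be expressed in OpenBSD httpd.conf(5) syntax. This is an added illustration, not the www/nextcloud port's own httpd.conf example and not a patch that was submitted; it assumes Nextcloud installed under /var/www/nextcloud, php-fpm listening on /var/www/run/php-fpm.sock, a custom error document directory /var/www/errdocs, and placeholder hostname and certificate paths. The list of PHP entry points is taken from the post; whether it is complete for a given Nextcloud version should be checked against that version's .htaccess and the httpd access log before relying on it.

```conf
# Added example, not the port's httpd.conf: suggestions 1.) to 3.) from the post.
# Assumed paths (all relative to the /var/www chroot): root /nextcloud,
# php-fpm socket /run/php-fpm.sock, error documents in /errdocs.
# Hostname and certificate paths are placeholders.

server "nextcloud.example.com" {
	listen on * tls port 443
	tls {
		certificate "/etc/ssl/nextcloud.example.com.fullchain.pem"
		key "/etc/ssl/private/nextcloud.example.com.key"
	}
	root "/nextcloud"
	directory index index.php

	# 2.) serve /errdocs/403.html (and friends) instead of silently dropping
	# the connection. A 403.html that refreshes to /index.php gives the
	# "always land on index.php" behaviour described in the post.
	errdocs "/errdocs"

	# Redirects expected by CalDAV/CardDAV clients.
	location "/.well-known/carddav" { block return 301 "/remote.php/dav" }
	location "/.well-known/caldav"  { block return 301 "/remote.php/dav" }

	# 1.) directories that must never be served directly, mirroring the
	# upstream .htaccess: config and data (already in the port example)
	# plus 3rdparty and lib. httpd uses the first matching location, so
	# these come before the PHP entry points below.
	location "/config/*"   { block return 403 }
	location "/data/*"     { block return 403 }
	location "/3rdparty/*" { block return 403 }
	location "/lib/*"      { block return 403 }

	# 3.) hand only the known entry points to php-fpm. The trailing "*"
	# keeps PATH_INFO style URLs such as /index.php/apps/files working.
	# Extend this list if the installed version needs other entry points.
	location "/index.php*"  { fastcgi socket "/run/php-fpm.sock" }
	location "/remote.php*" { fastcgi socket "/run/php-fpm.sock" }
	location "/status.php*" { fastcgi socket "/run/php-fpm.sock" }
	location "/cron.php*"   { fastcgi socket "/run/php-fpm.sock" }

	# Any other .php file is refused rather than executed or served as text.
	location "*.php*" { block return 403 }
}
```

Keeping the directory blocks from 1.) even with the restricted fcgi list from 3.) costs nothing and is defence in depth: the directory rules also cover non-PHP files under config/ and data/, which the `*.php*` catch-all would not touch. `block return 403` differs from `block drop` in that the client gets an answer and the request shows up in the access log with a status code, which is easier to monitor; `block drop` simply closes the connection.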
