Non-critical web server security observations & suggestions (Nginx)
Two Nginx-specific suggestions I have for others, based on the forum launch I'm working on right now:
1) Categories can be accessed directly by ID in addition to name. Not a vulnerability or anything, since categories to which a viewer doesn't have access return a log-in page for guests or a blue "Permission Problem" page for logged-in users, but it still gives nosy folks insight into your forum's structure and can show the presence of hidden forums.
Workaround - deny access to URLs which contain /categories/ followed by a number. For Nginx, this is done with a simple location directive:
location ~* /categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$ {
    return 404;
}
2) The /conf directory is by default located inside the webroot, and config.php contains your MySQL account name and password. I don't believe the default .htaccess file locks down /conf, and in any case, Nginx doesn't use .htaccess files.
Workaround - deny access to /conf by declaring it internal, which still lets the web server access it but prevents files from being served from that location:
location ^~ /conf/ {
    internal;
}
I'll eventually blog my configuration in detail, but wanted to share these two with the community before it slipped my mind!
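An offline check of the two location blocks above, added here as an example (my code, not from the original post, Vanilla or Nginx): a small Python emulation of how Nginx chooses a location for a request, run over constructed URIs. It assumes a PHP handler location `~ \.php$` exists elsewhere in the server block (the post does not show one) and models only prefix, `^~` and regex locations, not `=` exact matches. It shows why the `^~` modifier matters for /conf/ (without it the PHP regex would win) and that IDs of four or more digits, or an ID followed by a sub-path such as a constructed `/categories/12/p2`, slip past the posted regex; `/categories/[0-9]+$` is offered as a hypothetical alternative.

```python
"""Emulation of nginx location selection for the two workarounds in the post.
Constructed sample URIs only; nginx itself is not run."""
import re

# Regex exactly as posted. nginx regex locations are PCRE, unanchored at the
# start unless the pattern begins with '^'; '~*' makes them case-insensitive.
CATEGORY_ID_RE = re.compile(
    r"/categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$", re.IGNORECASE)
# Hypothetical alternative (not from the post) that also catches long IDs.
CATEGORY_ID_RE_ANY = re.compile(r"/categories/[0-9]+$", re.IGNORECASE)
# Assumed PHP handler location; a typical server block has one.
PHP_RE = re.compile(r"\.php$")

# Entries are (modifier, pattern, action). Regex entries are tried in
# file order, as nginx does.
CONFIG = [
    ("^~", "/conf/", "internal"),
    ("~*", CATEGORY_ID_RE, "return 404"),
    ("~", PHP_RE, "fastcgi"),
    ("", "/", "serve"),
]
# Same block without the ^~ modifier, to show why it is needed.
CONFIG_NO_CARET = [("", "/conf/", "internal")] + CONFIG[1:]


def choose_location(uri, config=CONFIG):
    """Simplified nginx algorithm: the longest matching prefix is remembered;
    if it carries '^~' regex locations are skipped; otherwise the first
    matching regex wins; failing that, the longest prefix is used.
    The query string is never part of location matching."""
    path = uri.split("?", 1)[0]
    best = None
    for mod, pat, action in config:
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    if best is not None and best[0] == "^~":
        return best[2]
    for mod, pat, action in config:
        if mod.startswith("~") and pat.search(path):
            return action
    return best[2] if best else None


def respond(uri, config=CONFIG):
    """HTTP status an external client sees. 'internal' locations answer 404
    to external requests (nginx semantics); 'return 404' is literal; anything
    else is treated as served."""
    action = choose_location(uri, config)
    if action in ("internal", "return 404"):
        return 404
    return 200


if __name__ == "__main__":
    for uri in ("/conf/config.php", "/categories/12", "/categories/1234",
                "/categories/12/p2", "/categories/general", "/categories/12?page=2"):
        print(f"{uri:32} -> {choose_location(uri):12} {respond(uri)}")
    print("without ^~, /conf/config.php ->",
          choose_location("/conf/config.php", CONFIG_NO_CARET))
```

With the `^~` prefix, `/conf/config.php` never reaches the PHP handler and the client gets a 404; drop the modifier and the `\.php$` regex wins instead. The posted regex blocks one- to three-digit IDs at the end of the path only, so a forum with more than 999 categories, or paginated category URLs, would need the broader pattern.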
Answers
config.php, as most files do, has
if (!defined('APPLICATION')) exit();
but there's no harm in making sure.
Make sure to set the default 404 to /dashboard/home/filenotfound for consistency's sake.
grep is your friend.
Ah, see, I'm php-stupid, so I wasn't sure that's what that line did. Thanks for explaining!
But, still, definitely a good idea to make sure. And, yep, error page consistency is one of those things that makes you look like you are a good site admin and know what you're doing!!
error_page 404 /dashboard/home/filenotfound;
error_page 403 =404 /dashboard/home/filenotfound;
(Yeah, serving a "not found" in place of a "forbidden" kind of violates RFC 2616, but I prefer obscurity over holding up a flag that says "Something interesting is here but you can't see it!!")