How to isolate directories in nginx?
Good day and night.
Nowhere can I find such a feature as in Apache, where in one line a function is written that prohibits listing and adding files to a directory higher than the registered directory in virtual hosts. I tried to create different users in the system itself and assign directories to them, but listing and adding files via upload works above the assigned hosts in nginx.
Here is an example of one of the virtual hosts:
server {
    server_name ****.****net;
    root /var/www/shop;
    index index.php;
    # add_header Access-Control-Allow-Origin *;
    # serve static files directly
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    set_real_ip_from 192.168.0.102;
    real_ip_header X-Real-IP;
    location = /sitemap.xml {
        rewrite ^(.*)$ /index.php?route=feed/google_sitemap break;
    }
    location = /googlebase.xml {
        rewrite ^(.*)$ /index.php?route=feed/google_base break;
    }
    location / {
        # This try_files directive is used to enable SEO-friendly URLs for OpenCart
        try_files $uri $uri/ @opencart;
    }
    location @opencart {
        rewrite ^/(.+)$ /index.php?_route_=$1 last;
    }
    # Pass PHP scripts to PHP-FPM; answer 404 when the script file does not exist
    location ~* \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    # Deny access to .ht* files
    location ~ /\.ht {
        deny all;
    }
    # listen 443 ssl; # managed by Certbot
    # ssl_certificate /etc/letsencrypt/live/****.****.net/fullchain.pem; # managed by Certbot
    # ssl_certificate_key /etc/letsencrypt/live/****.****.net/privkey.pem; # managed by Certbot
    # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
server {
    listen 80;
    listen [::]:80;
    return 301 https://$server_name;
    server_name ****.****.net;
    root /var/www/shop;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    if ($host = ****.****.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 443;
    server_name ****;
    return 404; # managed by Certbot
}
I.e., you have root /var/www/shop, and files are uploaded via PHP to /var/www?
At a minimum, in this case, check the owner and permissions of the /var/www directory and which user the nginx and php-fpm processes run as (it should not be root).
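
The checks suggested in the answer above, written out as a shell script. This is an added example, not part of the original thread; the function names are illustrative, and it assumes GNU stat, procps ps, and a pool user passed on the command line (www-data in the usage comment is an assumption).

```shell
#!/bin/sh
# Added example; function names are illustrative. Assumes GNU stat and procps ps.

# Constructed sample of `ps -eo user=,args=` output (not from the thread).
SAMPLE_PS='root     nginx: master process /usr/sbin/nginx
www-data nginx: worker process
root     php-fpm: master process (/etc/php/7.4/fpm/php-fpm.conf)
root     php-fpm: pool www'

# Read "USER ARGS" lines on stdin and print request-handling workers that run
# as root. The nginx and php-fpm masters normally run as root; workers must not.
root_workers() {
    awk '$1 == "root" && /nginx: worker process|php-fpm: pool / { print }'
}

# Print each ancestor of an absolute docroot path that is world-writable, or
# that the given user owns with write permission: places an upload script
# running as that user could write to outside the docroot.
loose_ancestors() {
    dir=$(dirname "$1"); user=$2
    while :; do
        owner=$(stat -c %U "$dir"); perm=$(stat -c %A "$dir")
        case $perm in ????????w?) echo "$dir world-writable" ;; esac
        if [ "$owner" = "$user" ]; then
            case $perm in ??w*) echo "$dir owner-writable by $user" ;; esac
        fi
        [ "$dir" = / ] || [ "$dir" = . ] && break
        dir=$(dirname "$dir")
    done
}

# Usage: sh audit.sh /var/www/shop www-data   (www-data is an assumed pool user)
if [ "$#" -eq 2 ]; then
    ps -eo user=,args= | root_workers
    loose_ancestors "$1" "$2"
fi
```

The ancestor check looks only at the owner and world-write bits; write access granted through group membership or ACLs is not covered and has to be reviewed separately.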