Get Simple on NGINX Security
#1
Hi,

I'm new here, but I've been using GetSimple for a year. Migrating from Apache to NGINX would be a nice idea, but it seems GetSimple is not really secure on an NGINX server. GetSimple relies on .htaccess to protect a folder, but .htaccess is not NGINX friendly and will not work.

The folder "/data/users/admin.xml", which holds the top secret of your website, will be accessible to other users.

I hope there will be a solution to this problem and that you will take it seriously so that others will benefit from this open-source project.
#2
Nginx has its own rewrite rules.
You can try to block the directory by adding this to the nginx.conf file:
Code:
location /data/users/ {
  deny all;
}

There are also methods to do link rewrites; instead of Apache's rewrite, nginx uses the try_files directive.

I can't guarantee this will work. I've never touched nginx.
Somebody posted some rewrite rules for nginx a long time ago.
Maybe they will still work.
Addons: blue business theme, Online Visitors, Notepad
#3
tested0002 Wrote:[I]t seems GetSimple is not really secure on nginx server. GetSimple relies on .htaccess to protect a folder. But .htaccess is not nginx friendly and it will not work.
Let me first say that it isn’t that GetSimple is insecure on nginx server software, it was just never made for it or tested to run on it. There is a difference there. It is like saying a program is a virus because it can mess up your Windows computer, even when the program was made to be run on Mac computers only.

With that out of the way, different users have been trying to get it to work on nginx. marrco has even published his configuration file which includes URL rewrites, and caching. It also includes XML access blocking:
Code:
location ~* \.xml$           { deny all; }
“Don’t forget the important ˚ (not °) on the a,” says the Unicode lover.
Help us test a key change for the core! ¶ Problems with GetSimple? Be sure to enable debug mode!
#4
Thank you for all your replies, guys.

This code

Code:
location /data/users/ {
  deny all;
}

does its job perfectly.
#5
tested0002 Wrote:
Code:
location /data/users/ {
  deny all;
}

does its job perfectly.
Do note that this will only protect your user files. All other XML data will still be available.
#6
@tested0002 sample config updated to:

Code:
# this blocks direct access to XML files (but sitemap.xml) - they hold all the data
location ~* \.xml$      { deny all; }
location = /sitemap.xml { allow all; }

Since the original Apache .htaccess denies all XML files, I think it's better to stick with that rule.
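To see why the two snippets in this thread differ in coverage (post #2's directory block versus post #6's deny-all-XML plus sitemap exception, and the caveat in post #5 that the first one leaves other XML files readable), here is an added Python model of nginx's documented location selection order. It is not code from GetSimple, nginx or anyone in this thread; the request paths other than /data/users/admin.xml and /sitemap.xml are constructed for illustration, and the model ignores URI normalisation, server-level root handling and every directive other than deny/allow.

```python
import re

# Added model of nginx's "location" selection order (not nginx code).
# A location is (modifier, pattern, directives); the modifier is one of
# "=", "^~", "", "~", "~*", exactly as it would appear in nginx.conf.

# Snippet from post #2 of the thread: block the users directory only.
USERS_DIR_ONLY = [
    ("", "/data/users/", ["deny all"]),
]

# Snippet from post #6 of the thread: deny every XML file, then re-allow sitemap.xml.
ALL_XML_DENIED = [
    ("~*", r"\.xml$", ["deny all"]),
    ("=", "/sitemap.xml", ["allow all"]),
]


def select_location(locations, uri):
    """Return the location block nginx would pick for uri, or None.

    Documented nginx order: an exact "=" match wins outright; otherwise the
    longest prefix match is remembered and wins immediately if it carries "^~";
    otherwise regex locations are tried in file order and the first match wins;
    if no regex matches, the remembered prefix location (if any) is used.
    """
    for loc in locations:
        if loc[0] == "=" and uri == loc[1]:
            return loc

    best_prefix = None
    for loc in locations:
        if loc[0] in ("", "^~") and uri.startswith(loc[1]):
            if best_prefix is None or len(loc[1]) > len(best_prefix[1]):
                best_prefix = loc
    if best_prefix is not None and best_prefix[0] == "^~":
        return best_prefix

    for loc in locations:
        if loc[0] == "~" and re.search(loc[1], uri):
            return loc
        if loc[0] == "~*" and re.search(loc[1], uri, re.IGNORECASE):
            return loc

    return best_prefix


def status_for(locations, uri):
    """403 when the selected block contains 'deny all', otherwise 200 (file served)."""
    loc = select_location(locations, uri)
    if loc is not None and "deny all" in loc[2]:
        return 403
    return 200


# Constructed request paths: the first and fourth are named in the thread, the
# others are made up here to show the difference in coverage (and ~* case-insensitivity).
SAMPLE_URIS = [
    "/data/users/admin.xml",
    "/data/pages/index.xml",
    "/data/pages/About.XML",
    "/sitemap.xml",
    "/index.php",
]


def compare(uris=SAMPLE_URIS):
    """Map each URI to (status under post #2 config, status under post #6 config)."""
    return {u: (status_for(USERS_DIR_ONLY, u), status_for(ALL_XML_DENIED, u)) for u in uris}


if __name__ == "__main__":
    for uri, (users_only, all_xml) in compare().items():
        print(f"{uri:26} users-dir-only={users_only}  all-xml={all_xml}")
```

Running it shows that the directory block returns 403 only for /data/users/admin.xml while the other XML files stay at 200, whereas the regex rule returns 403 for every .xml/.XML path and /sitemap.xml is still served because the exact `=` match is chosen before any regex is tried. The model is a reasoning aid only; after changing the real configuration, confirm the behaviour against the running server with the same set of paths.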