我发现我的网站有这个问题,但我无法修复它。我尝试了几种方法,比如检查 Nginx 别名指令的父前缀位置是否以目录分隔符结尾,但到目前为止还没有成功。Merge_slashes on - 是默认设置。我读过关于 AppArmour 或 SELinux 的文章。这是可行的方法吗?我有 Ubuntu 18。换句话说,我可以下载这个文件http://example.com///etc/passwd我想避免这种情况。任何帮助都非常感谢。这是我的配置:
server {
listen 80;
server_name
.example.com;
return 301 https://example.com$request_uri;
}
server {
server_name
www.example.com;
listen 443 ssl http2;
ssl_prefer_server_ciphers On;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers '......
ssl_certificate /...crt;
ssl_certificate_key /..key;
return 301 https://example.com$request_uri;
}
server {
server_name
example.com;
listen 443 ssl http2;
ssl_prefer_server_ciphers On;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers '...
ssl_certificate /...crt;
ssl_certificate_key /.....key;
add_header x-frame-options "SAMEORIGIN" always;
add_header x-xss-protection "1; mode=block" always;
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; $
root /var/www/www.example.com;
index index.php;
client_max_body_size 10M;
access_log /var/log/nginx/example.com.log;
error_log /var/log/nginx/example.com.error.log error;
location / {
try_files $uri $uri/ /index.php;
}
location /shopping/ {
index index.php index.html index.htm;
rewrite ^/shop/wp-json/(.*?)$ /shopping/index.php?rest_route=/$1 last;
try_files $uri $uri/ /shop/index.php?q=$uri&$args;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 24h;
log_not_found off;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
location ~\.(log|save|htaccess|json|csv|txt|xls)$ {
deny all;
error_page 403 =404 / ;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
答案1
nginx 配置没有问题。一些开发人员以神秘的方式创建了一份副本/ect/passw
, /var/www/www.example.com/etc/passwd
这就是为什么我可以浏览/下载它,以及为什么我的 PCI 扫描仪失败。很抱歉占用了您的时间!