nginx 配置的目录遍历修复

tag-icon tag-icon nginx security web-server
nginx 配置的目录遍历修复

我发现我的网站有这个问题,但我无法修复它。我尝试了几种方法,比如检查 Nginx 别名指令的父前缀位置是否以目录分隔符结尾,但到目前为止还没有成功。Merge_slashes on - 是默认设置。我读过关于 AppArmour 或 SELinux 的文章。这是可行的方法吗?我有 Ubuntu 18。换句话说,我可以下载这个文件http://example.com///etc/passwd我想避免这种情况。任何帮助都非常感谢。这是我的配置:

         server {
  listen 80;
  server_name
    .example.com;

 return 301 https://example.com$request_uri;
}

server {

server_name
  www.example.com;
    listen 443 ssl http2;
    ssl_prefer_server_ciphers On;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers '......
    ssl_certificate          /...crt;
    ssl_certificate_key      /..key;

    return 301 https://example.com$request_uri;
}
server {

server_name
  example.com;
    listen 443 ssl http2;
    ssl_prefer_server_ciphers On;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers '...
    ssl_certificate          /...crt;
    ssl_certificate_key      /.....key;

    add_header x-frame-options "SAMEORIGIN" always;
    add_header x-xss-protection "1; mode=block" always;
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; $

    root /var/www/www.example.com;
    index index.php;

  client_max_body_size 10M;
  access_log /var/log/nginx/example.com.log;
  error_log /var/log/nginx/example.com.error.log error;

location / {
    try_files $uri $uri/ /index.php;
}

location /shopping/ {
        index index.php index.html index.htm;
        rewrite ^/shop/wp-json/(.*?)$ /shopping/index.php?rest_route=/$1 last;
        try_files $uri $uri/ /shop/index.php?q=$uri&$args;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 24h;
        log_not_found off;
}

    location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;

 }
location ~\.(log|save|htaccess|json|csv|txt|xls)$ {
     deny all;
     error_page 403 =404 / ;
 }
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
}

答案1

nginx 配置没有问题。一些开发人员以神秘的方式创建了一份副本/ect/passw/var/www/www.example.com/etc/passwd这就是为什么我可以浏览/下载它,以及为什么我的 PCI 扫描仪失败。很抱歉占用了您的时间!

相关内容