Resolved Security risk with nginx in Plesk

Azurel

Silver Pleskian
Why security risk? You can't protect static files with nginx!

I have edited the title. The old title was: It's impossible to use location with file types in "Additional nginx directives"

Plesk Onyx Version 17.0.17 Update #29

In Plesk, "nginx.conf" contains this code for every domain:
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

server {
location / {
}

location @fallback {
}

# NOTICE: it should be ~* not only ~ (this is an issue in Plesk too! ~* means case-insensitive regular expression match)
location ~ ^/(.*\.(ac3|avi|bmp|bz2|css|cue|dat|doc|docx|dts|eot|exe|flv|gif|gz|htm|html|ico|img|iso|jpeg|jpg|js|mkv|mp3|mp4|mpeg|mpg|ogg|pdf|png|ppt|pptx|qt|rar|rm|svg|swf|tar|tgz|ttf|txt|wav|woff|woff2|xls|xlsx|zip))$ {
try_files $uri @fallback;
}

include "/var/www/vhosts/system/cdn.example.com/conf/vhost_nginx.conf";
}

When I use something like this in "last_nginx.conf"
location ~* /myfolder1/(a|b|c)/ {
deny all;
return 403;
}
and the request is a path to a "jpg" file, this code is ignored.


The main issue here is that Plesk blocks all the important directives (deny, expires, add_header and so on) for static file types. I think an extra directive for static file types is necessary here, included as a nested include in the location, like

location ~* ^/(.*\.(ac3|avi|bmp|bz2|css|cue|dat|doc|docx|dts|eot|exe|flv|gif|gz|htm|html|ico|img|iso|jpeg|jpg|js|mkv|mp3|mp4|mpeg|mpg|ogg|pdf|png|ppt|pptx|qt|rar|rm|svg|swf|tar|tgz|ttf|txt|wav|woff|woff2|xls|xlsx|zip))$ {
try_files $uri @fallback;

include "/var/www/vhosts/system/cdn.example.com/conf/vhost_nginx_filetypes.conf";
}

So I can set a custom location directive for these static file types for every domain.


Is it possible with a workaround? I need this urgently.
 
Last edited:
Please read the description of "Open topics"
Discuss random topics and interests unrelated to Plesk products

This is an issue related to Onyx, not a simple question about how to set a location in nginx. So I don't understand why this is marked as solved.
 
So it's impossible with nginx in Plesk (Onyx) to set a location for static files? Is there a short tutorial/example of how I can modify "nginx.conf" permanently, so I can include my custom nested "include" line?
 
Thanks, but that doesn't help me much. When I change the template, I must create the conf file needed for the include for every subscription, and I think there is a problem when creating a new subscription while the conf file is missing. Is there a way to have Plesk create this needed conf file automatically?

I vote that Plesk makes these changes in nginx.conf. No changes in the GUI are needed; a blank conf file that is nested-included for static files would help so much. Currently you can't do anything with static files served by nginx in Plesk. That's a major issue for nginx users.
 
Last edited:
I have updated the title, because I think this is a security risk too and needs to be fixed ASAP.

It's impossible to protect static files with Plesk and nginx. So anybody has free access to static files in protected folders. I think most users have no idea that the protection fails.
 
I think you just need to remove any static file types you want protected from the list of files in the "Serve static files directly by nginx" field, then make another location in the "Additional nginx directives" field like this:

location ~* ^/(.*\.(filetypes|you|want|protected))$ {
deny all;
}

If there are common file types listed in both locations, nginx will only pick one location to accept config settings from, so it is ignoring your previous attempts at blocking the files.
 
Thanks, but I think that is wrong. When you remove the file types in "Serve static files directly by nginx", they are served by Apache and not by nginx anymore. In my case, the files are private images and documents. If I remove them in "Serve static files directly by nginx", there is no point in using nginx anymore.
 
Thanks, but I think that is wrong. When you remove the file types in "Serve static files directly by nginx", they are served by Apache and not by nginx anymore. In my case, the files are private images and documents. If I remove them in "Serve static files directly by nginx", there is no point in using nginx anymore.

You are only removing the file types from the location block that is created using "Serve static files directly by nginx" to be re-added to the second location block you would create manually using my code in the "Additional nginx directives" above where nginx will indeed handle them. You can block access to any file using nothing but nginx, and Apache won't even see the request. If this were not so, then using nginx alone, without Apache, would render a person unable to restrict access to files or folders.

Apache will only handle files that nginx settings don't. When nginx denies a request, it never even gets to Apache.

Trust me -- I'm using this exact method to restrict access to WordPress's wp-login.php files so only certain IP addresses can even hit it.
 
I'm not sure I understand it fully, and your example is not what I want. It should not block file types generally; it should block access to specific folders. :)
You mean remove images (as an example) from "Serve static files directly by nginx". So nginx.conf will remove them from the location for @fallback, and then I add a new block like this in "Additional nginx directives"?


Code:
location ~* ^/(.*\.(jpeg|jpg|png))$ {
    try_files $uri @fallback;

    location ~* /no_access_folder/ {
        deny all;
        return 403;
    }
}

This should serve images (jpg and png) and still block access. Interesting, I never thought of this possibility. I will try it.

EDIT: That fixed this issue. Plesk should give a "hint" about this approach. :)
 
Last edited:
That's not working. I described that problem in the start post. The location in nginx.conf catches this request first, and the location after it has no chance.
 
OK, I found your solution. It is pretty specific, though... mine wasn't working because of the "or" modifiers in the code. Here is what should work:

Put this code into the "Additional nginx directives" field, substituting your directory:

location ^~ /protected/directoryname {
deny all;
return 403;
}


Even if you try to add multiple directories by using this, it will not work:

location ^~ /(protected|doesntwork) {
deny all;
return 403;
}


(Updated -- no need to remove any filetypes from the static file types handled list)
 
Last edited:
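To make the location precedence this thread keeps running into concrete, here is an added Python model of nginx's location selection; it is not code from the thread, from Plesk or from nginx. It replays the Plesk-generated blocks quoted in the first post (the plain `location /` and the `~` static-file regex, in file order) followed by the user attempts from the thread: the `~*` regex deny from the first post, the `^~ /protected/directoryname` block that worked in the last post, and the `^~ /(protected|doesntwork)` alternation that did not. The label strings, the `which()` helper and the sample URIs are constructed for this demo; the matching rules follow nginx's documented algorithm (an exact `=` match wins, then the longest prefix match with `^~` short-circuiting, then regex locations in the order they appear, then the longest plain prefix). Named locations such as `@fallback` and nested locations are not modelled.

```python
import re
from dataclasses import dataclass

# Extension list copied from the Plesk-generated "nginx.conf" quoted in the first post.
STATIC_RE = (r"^/(.*\.(ac3|avi|bmp|bz2|css|cue|dat|doc|docx|dts|eot|exe|flv|gif|gz"
             r"|htm|html|ico|img|iso|jpeg|jpg|js|mkv|mp3|mp4|mpeg|mpg|ogg|pdf|png"
             r"|ppt|pptx|qt|rar|rm|svg|swf|tar|tgz|ttf|txt|wav|woff|woff2|xls|xlsx|zip))$")


@dataclass
class Location:
    modifier: str   # "" (plain prefix), "=", "^~", "~" (case-sensitive regex) or "~*"
    pattern: str
    label: str      # constructed label naming which block this is


# What Plesk generates before the user's include, in file order.
GENERATED = [
    Location("", "/", "generated: location /"),           # proxied on to Apache
    Location("~", STATIC_RE, "generated: static files"),  # served directly by nginx
]

# The user attempts from the thread, each living in the included vhost_nginx.conf.
USER_REGEX_DENY = Location("~*", r"/myfolder1/(a|b|c)/", "user: ~* regex deny")
USER_PREFIX_DENY = Location("^~", "/protected/directoryname", "user: ^~ prefix deny")
USER_ALTERNATION = Location("^~", "/(protected|doesntwork)", "user: ^~ alternation")


def select_location(locations, uri):
    """Return the label of the block nginx would use for `uri`.

    Mirrors the documented nginx algorithm: an exact '=' match wins outright;
    otherwise the longest matching prefix is remembered and, if it carries
    '^~', regexes are skipped entirely; otherwise regex locations are tested
    in the order they appear and the first hit wins; failing that, the
    remembered prefix is used.
    """
    best_prefix = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc.label
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix.label
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            # nginx regex locations match anywhere in the URI unless anchored with ^ / $.
            if re.search(loc.pattern, uri, flags):
                return loc.label
    return best_prefix.label if best_prefix is not None else None


def which(uri, user_blocks=()):
    """Resolve `uri` against the generated blocks followed by the user's include."""
    return select_location(GENERATED + list(user_blocks), uri)


if __name__ == "__main__":
    cases = [
        ("/myfolder1/a/photo.jpg", [USER_REGEX_DENY]),               # first post: deny is ignored
        ("/protected/directoryname/photo.jpg", [USER_PREFIX_DENY]),  # last post: ^~ wins
        ("/public/photo.jpg", [USER_PREFIX_DENY]),                   # other files stay static
        ("/protected/photo.jpg", [USER_ALTERNATION]),                # literal prefix never matches
        ("/photo.JPG", []),                                          # '~' is case-sensitive
    ]
    for uri, blocks in cases:
        print(f"{uri:40} -> {which(uri, blocks)}")
```

Two things the replay makes visible for anyone auditing a Plesk vhost: a `^~` block is a literal prefix, so every protected directory needs its own `^~` block rather than a regex-style alternation, and the generated `~` regex is case-sensitive, so a request for `/photo.JPG` falls through to `location /` and is served by Apache, whose own rules then apply; that is the `~` versus `~*` gap the first post points out.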