Nginx disallowing access to a folder

I have set up a folder within a website's root folder that I do not want to be accessible via browser (or any other means than PHP). This folder is used to store sensitive documents that users upload and that are only downloadable by authenticated users via PHP. I've been doing this on IIS for nearly a decade, but being less familiar with Linux, I would appreciate a second pair of eyes.

On the new server I'm using Nginx and the config came with the following:

location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
{
    return 404;
}

I've added to the end of this:

..README.md|\foldername

Via browser the folder throws a 404 error and if I directly access a dummy file that I know is in the directory, I also get a 404.

As above, with not being as familiar with Linux and Nginx this is more of a double check. Have I denied access to the folder correctly and is that a secure way of doing so?

Ideally, the only access I want to that folder is PHP uploading a file or PHP downloading a file and for there to be no other way anyone could access the contents of the directory.

Thank you in advance for any advice.

Comments:
2023-01-21 00:05:05
See how Nginx chooses a location, so it's impossible to audit the security of your location without seeing it within context of the entire server block. Personally, I would move the folder outside the document root, then you don't need an Nginx rule at all.
2023-01-21 00:05:05
Thank you for your reply Richard. I've followed your suggestion and set up open_basedir to allow the specific folder outside of the document root.
Answers(0) :
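The location-selection point raised in the first comment, as an added example that is not part of the original thread: it shows why the regex rule cannot be judged on its own, next to a prefix rule that does not depend on file order. The server name, root path, PHP-FPM socket and the presence of a `\.php$` block are assumptions; `foldername` is the placeholder used in the question.

```nginx
server {
    listen 80;
    server_name example.test;            # constructed placeholder
    root /var/www/example/public;        # constructed placeholder path

    # Assumed to exist earlier in the file, as in many PHP site configs.
    # Regex locations are tested in the order they appear and the first
    # match wins, so a request for /foldername/anything.php is handled
    # here and never reaches the deny rule further down.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # The rule from the question with the folder appended.
    # Order-dependent: it only applies when no earlier regex matched.
    # It is also unanchored after the name, so it matches any URI that
    # merely begins with /foldername (for example /foldername-public/).
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md|foldername) {
        return 404;
    }

    # Order-independent alternative: a prefix location with the ^~
    # modifier. When this is the longest matching prefix, nginx skips
    # regex locations entirely, so the \.php$ block above cannot take
    # over requests under /foldername/.
    location ^~ /foldername/ {
        return 404;
    }
}
```

With the folder moved outside the document root, as the comment recommends, none of these rules are needed for it, because no URI maps to that path.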