Deny running scripts in nginx for specific url

Question

I have a media folder on URL example.com/media/ and I want to deny users running scripts in my server. My server app is nginx and in How to deny script execution inside writable directories I couldn't find anything special about specific URL. This is my nginx server config:

# sites-avalaible/default
server {
        listen  80;
        listen  443 ssl;
        server_name     www.example.com example.com;
        ssl_certificate /var/www/example/ssl/ssl.crt;
        ssl_certificate_key     /var/www/example/ssl/ssl.key;
        location /static  {
                alias   /var/www/example/static;
                expires 7d;
                add_header Pragma public;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";

        }
        location /media  {
                alias  /var/www/example/media;
                # limit download speed after 5mb download
                limit_rate_after 5m;
                limit_rate 120k;
                limit_req zone=lh burst=5 nodelay;
        }
        location / {
                proxy_pass      http://127.0.0.1:8000;
        }
}

I want to deny running any executable stuff in my media URL in which users can upload their files to server. How can I do that? For example when user navigates to example.com/media/bomb.py nginx return 404 error page. I've also changed media folder executing permissions but I need to do it for nginx in order to stop viewing script files.

Your current configuration already do not allow script execution in media directory. You don't need to do anything — Alexey Ten, Mar 09 '14 at 14:33

Harikrishnan · Answer 1 · 2016-02-03T03:32:18.297

3

This will disable all php and py script execution inside media directory. Like this you can disable any other script.

 location /media/ { 
    location ~ .*\.(php)?$ 
    { 
      deny all; 
    } 
    location ~ .*\.(py)?$ 
    { 
      deny all; 
    }
 }

edited Feb 03 '16 at 03:32

answered Mar 09 '14 at 12:32

Harikrishnan

9,688
11
84
127

1

Good example of wrapping a regex location with a prefix location. This will allow the config to scale without blocking other regex locations. – Cole Tierney Jul 29 '15 at 22:58
How do I reverse it, so allow only jpg|png|gif and deny everything else? – eozzy Aug 27 '16 at 07:05
location ~* \.(jpg|png|gif) { } location / { deny all; } – Harikrishnan Aug 27 '16 at 07:22

Cole Tierney · Answer 2 · 2016-08-28T01:52:45.440

1

Edit: If support for other script types are added later, it would be safer to only serve recognized media types and deny the rest:

location ^~ /media/ {
    location ~ \.(?:jpg|png|gif)$ {}
    return 403; # or 404
}

edited Aug 28 '16 at 01:52

answered Mar 09 '14 at 13:00

Cole Tierney

9,571
1
27
35

How do I reverse it, so allow only `jpg|png|gif` and deny everything else? – eozzy Aug 27 '16 at 06:49
Try this: `location /media/ {location ~ ^/media/.*\.(?:jpg|png|gif)$ {} return 403;}` – Cole Tierney Aug 27 '16 at 13:12
Even better: `location ^~ /media/ {location ~ ^/media/.*\.(?:jpg|png|gif)$ {} return 403;}` – Cole Tierney Aug 27 '16 at 13:40
1

One more: `location ^~ /media/ {location ~ \.(?:jpg|png|gif)$ {} return 403;}` – Cole Tierney Aug 27 '16 at 13:52
I'm glad you asked! It's a better way to approach the problem. – Cole Tierney Aug 28 '16 at 01:01
Any chance you can help with this: http://serverfault.com/questions/799298/rewrite-rule-for-nginx-opencart ? I have the regex, just can't get it right. – eozzy Aug 29 '16 at 16:07

score -2 · Answer 3 · answered Jul 29 '15 at 17:33

-2

Location for media to prevent execution of php

location ^~ /media/ {}

answered Jul 29 '15 at 17:33

AnmolNagpal

387
2
8

Deny running scripts in nginx for specific url

3 Answers3

Location for media to prevent execution of php