# block content
location ~ ^/content/(.*).(txt|md|mdown)$ {
rewrite ^/content/(.*).(txt|md|mdown)$ /error redirect;
}
# block all files in the site folder from being accessed directly
location ~ ^/site/(.*)$ {
rewrite ^/site/(.*)$ /error redirect;
}
# block all files in the kirby folder
location ~ ^/kirby/(.*)$ {
rewrite ^/kirby/(.*)$ /error redirect;
}
# site links
location / {
try_files $uri $uri/ /index.php?$uri&$args;
}
# panel links
location /panel {
try_files $uri $uri/ /panel/index.php?$uri&$args;
}
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
Ok, I replaced my first draft with your suggestions but removed the q= to avoid broken queries containing a q var. It works well for me this way.
I've found that (for whatever reason) the above statements for blocking direct access to certain parts of Kirby didn't work for me, but these do:
# block content
rewrite ^/content/(.*).(txt|md|mdown)$ /error redirect;
# block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error redirect;
# site links
location / {
try_files $uri $uri/ /index.php?$uri&$args;
}
# panel links
location /panel {
try_files $uri $uri/ /panel/index.php?$uri&$args;
}
# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~ (?:^|/)\. {
deny all;
}
# Prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
deny all;
}
Instead of redirecting, which hints that the folders and files actually exist, I've added last, which behaves just as if a URL was misspelled. I've also made sure that folders like /kirby don't hint at their existence by redirecting to /kirby/
# Don't hint these as folders
rewrite ^/(content|site|kirby)$ /error last;
# block content
rewrite ^/content/(.*).(txt|md|mdown)$ /error last;
# block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error last;
# site links
location / {
try_files $uri $uri/ /index.php?$uri&$args;
}
# panel links
location /panel {
try_files $uri $uri/ /panel/index.php?$uri&$args;
}
# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~ (?:^|/)\. {
deny all;
}
# Prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
deny all;
}
I think we're getting to a point where Kirby can be either shipped or documented, or both, with an Nginx config instruction with these basic security precautions 👍
Okay, so a pretty important change here.
Kirby Routes (for example Plugin Assets) won't work properly with the above Nginx configs, as they're using try_files just in the root instead of from the root, like
location / {
autoindex off;
try_files $uri $uri/ /index.php?$uri&$args;
}
...of course had to be this
location ~ / {
autoindex off;
try_files $uri $uri/ /index.php?$uri&$args;
}
Also, location /panel should probably be location ~ /panel and be defined before the new, more general # site links section for the panel to work.
Also see https://forum.getkirby.com/t/plugin-assets-wont-load-kirby-routes-on-nginx/4318/8
So to sum it all up
# Don't hint these as folders
rewrite ^/(content|site|kirby)$ /error last;
# block content
rewrite ^/content/(.*).(txt|md|mdown)$ /error last;
# block all files in the site and kirby folder from being accessed directly
rewrite ^/(site|kirby)/(.*)$ /error last;
# removes trailing slashes (prevents SEO duplicate content issues)
if (!-d $request_filename) {
rewrite ^/(.+)/$ /$1 permanent;
}
# panel links
location ~ /panel {
try_files $uri $uri/ /panel/index.php?$uri&$args;
}
# site links
location ~ / {
try_files $uri $uri/ /index.php?$uri&$args;
}
# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~ (?:^|/)\. {
deny all;
}
# Prevent clients from accessing to backup/config/source files
location ~ (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
deny all;
}
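An added example, not part of any comment in this thread: a simplified Python model of how nginx selects a location (regex locations are tried in file order and the first match wins), run over the location lines of the summed-up config above to show which block would handle a few constructed request paths. The `DENY_FIRST` ordering, the sample paths and the function names are assumptions of this example, and Python's `re` stands in for nginx's PCRE.

```python
import re

DOT = r"(?:^|/)\."                      # hidden-file deny regex from the thread
BACKUP = r"(?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$"

# (modifier, pattern) pairs in file order. SUMMARY is the order of the
# summed-up config; DENY_FIRST is a constructed reordering for comparison.
SUMMARY = [("~", "/panel"), ("~", "/"), ("~", DOT), ("~", BACKUP)]
DENY_FIRST = [("~", DOT), ("~", BACKUP), ("~", "/panel"), ("~", "/")]

def pick_location(locations, uri):
    """Simplified nginx location selection (named locations omitted)."""
    best = None
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return mod, pat                       # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)                 # remember the longest prefix
    if best and best[0] == "^~":
        return best                               # ^~ skips the regex pass
    for mod, pat in locations:
        flags = re.I if mod == "~*" else 0
        if mod in ("~", "~*") and re.search(pat, uri, flags):
            return mod, pat                       # first regex in file order wins
    return best                                   # fall back to the prefix match

def route(locations, uris):
    """Map each URI to the pattern of the location that would handle it."""
    result = {}
    for uri in uris:
        hit = pick_location(locations, uri)
        result[uri] = hit[1] if hit else None
    return result

# Constructed sample request paths.
SAMPLES = ["/.htpasswd", "/dump.sql", "/panel/login", "/blog/post"]

if __name__ == "__main__":
    for name, cfg in (("summary order", SUMMARY), ("deny first", DENY_FIRST)):
        print(name)
        for uri, pat in route(cfg, SAMPLES).items():
            print(f"  {uri:14} -> location ~ {pat}")
```

In this model the summary ordering sends `/.htpasswd` and `/dump.sql` to `location ~ /`, so the two `deny all` blocks are never selected; with the deny blocks listed first they are selected, and `/panel/login` and `/blog/post` route as before.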
Hey @JimmyRittenborg, thanks for your improvements on this nginx config. How would all this look if Kirby is installed in a subdirectory of my domain? Do I have to add the dir-name in every rule or is there a simpler way? (Wrapping everything in location ~ /subdir { .. } doesn't seem to work :(
Dennis
Hi all. I've been searching and searching. Finally ended up here with this answer.
I have an nginx server configured on localhost and Kirby running. For the most part it runs fine but I've encountered a little annoying detail. It doesn't seem to work with a few specific links:
localhost:8080/panel/ - works
localhost:8080/panel - does not work
Anybody have an idea why this would be failing?
# site links
location / {
autoindex off;
try_files $uri $uri/ /index.php?$uri&$args;
}
# panel links
location /panel {
try_files $uri $uri/ /panel/index.php?$uri&$args;
}
Edit:
The redirect in nginx does work in some way, but it directs to localhost/panel instead of localhost:8080/panel.
@JimmyRittenborg Are you able to share your full .conf file including the above code? I'm new to nginx and struggling to see how this comes together with things like error pages and fastcgi. Many thanks in advance.
@wottpal can you share what you did for a sub-directory configuration? I couldn't get the panel to work on nginx running on AWS
Is there an nginx config for Kirby 3?
Oh, I just saw your comment. Is there a reason you used the ?q=$uri&$args line only for site links?