NGINX location ^~ deny all ignored and not returning 403

eugenevdm.host · April 12, 2020, 2:23pm

According to WHMCS security advisory 2020-01-28 the path to /vendor/ must be secured.

The say we can use this directive at the top of the server block, which looks legit:

location ^~ /vendor/ {
    deny all;
    return 403;
 }

However, I’m not getting a 403 and the file they mention is still downloadable.
Here is their advice:
https://docs.whmcs.com/Nginx_Directory_Access_Restriction

The server of my server block is the stock one that appears when I deploy a new NGINX site.

I really don’t understand what’s going on. I’m almost 100% sure I had this working on another server but that server was decommissioned. I’m using latest Ubuntu 18.04 installed today.

The most obvious thing I see if make sure it’s at the top of the block, but it is.

    server {
        location ^~ /vendor/ {
            deny all;
            return 403;
        }
        server_name my.hidden.com www.my.hidden.com;
        listen 1xx.1xx.1xx.1xx;
        root /home/hidden/domains/my.hidden.com/public_html;
        index index.html index.htm index.php;
        access_log /var/log/virtualmin/my.hidden.com_access_log;
        error_log /var/log/virtualmin/my.hidden.com_error_log;
        fastcgi_param GATEWAY_INTERFACE CGI/1.1;
        fastcgi_param SERVER_SOFTWARE nginx;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SCRIPT_FILENAME /home/hidden/domains/my.hidden.com/public_html$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param DOCUMENT_URI $document_uri;
        fastcgi_param DOCUMENT_ROOT /home/hidden/domains/my.hidden.com/public_html;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param HTTPS $https;
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/php-nginx/155483329731858.sock/socket;
        }
        listen 1xx.1xx.1xx.1xx:443 ssl;
        ssl_certificate /home/hidden/domains/my.hidden.com/ssl.cert;
        ssl_certificate_key /home/hidden/domains/my.hidden.com/ssl.key;
}

Ilia · April 12, 2020, 3:24pm

Hi,

What about:

location ~ /vendor/ {
        deny all;
        return 403;
}

eugenevdm.host · April 12, 2020, 7:43pm

Thank you @Ilia that worked! Would you be so kind to tell me what the difference is between:

^

and

~

or tell me where I can find some documentation about those symbols?

Ilia · April 12, 2020, 10:48pm

 ^~ - Best Non RegEx Match (Carat-Tilde Sign)

When this modifier is used, the matching URL will use this configuration. Basically, this configuration will be used as the prefix match, but this will not perform any further regular expression match even if one is available.

location ^~ /img/ { }

system · May 12, 2020, 10:48pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.