According to WHMCS security advisory 2020-01-28 the path to /vendor/ must be secured.
They say we can use this directive at the top of the server block, which looks legit:

    location ^~ /vendor/ {
        deny all;
        return 403;
    }
However, I’m not getting a 403 and the file they mention is still downloadable.
Here is their advice:
https://docs.whmcs.com/Nginx_Directory_Access_Restriction
My server block is the stock one that appears when I deploy a new NGINX site.
I really don’t understand what’s going on. I’m almost 100% sure I had this working on another server but that server was decommissioned. I’m using latest Ubuntu 18.04 installed today.
The most obvious thing I see is to make sure it's at the top of the block, but it is.

    server {
        location ^~ /vendor/ {
            deny all;
            return 403;
        }
        server_name my.hidden.com www.my.hidden.com;
        listen 1xx.1xx.1xx.1xx;
        root /home/hidden/domains/my.hidden.com/public_html;
        index index.html index.htm index.php;
        access_log /var/log/virtualmin/my.hidden.com_access_log;
        error_log /var/log/virtualmin/my.hidden.com_error_log;
        fastcgi_param GATEWAY_INTERFACE CGI/1.1;
        fastcgi_param SERVER_SOFTWARE nginx;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SCRIPT_FILENAME /home/hidden/domains/my.hidden.com/public_html$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param DOCUMENT_URI $document_uri;
        fastcgi_param DOCUMENT_ROOT /home/hidden/domains/my.hidden.com/public_html;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param HTTPS $https;
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/var/php-nginx/155483329731858.sock/socket;
        }
        listen 1xx.1xx.1xx.1xx:443 ssl;
        ssl_certificate /home/hidden/domains/my.hidden.com/ssl.cert;
        ssl_certificate_key /home/hidden/domains/my.hidden.com/ssl.key;
    }
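The question turns on how nginx picks a location block: an exact `=` match wins first, then the longest matching prefix, and a prefix declared with `^~` stops the search so that regex locations such as `~ \.php$` are never consulted. The following is an added example, not code from the post, from WHMCS or from nginx, that models that selection order in Python for the two location blocks posted above plus a catch-all `/`, and contrasts the `^~ /vendor/` form with a plain `location /vendor/`. The URIs and the `weak`/`posted` config names are constructed for illustration; the model covers only the modifiers used here (`=`, plain prefix, `^~`, `~`, `~*`) and ignores nested locations and URI normalization.

```python
import re
from dataclasses import dataclass


@dataclass
class Location:
    modifier: str  # "", "=", "^~", "~" or "~*"
    pattern: str   # prefix string or regex source
    action: str    # label for what the block does


def select_location(uri, locations):
    """Return the action of the location nginx would choose for `uri`.

    Selection order as documented for nginx: an exact '=' match returns at
    once; otherwise the longest matching prefix is remembered. If that prefix
    was declared with '^~' it wins outright. Otherwise regex locations are
    tried in file order and the first match wins; with no regex match the
    longest prefix is used.
    """
    best_prefix = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc.action
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix.action
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc.action
    return best_prefix.action if best_prefix else "no match"


# Constructed models of two server blocks. "posted" mirrors the config in the
# question: ^~ /vendor/ denies, \.php$ goes to PHP-FPM, everything else is
# served as static files. "weak" drops the ^~ modifier, a common mistake.
CONFIGS = {
    "posted": [
        Location("^~", "/vendor/", "deny (403)"),
        Location("~", r"\.php$", "fastcgi_pass"),
        Location("", "/", "static"),
    ],
    "weak": [
        Location("", "/vendor/", "deny (403)"),
        Location("~", r"\.php$", "fastcgi_pass"),
        Location("", "/", "static"),
    ],
}


def classify(uri, config="posted"):
    """Which action a request for `uri` gets under the named model config."""
    return select_location(uri, CONFIGS[config])


if __name__ == "__main__":
    # Constructed sample URIs; the .php one stands in for any script under /vendor/.
    for uri in ("/vendor/autoload.php", "/vendor/composer/installed.json",
                "/index.php", "/css/site.css"):
        print(f"{uri:35} posted={classify(uri, 'posted'):12} weak={classify(uri, 'weak')}")
```

Under the `posted` model every request below `/vendor/` is denied, including `.php` files, because `^~` short-circuits before the `\.php$` regex is considered; under `weak`, `/vendor/autoload.php` is handed to PHP-FPM instead. Since the posted directive is correct on its own terms, the next thing to confirm on the real host is that the block nginx actually loaded is this one (`nginx -T` prints the effective configuration after a reload) and that the test request hits the same `server` block, for example on the same port and hostname.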