Update nginx templates as php files where still executable (hestiacp#2338)

jaapmarcus · Alexandros Ioannides · web-flow · commit 1f7c02602c7b · 2022-01-10T09:26:00.000+01:00
* Update Wordpress
* Update Drupal-Composer
* Update Drupal-Social
* Update Drupal
* Update Joomla
* Update Moodle
* Update Thunder

In all cases prevent execution of .php files

Co-authored-by: Alexandros Ioannides &lt;alex@focus-net.net&gt;
diff --git a/install/deb/templates/web/nginx/php-fpm/drupal-composer.stpl b/install/deb/templates/web/nginx/php-fpm/drupal-composer.stpl
@@ -30,21 +30,11 @@ server {
         access_log off;
     }
 
-    location ~ \..*/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ ^/sites/.*/private/ {
         deny all;
         return 404;
     }
 
-    location ~ ^/sites/[^/]+/files/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ /\.(?!well-known\/) {
         deny all;
         return 404;
@@ -57,7 +47,17 @@ server {
             expires 30d;
             fastcgi_hide_header "Set-Cookie";
         }
-
+        
+        location ~ \..*/.*\.php$ {
+            deny all;
+            return 404;
+        }
+        
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+            return 404;
+        }
+        
         location ~ [^/]\.php(/|$)|^/update.php {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
diff --git a/install/deb/templates/web/nginx/php-fpm/drupal-composer.tpl b/install/deb/templates/web/nginx/php-fpm/drupal-composer.tpl
@@ -25,20 +25,11 @@ server {
         access_log off;
     }
 
-    location ~ \..*/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ ^/sites/.*/private/ {
         deny all;
         return 404;
     }
 
-    location ~ ^/sites/[^/]+/files/.*\.php$ {
-        deny all;
-        return 404;
-    }
 
     location ~ /\.(?!well-known\/) {
         deny all;
@@ -53,6 +44,16 @@ server {
             expires 30d;
             fastcgi_hide_header "Set-Cookie";
         }
+        
+        location ~ \..*/.*\.php$ {
+            deny all;
+            return 404;
+        }
+        
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+            return 404;
+        }
 
         location ~ [^/]\.php(/|$)|^/update.php {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
diff --git a/install/deb/templates/web/nginx/php-fpm/drupal-social.stpl b/install/deb/templates/web/nginx/php-fpm/drupal-social.stpl
@@ -30,21 +30,11 @@ server {
         access_log off;
     }
 
-    location ~ \..*/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ ^/sites/.*/private/ {
         deny all;
         return 404;
     }
 
-    location ~ ^/sites/[^/]+/files/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ /\.(?!well-known\/) {
         deny all;
         return 404;
@@ -57,6 +47,16 @@ server {
             expires 30d;
             fastcgi_hide_header "Set-Cookie";
         }
+        
+        location ~ \..*/.*\.php$ {
+            deny all;
+            return 404;
+        }
+        
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+            return 404;
+        }
 
         location ~ [^/]\.php(/|$)|^/update.php {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
diff --git a/install/deb/templates/web/nginx/php-fpm/drupal-social.tpl b/install/deb/templates/web/nginx/php-fpm/drupal-social.tpl
@@ -25,21 +25,11 @@ server {
         access_log off;
     }
 
-    location ~ \..*/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ ^/sites/.*/private/ {
         deny all;
         return 404;
     }
 
-    location ~ ^/sites/[^/]+/files/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ /\.(?!well-known\/) {
         deny all;
         return 404;
@@ -53,6 +43,16 @@ server {
             expires 30d;
             fastcgi_hide_header "Set-Cookie";
         }
+        
+        location ~ \..*/.*\.php$ {
+            deny all;
+            return 404;
+        }
+        
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+            return 404;
+        }
 
         location ~ [^/]\.php(/|$)|^/update.php {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
diff --git a/install/deb/templates/web/nginx/php-fpm/drupal.stpl b/install/deb/templates/web/nginx/php-fpm/drupal.stpl
@@ -34,22 +34,12 @@ server {
         deny all;
         return 404;
     }
-
-    location ~ \..*/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
+    
     location ~ ^/sites/.*/private/ {
         deny all;
         return 404;
     }
 
-    location ~ ^/sites/[^/]+/files/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ /vendor/.*\.php$ {
         deny all;
         return 404;
@@ -67,7 +57,17 @@ server {
             expires 30d;
             fastcgi_hide_header "Set-Cookie";
         }
-
+        
+        location ~ \..*/.*\.php$ {
+            deny all;
+            return 404;
+        }
+        
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+            return 404;
+        }
+        
         location ~ [^/]\.php(/|$)|^/update.php {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
diff --git a/install/deb/templates/web/nginx/php-fpm/drupal.tpl b/install/deb/templates/web/nginx/php-fpm/drupal.tpl
@@ -30,21 +30,11 @@ server {
         return 404;
     }
 
-    location ~ \..*/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ ^/sites/.*/private/ {
         deny all;
         return 404;
     }
 
-    location ~ ^/sites/[^/]+/files/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ /vendor/.*\.php$ {
         deny all;
         return 404;
@@ -63,6 +53,16 @@ server {
             expires 30d;
             fastcgi_hide_header "Set-Cookie";
         }
+        
+        location ~ \..*/.*\.php$ {
+            deny all;
+            return 404;
+        }
+        
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+            return 404;
+        }
 
         location ~ [^/]\.php(/|$)|^/update.php {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
diff --git a/install/deb/templates/web/nginx/php-fpm/joomla.stpl b/install/deb/templates/web/nginx/php-fpm/joomla.stpl
@@ -34,18 +34,18 @@ server {
         deny all;
         return 404;
     }
-
-    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
-        deny all;
-        return 404;
-    }
-
     location / {
         try_files $uri $uri/ /index.php?$args;
         location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
             expires 30d;
             fastcgi_hide_header "Set-Cookie";
         }
+        
+        location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
+            deny all;
+            return 404;
+        }
+        
 
         location ~ [^/]\.php(/|$) {
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
diff --git a/install/deb/templates/web/nginx/php-fpm/joomla.tpl b/install/deb/templates/web/nginx/php-fpm/joomla.tpl
@@ -30,17 +30,17 @@ server {
         return 404;
     }
 
-    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
-        deny all;
-        return 404;
-    }
-
     location / {
         try_files $uri $uri/ /index.php?$args;
         location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
             expires 30d;
             fastcgi_hide_header "Set-Cookie";
         }
+        
+        location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
+            deny all;
+            return 404;
+        }
 
         location ~ [^/]\.php(/|$) {
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
diff --git a/install/deb/templates/web/nginx/php-fpm/moodle.stpl b/install/deb/templates/web/nginx/php-fpm/moodle.stpl
@@ -37,10 +37,6 @@ server {
         deny all;
     }
 
-    location ~ \..*/.*\.php$ {
-        return 403;
-    }
-
     # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
@@ -51,6 +47,10 @@ server {
             expires     max;
             fastcgi_hide_header "Set-Cookie";
         }
+        
+        location ~ \..*/.*\.php$ {
+            return 403;
+        }
 
         location ~ [^/]\.php(/|$) {
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
diff --git a/install/deb/templates/web/nginx/php-fpm/moodle.tpl b/install/deb/templates/web/nginx/php-fpm/moodle.tpl
@@ -33,10 +33,6 @@ server {
         deny all;
     }
 
-    location ~ \..*/.*\.php$ {
-        return 403;
-        }
-
     # No no for private
     location ~ ^/sites/.*/private/ {
         return 403;
@@ -47,6 +43,10 @@ server {
             expires     max;
             fastcgi_hide_header "Set-Cookie";
         }
+        
+        location ~ \..*/.*\.php$ {
+        return 403;
+        }
 
         location ~ [^/]\.php(/|$) {
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
diff --git a/install/deb/templates/web/nginx/php-fpm/thunder.stpl b/install/deb/templates/web/nginx/php-fpm/thunder.stpl
@@ -25,21 +25,11 @@ server {
         access_log off;
     }
 
-    location ~ \..*/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ ^/sites/.*/private/ {
         deny all;
         return 404;
     }
 
-    location ~ ^/sites/[^/]+/files/.*\.php$ {
-        deny all;
-        return 404;
-    }
-
     location ~ /\.(?!well-known\/) {
         deny all;
         return 404;
@@ -53,6 +43,16 @@ server {
             fastcgi_hide_header "Set-Cookie";
         }
 
+        location ~ \..*/.*\.php$ {
+            deny all;
+            return 404;
+        }
+
+        location ~ ^/sites/[^/]+/files/.*\.php$ {
+            deny all;
+            return 404;
+        }
+        
         location ~ [^/]\.php(/|$)|^/update.php {
             fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
diff --git a/install/deb/templates/web/nginx/php-fpm/thunder.tpl b/install/deb/templates/web/nginx/php-fpm/thunder.tpl
diff --git a/install/deb/templates/web/nginx/php-fpm/wordpress.stpl b/install/deb/templates/web/nginx/php-fpm/wordpress.stpl
diff --git a/install/deb/templates/web/nginx/php-fpm/wordpress.tpl b/install/deb/templates/web/nginx/php-fpm/wordpress.tpl
