Merge pull request hestiacp#1592 from hestiacp/security/1589-hide-hidden-files

ScIT-Raphael · web-flow · commit a2ce6ca8564e · 2021-01-28T07:44:08.000+01:00
Hide hidden files by default
diff --git a/install/deb/templates/web/nginx/php-fpm/cms_made_simple.stpl b/install/deb/templates/web/nginx/php-fpm/cms_made_simple.stpl
@@ -44,11 +44,10 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
-
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
         include %home%/%user%/web/%domain%/stats/auth.conf*;
diff --git a/install/deb/templates/web/nginx/php-fpm/cms_made_simple.tpl b/install/deb/templates/web/nginx/php-fpm/cms_made_simple.tpl
@@ -39,9 +39,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+   location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/codeigniter2.stpl b/install/deb/templates/web/nginx/php-fpm/codeigniter2.stpl
@@ -49,9 +49,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/codeigniter2.tpl b/install/deb/templates/web/nginx/php-fpm/codeigniter2.tpl
@@ -44,9 +44,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/codeigniter3.stpl b/install/deb/templates/web/nginx/php-fpm/codeigniter3.stpl
@@ -44,10 +44,10 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
-    }
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
+    }    
 
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
diff --git a/install/deb/templates/web/nginx/php-fpm/codeigniter3.tpl b/install/deb/templates/web/nginx/php-fpm/codeigniter3.tpl
@@ -40,9 +40,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/datalife_engine.stpl b/install/deb/templates/web/nginx/php-fpm/datalife_engine.stpl
@@ -115,9 +115,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/datalife_engine.tpl b/install/deb/templates/web/nginx/php-fpm/datalife_engine.tpl
@@ -1,4 +1,7 @@
-#=======================================================================#
+location ~ /\.(?!well-known\/) { 
+   deny all; 
+   return 404;
+}#=======================================================================#
 # Default Web Domain Template                                           #
 # DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
 #=======================================================================#
@@ -110,9 +113,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/default.stpl b/install/deb/templates/web/nginx/php-fpm/default.stpl
@@ -43,9 +43,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/default.tpl b/install/deb/templates/web/nginx/php-fpm/default.tpl
@@ -38,9 +38,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/dokuwiki.stpl b/install/deb/templates/web/nginx/php-fpm/dokuwiki.stpl
@@ -60,9 +60,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/dokuwiki.tpl b/install/deb/templates/web/nginx/php-fpm/dokuwiki.tpl
@@ -54,9 +54,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/drupal6.stpl b/install/deb/templates/web/nginx/php-fpm/drupal6.stpl
@@ -82,9 +82,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/drupal6.tpl b/install/deb/templates/web/nginx/php-fpm/drupal6.tpl
@@ -77,9 +77,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/joomla.stpl b/install/deb/templates/web/nginx/php-fpm/joomla.stpl
@@ -56,9 +56,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) {
+        deny all;
+        return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/joomla.tpl b/install/deb/templates/web/nginx/php-fpm/joomla.tpl
@@ -51,9 +51,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) {
+        deny all;
+        return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/laravel.stpl b/install/deb/templates/web/nginx/php-fpm/laravel.stpl
@@ -43,9 +43,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) {
+        deny all;
+        return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/laravel.tpl b/install/deb/templates/web/nginx/php-fpm/laravel.tpl
@@ -37,9 +37,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/magento.stpl b/install/deb/templates/web/nginx/php-fpm/magento.stpl
@@ -192,8 +192,9 @@ server {
     gzip_vary on;
 
     # Banned locations (only reached if the earlier PHP entry point regexes don't match)
-    location ~* (\.php$|\.htaccess$|\.git) {
-        deny all;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/magento.tpl b/install/deb/templates/web/nginx/php-fpm/magento.tpl
@@ -187,8 +187,9 @@ server {
     gzip_vary on;
 
     # Banned locations (only reached if the earlier PHP entry point regexes don't match)
-    location ~* (\.php$|\.htaccess$|\.git) {
-        deny all;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/modx.stpl b/install/deb/templates/web/nginx/php-fpm/modx.stpl
@@ -58,9 +58,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/modx.tpl b/install/deb/templates/web/nginx/php-fpm/modx.tpl
@@ -52,9 +52,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/moodle.stpl b/install/deb/templates/web/nginx/php-fpm/moodle.stpl
@@ -78,9 +78,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/moodle.tpl b/install/deb/templates/web/nginx/php-fpm/moodle.tpl
@@ -74,9 +74,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/no-php.stpl b/install/deb/templates/web/nginx/php-fpm/no-php.stpl
@@ -34,9 +34,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/no-php.tpl b/install/deb/templates/web/nginx/php-fpm/no-php.tpl
@@ -29,9 +29,9 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location /vstats/ {
diff --git a/install/deb/templates/web/nginx/php-fpm/odoo.stpl b/install/deb/templates/web/nginx/php-fpm/odoo.stpl
@@ -33,8 +33,9 @@ server {
     send_timeout            720;
 
     # Allow "Well-Known URIs" as per RFC 5785
-    location ~* ^/.well-known/ {
-        allow all;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location / {
@@ -56,11 +57,6 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
-    }
-
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
         include %home%/%user%/web/%domain%/stats/auth.conf*;
diff --git a/install/deb/templates/web/nginx/php-fpm/odoo.tpl b/install/deb/templates/web/nginx/php-fpm/odoo.tpl
@@ -28,8 +28,9 @@ server {
     send_timeout            720;
 
     # Allow "Well-Known URIs" as per RFC 5785
-    location ~* ^/.well-known/ {
-        allow all;
+    location ~ /\.(?!well-known\/) { 
+       deny all; 
+       return 404;
     }
 
     location / {
@@ -51,11 +52,6 @@ server {
         alias   %home%/%user%/web/%domain%/document_errors/;
     }
 
-    location ~* "/\.(htaccess|htpasswd)$" {
-        deny    all;
-        return  404;
-    }
-
     location /vstats/ {
         alias   %home%/%user%/web/%domain%/stats/;
         include %home%/%user%/web/%domain%/stats/auth.conf*;
diff --git a/install/deb/templates/web/nginx/php-fpm/opencart.stpl b/install/deb/templates/web/nginx/php-fpm/opencart.stpl
diff --git a/install/deb/templates/web/nginx/php-fpm/opencart.tpl b/install/deb/templates/web/nginx/php-fpm/opencart.tpl
diff --git a/install/deb/templates/web/nginx/php-fpm/osticket.stpl b/install/deb/templates/web/nginx/php-fpm/osticket.stpl
diff --git a/install/deb/templates/web/nginx/php-fpm/osticket.tpl b/install/deb/templates/web/nginx/php-fpm/osticket.tpl
diff --git a/install/deb/templates/web/nginx/php-fpm/owncloud.stpl b/install/deb/templates/web/nginx/php-fpm/owncloud.stpl
diff --git a/install/deb/templates/web/nginx/php-fpm/owncloud.tpl b/install/deb/templates/web/nginx/php-fpm/owncloud.tpl
diff --git a/install/deb/templates/web/nginx/php-fpm/piwik.stpl b/install/deb/templates/web/nginx/php-fpm/piwik.stpl
diff --git a/install/deb/templates/web/nginx/php-fpm/piwik.tpl b/install/deb/templates/web/nginx/php-fpm/piwik.tpl
diff --git a/install/deb/templates/web/nginx/php-fpm/pyrocms.stpl b/install/deb/templates/web/nginx/php-fpm/pyrocms.stpl
diff --git a/install/deb/templates/web/nginx/php-fpm/pyrocms.tpl b/install/deb/templates/web/nginx/php-fpm/pyrocms.tpl
diff --git a/install/deb/templates/web/nginx/php-fpm/sendy.stpl b/install/deb/templates/web/nginx/php-fpm/sendy.stpl
diff --git a/install/deb/templates/web/nginx/php-fpm/sendy.tpl b/install/deb/templates/web/nginx/php-fpm/sendy.tpl
diff --git a/install/deb/templates/web/nginx/php-fpm/wordpress.stpl b/install/deb/templates/web/nginx/php-fpm/wordpress.stpl
diff --git a/install/deb/templates/web/nginx/php-fpm/wordpress.tpl b/install/deb/templates/web/nginx/php-fpm/wordpress.tpl

Original file line number	Diff line number	Diff line change
`@@ -44,11 +44,10 @@ server {`
`44`	`44`	`alias %home%/%user%/web/%domain%/document_errors/;`
`45`	`45`	`}`
`46`	`46`
`47`		`- location ~* "/\.(htaccess\|htpasswd)$" {`
`48`		`- deny all;`
`49`		`- return 404;`
	`47`	`+ location ~ /\.(?!well-known\/) {`
	`48`	`+ deny all;`
	`49`	`+ return 404;`
`50`	`50`	`}`
`51`		`-`
`52`	`51`	`location /vstats/ {`
`53`	`52`	`alias %home%/%user%/web/%domain%/stats/;`
`54`	`53`	`include %home%/%user%/web/%domain%/stats/auth.conf*;`
Original file line number	Diff line number	Diff line change
`@@ -39,9 +39,9 @@ server {`
`39`	`39`	`alias %home%/%user%/web/%domain%/document_errors/;`
`40`	`40`	`}`
`41`	`41`
`42`		`- location ~* "/\.(htaccess\|htpasswd)$" {`
`43`		`- deny all;`
`44`		`- return 404;`
	`42`	`+ location ~ /\.(?!well-known\/) {`
	`43`	`+ deny all;`
	`44`	`+ return 404;`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`location /vstats/ {`
Original file line number	Diff line number	Diff line change
`@@ -49,9 +49,9 @@ server {`
`49`	`49`	`alias %home%/%user%/web/%domain%/document_errors/;`
`50`	`50`	`}`
`51`	`51`
`52`		`- location ~* "/\.(htaccess\|htpasswd)$" {`
`53`		`- deny all;`
`54`		`- return 404;`
	`52`	`+ location ~ /\.(?!well-known\/) {`
	`53`	`+ deny all;`
	`54`	`+ return 404;`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`location /vstats/ {`
Original file line number	Diff line number	Diff line change
`@@ -44,9 +44,9 @@ server {`
`44`	`44`	`alias %home%/%user%/web/%domain%/document_errors/;`
`45`	`45`	`}`
`46`	`46`
`47`		`- location ~* "/\.(htaccess\|htpasswd)$" {`
`48`		`- deny all;`
`49`		`- return 404;`
	`47`	`+ location ~ /\.(?!well-known\/) {`
	`48`	`+ deny all;`
	`49`	`+ return 404;`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`location /vstats/ {`
Original file line number	Diff line number	Diff line change
`@@ -40,9 +40,9 @@ server {`
`40`	`40`	`alias %home%/%user%/web/%domain%/document_errors/;`
`41`	`41`	`}`
`42`	`42`
`43`		`- location ~* "/\.(htaccess\|htpasswd)$" {`
`44`		`- deny all;`
`45`		`- return 404;`
	`43`	`+ location ~ /\.(?!well-known\/) {`
	`44`	`+ deny all;`
	`45`	`+ return 404;`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`location /vstats/ {`
Original file line number	Diff line number	Diff line change
`@@ -115,9 +115,9 @@ server {`
`115`	`115`	`alias %home%/%user%/web/%domain%/document_errors/;`
`116`	`116`	`}`
`117`	`117`
`118`		`- location ~* "/\.(htaccess\|htpasswd)$" {`
`119`		`- deny all;`
`120`		`- return 404;`
	`118`	`+ location ~ /\.(?!well-known\/) {`
	`119`	`+ deny all;`
	`120`	`+ return 404;`
`121`	`121`	`}`
`122`	`122`
`123`	`123`	`location /vstats/ {`
Original file line number	Diff line number	Diff line change
`@@ -43,9 +43,9 @@ server {`
`43`	`43`	`alias %home%/%user%/web/%domain%/document_errors/;`
`44`	`44`	`}`
`45`	`45`
`46`		`- location ~* "/\.(htaccess\|htpasswd)$" {`
`47`		`- deny all;`
`48`		`- return 404;`
	`46`	`+ location ~ /\.(?!well-known\/) {`
	`47`	`+ deny all;`
	`48`	`+ return 404;`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`location /vstats/ {`
Original file line number	Diff line number	Diff line change
`@@ -38,9 +38,9 @@ server {`
`38`	`38`	`alias %home%/%user%/web/%domain%/document_errors/;`
`39`	`39`	`}`
`40`	`40`
`41`		`- location ~* "/\.(htaccess\|htpasswd)$" {`
`42`		`- deny all;`
`43`		`- return 404;`
	`41`	`+ location ~ /\.(?!well-known\/) {`
	`42`	`+ deny all;`
	`43`	`+ return 404;`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`location /vstats/ {`