Hello, I made a file named deny.conf
It blocks access to . files and .git.
```nginx
# Deny all attempts to access hidden files/folders such as .git, .htaccess, .htpasswd, .DS_Store (Mac), etc.
# (the dot must be escaped: an unescaped "." would match any character after the slash)
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

# Deny yaml, twig, markdown, ini file access
location ~* /.+\.(markdown|md|twig|yaml|yml|ini)$ {
    deny all;
    access_log off;
    log_not_found off;
}

# Deny all grunt, package files
location ~* (Gruntfile|package)\.(js|json|jsonc)$ {
    deny all;
    access_log off;
    log_not_found off;
}

# Deny all composer files
location ~* composer\. {
    deny all;
    access_log off;
    log_not_found off;
}
```
because on my websites users can currently see them; HestiaCP has no protection against this.
I would like to know how to add it as standard to nginx, so that in future updates it will not be replaced or removed.
I added it to my nginx.conf, but after the update my include disappeared and I had to do it again.
eris
Currently all “default” / system templates will get overwritten on default…
Currently we block all .xxx files except .well-known for LE
hs1
You can hide .user.ini (and other files) from view by creating a per-domain nginx.ssl.conf_my.conf in /home/username/conf/web/yourdomain.com
I block views to .user.ini with the following content:

```nginx
# Block .user.ini view
location ~ /\.user\.ini { return 404; }
```
You can also include many instructions for Security Headers in this same file, e.g.:

```nginx
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "camera=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(self), payment=(self)" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Expect-CT "enforce; max-age=3600" always;
```

Hope this helps. BTW, I forgot to mention: this .conf file will NOT be overwritten on upgrade.
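As an added example (not code from the thread or from HestiaCP), a small Python check that applies the regex location rules posted above, escaped as nginx needs them, to sample URIs in nginx's first-matching-regex order, and shows what happens when a forum post strips the backslashes. The order of the rules and the form of the `.well-known` exception that eris mentions are assumptions.

```python
import re

# Regex location rules from the thread, escaped as nginx needs them, in an
# assumed order (nginx takes the first regex location that matches). The
# second element is the status that block would produce.
RULES = [
    (r"/\.user\.ini", 404),                                 # hs1's per-domain rule
    (r"/\.", 403),                                          # hidden files/dirs
    (r"(?i)/.+\.(markdown|md|twig|yaml|yml|ini)$", 403),     # ~* is case-insensitive
    (r"(?i)(Gruntfile|package)\.(js|json|jsonc)$", 403),
    (r"(?i)composer\.", 403),
]

# Hestia keeps /.well-known reachable for Let's Encrypt; modelled here as a
# prefix exception checked before the regex rules (assumed form, not copied
# from the Hestia templates).
WELL_KNOWN_PREFIX = "/.well-known/"

# The pitfall: with the backslash lost, "/." matches "/" followed by ANY
# character, so every ordinary URI is denied as well.
UNESCAPED_RULES = [(r"/.", 403)]


def decide(uri: str, rules=RULES) -> int:
    """Return the HTTP status the rules would yield for a URI (200 = served)."""
    if uri.startswith(WELL_KNOWN_PREFIX):
        return 200
    for pattern, status in rules:
        if re.search(pattern, uri):  # nginx regex locations are unanchored
            return status
    return 200


if __name__ == "__main__":
    samples = ["/.git/config", "/config.yml", "/package.json", "/composer.lock",
               "/README.MD", "/index.php", "/.well-known/acme-challenge/token", "/.user.ini"]
    for uri in samples:  # constructed sample URIs
        print(f"{uri:38} escaped -> {decide(uri)}   unescaped -> {decide(uri, UNESCAPED_RULES)}")
```

The same check can be run against the live site with curl after the per-domain file is in place; the point here is to see the escaped and unescaped patterns side by side before deploying.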