Forum: NGINX Only allow certain file extensions?

Rt Ibmer (Guest)
on 2009-02-25 08:07
(Received via mailing list)
What is the best way to enforce that nginx only serves content to a list
of known good extensions (like .php, .css, .xml, .jpg etc) and does a
deny all on all other page types?

I was thinking of using a location block for this, like so:

location NOT ~* regex_with_valid_extensions {
        access_log  /deny.log   main;
        deny all;
    }

But I wasn't sure how to do a NOT (make the regex match if the regex was
false). Also I was thinking perhaps there is a better way?

In summary I have two rules.  Rule #1 is that certain known bad
extensions I want blocked, for example .xyz.  Rule #2 is that I want to
allow only good known extensions, like .htm, .css, .jpg, .gif etc.

So I want my rule to be that it cannot match the denied extension(s) and
it must also pass the allowed extensions.

I know it is a bit repetitive because since .xyz would not be in the
allowed extensions then it would by default be blocked.  But just to be
certain I'd like it to work this way.

Any suggestions on the best approach to do this, without then messing up
the subsequent location blocks from matching?

Thank you!
Igor S. (Guest)
on 2009-02-25 08:47
(Received via mailing list)
On Tue, Feb 24, 2009 at 09:58:46PM -0800, Rt Ibmer wrote:

>
> In summary I have two rules.  Rule #1 is that certain known bad extensions I want blocked, for example .xyz.  Rule #2 is that I want to allow only good known extensions, like .htm, .css, .jpg, .gif etc.
>
> So I want my rule to be that it cannot match the denied extension(s) and it must also pass the allowed extensions.
>
> I know it is a bit repetitive because since .xyz would not be in the allowed extensions then it would by default be blocked.  But just to be certain I'd like it to work this way.
>
> Any suggestions on the best approach to do this, without then messing up the subsequent location blocks from matching?


     location / {
         ...
     }

     location ~ \.(htm|css|jpg|gif)$ {
         ...
     }

     location ~ \.php$ {
         ...
     }

     location ~ \.[^\.]+$ {
         deny all;
     }
Atif G. (Guest)
on 2009-02-26 01:05
(Received via mailing list)
On Wed, Feb 25, 2009 at 7:34 AM, Igor S. <removed_email_address@domain.invalid> wrote:

>
>
>     location ~ \.(htm|css|jpg|gif)$ {
>         ...
>     }
>
> Igor, Is it case sensitive?
I have been bitten by it before :-)
Igor S. (Guest)
on 2009-02-26 09:02
(Received via mailing list)
On Wed, Feb 25, 2009 at 11:54:20PM +0100, Atif G. wrote:

> On Wed, Feb 25, 2009 at 7:34 AM, Igor S. <removed_email_address@domain.invalid> wrote:
>
> >
> >
> >     location ~ \.(htm|css|jpg|gif)$ {
> >         ...
> >     }
> >
> > Igor, Is it case sensitive?

Yes.
Use "~*" for case insensitive regex.

BTW, I did not see the original email. Just the answer:
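
Added example, not written by any poster in this thread: a small Python model of the location matching discussed above, showing which block handles a request when the allow blocks use `~` versus `~*`. It assumes nginx's rule that regex locations are tried in configuration order with the first match winning and the prefix `location /` as the fallback; the function names and sample paths are constructed.

```python
import re

# Simplified model of how nginx picks a location for the config in the thread:
# regex locations are tried in config order and the first match wins; if none
# matches, the prefix location "/" handles the request. Exact (=) and ^~
# locations are not modelled because the thread's config has none.
EXT_ALLOW = r"\.(htm|css|jpg|gif)$"
PHP = r"\.php$"
CATCH_ALL = r"\.[^\.]+$"   # anything that still ends in ".something"


def build(case_insensitive):
    """Return the thread's regex locations as (compiled regex, outcome) pairs.

    case_insensitive=False models "~", True models "~*" on the two allow
    blocks. The final deny pattern contains no letters, so the modifier
    makes no difference there.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    return [
        (re.compile(EXT_ALLOW, flags), "static"),
        (re.compile(PHP, flags), "php"),
        (re.compile(CATCH_ALL), "deny"),
    ]


def route(uri, locations):
    """Name the location that would handle `uri` (path only, no query string)."""
    for regex, outcome in locations:
        if regex.search(uri):
            return outcome
    return "prefix /"


# Constructed sample request paths, not taken from the thread.
SAMPLES = ["/index.htm", "/photo.JPG", "/app.php", "/file.xyz", "/app.php.bak",
           "/.htpasswd", "/README", "/v1.2/notes"]

if __name__ == "__main__":
    strict, relaxed = build(False), build(True)
    print(f"{'uri':<14} {'~':<10} ~*")
    for uri in SAMPLES:
        print(f"{uri:<14} {route(uri, strict):<10} {route(uri, relaxed)}")
```

In this model an extensionless path such as `/README` is handled by `location /` rather than the deny block, and a dotted directory name such as `/v1.2/` trips the final deny pattern because `[^\.]` also matches `/`.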