Nginx and ipv6

Hi,

I have a small server running nginx and hosting a dokuwiki site. For
security reasons some directories of the dokuwiki install should be
accessed by the outside world, so my nginx site file looks like this:

server {

        listen   80; ## listen for ipv4

        server_name XXX;

        access_log  /var/log/nginx/xxx.access.log;
        error_log /var/log/nginx/xxx.error.log notice;
        rewrite_log on;
        root   /var/www/xxx;
        index doku.php;

        location ~ ^/(data|conf|bin|inc) {
                deny all;
        }

        location / {
                try_files $uri $uri/ @dokuwiki;
        }

        location @dokuwiki {
                rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
                rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
                rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
                rewrite ^/tag/(.*) /doku.php?id=tag:$1&do=showtag&tag=tag:$1 last;
                rewrite ^/(.*) /doku.php?id=$1&$args last;
        }


        location ~ \.php$ {
                include /etc/nginx/fastcgi_params;
                fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass    127.0.0.1:9000;
        }
}

Notice the fact that the directories data, conf, bin and inc are
denied.

With ipv4 only (like in the previous config file), everything works
great: the wiki is working great and the forbidden directories are well
protected.

Yesterday I made one change: listen 80 → listen [::]:80 (to enable ipv6)
and all the forbidden directories are not protected anymore (anybody
with ipv4 or ipv6 can access them). Reverting to ipv4 (listen 80) fixes
the problem.

I tried to change my configuration file this way:

listen   80; ## listen for ipv4
listen   [::]:80 default ipv6only=on;

to have two explicit binds.

And if I force my browser to use ipv4 the directories are protected. If
my browser uses ipv6 the directories are not protected anymore.

So I have many questions:

  • Is my configuration file wrong?
  • Is there something wrong with ipv6 and nginx?
  • Has anybody already had this problem?

Thanks in advance.

Vlad

Posted at Nginx Forum:

Hello!

On Sat, Jan 15, 2011 at 08:57:06AM -0500, vlad59 wrote:

[…]

    location ~ ^/(data|conf|bin|inc) {
            deny all;
    }

[…]

to have two explicit binds.

And if I force my browser to use ipv4 the directories are protected. If
my browser uses ipv6 the directories are not protected anymore.

So I have many questions:

  • Is my configuration file wrong?
  • Is there something wrong with ipv6 and nginx?
  • Has anybody already had this problem?

Access module (allow/deny directives) supports ipv6 as of 0.8.22+.
If you are using an older version, you have to upgrade.

Maxim D.
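
An added example (not part of the original thread, and not nginx's own tooling): a small Python check that applies the 0.8.22 threshold given above to `nginx -v` output and a config text, listing the allow/deny rules that would go unenforced when an IPv6 listener is present. The function names and the sample config are constructed for illustration, and the parser is a simplification that treats the whole text as one server block.

```python
import re

# Threshold from the thread: allow/deny handle IPv6 clients from nginx 0.8.22 on.
ACCESS_IPV6_MIN = (0, 8, 22)

def parse_version(banner):
    """Pull (major, minor, patch) out of `nginx -v` output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in %r" % banner)
    return tuple(int(part) for part in m.groups())

def directives(conf, names):
    """Return every '<name> <args>' directive for the given names, whitespace-normalised."""
    conf = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())  # drop comments
    pattern = r"(?:^|(?<=[;{}]))\s*((?:%s)\s+[^;{}]+);" % "|".join(names)
    return [" ".join(d.split()) for d in re.findall(pattern, conf, re.M)]

def unenforced_rules(banner, conf):
    """List allow/deny rules that this build cannot apply on an IPv6 listener."""
    has_ipv6_listener = any(d.split()[1].startswith("[") for d in directives(conf, ["listen"]))
    if parse_version(banner) >= ACCESS_IPV6_MIN or not has_ipv6_listener:
        return []
    return directives(conf, ["allow", "deny"])

# Constructed sample: the two listen lines and the deny block quoted in the thread.
SAMPLE_CONF = """
server {
    listen   80; ## listen for ipv4
    listen   [::]:80 default ipv6only=on;
    location ~ ^/(data|conf|bin|inc) {
        deny all;
    }
}
"""

if __name__ == "__main__":
    for banner in ("nginx version: nginx/0.7.67", "nginx version: nginx/0.8.22"):
        print(banner, "->", unenforced_rules(banner, SAMPLE_CONF) or "allow/deny enforced")
```
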

Maxim D. Wrote:

[…]

Damn, sorry for the noise, next time I’ll try to RTFM a little more.

I’m using Debian Squeeze so revision 0.7.67. That explains everything,
I’ll upgrade this tomorrow.

Thanks a lot for your quick answer.

Vlad

Hello Maxim,

Maxim D. Wrote:

Access module (allow/deny directives) supports ipv6 as of 0.8.22+.
If you are using an older version, you have to upgrade.

Why not use something like “return 403;” instead of “deny all;”?

Olivier
