Hi,
I have a small server running nginx and hosting a dokuwiki site. For
security reason some directories of the dokuwiki install should be
accessed by the outside world so my nginx site file is like that :
server {
listen 80; ## listen for ipv4
server_name XXX;
access_log /var/log/nginx/xxx.access.log;
error_log /var/log/nginx/xxx.error.log notice;
rewrite_log on;
root /var/www/xxx;
index doku.php;
location ~ ^/(data|conf|bin|inc) {
deny all;
}
location / {
try_files $uri $uri/ @dokuwiki;
}
location @dokuwiki {
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1
last;
rewrite ^/_export/([^/]+)/(.*)
/doku.php?do=export_$1&id=$2 last;
rewrite ^/tag/(.*)
/doku.php?id=tag:$1&do=showtag&tag=tag:$1 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
}
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME
$document_root$fastcgi_script_name;
fastcgi_pass 127.0.0.1:9000;
}
Notice the fact that the directories data, conf, bin and inc are
denied.
With ipv4 only (like in the previous config file), everything works
great : the wiki is working great and the forbidden directories are well
protected.
Yesterday I made one change listen 80 → listen [::]:80 (to enable ipv6)
and all the forbidden directories are not protected anymore (anybody
with ipv4 or ipv6 can access them). Reverting to ipv4 (listen 80) fix
the problem.
I tried to change my configuration file that way
listen 80; ## listen for ipv4
listen [::]:80 default ipv6only=on;
to have two explicit bind.
And if I force my browser to use ipv4 the directories are protected. If
my browser use ipv6 the directories are not protected anymore.
So I have many questions :
- Is my configuration file wrong ?
- Is there something wrong with ipv6 and nginx ?
- Does anybody already had this problem ?
Thanks in advance.
Vlad
Posted at Nginx Forum: