Nginx Security – Disable Directory Browsing Not Working

djangonginxSecurity

I have a Django application in production and my web server is Nginx.

My application is located at /home/rouizi/blog and let say my domain name is example.com.
I want to prevent that users can read my files that are located inside the blog folder.

For instance, with my actual configuration, if someone access exemple.com/manage.py he can see the content of that file. I want instead to show him a 404 not found error.

Here is my nginx configuration:

/etc/nginx/nginx.conf

user www-data;
worker_processes auto;

pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 1024;
}

http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        include /etc/nginx/conf.d/*.conf;

       add_header    X-Content-Type-Options nosniff;
       add_header    X-Frame-Options SAMEORIGIN;
       add_header    X-XSS-Protection "1; mode=block";

       server_tokens off;
       keepalive_timeout 75;
}

/etc/nginx/conf.d/example.conf

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen         80;
    server_name    example.com www.example.com;
    return         301 https://example.com$request_uri;
}

server {
    listen                          443 ssl http2 default_server;
    listen                          [::]:443 ssl http2 default_server;
    
    #  ssl stuff

    server_name                     example.com www.example.com;
    root                            /home/rouizi/blog/;
    index                           index.html;

    location /static {
        alias /home/rouizi/blog/staticfiles/;
     }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://127.0.0.1:8000;
            break;
        }
    }

    gzip             on;
    gzip_comp_level  3;
    gzip_types       text/plain text/css application/javascript image/*;
}

What I tried so far:

I added the directive autoindex on; and reload nginx. Not worked

I added an empty index.html file inside the blog directory and reload nginx. Not worked

How can I solve this problem ?

Edit

I found that If I put my ip address instead of my domain name in the server_name directive the directory browsing is disabled:

/etc/nginx/conf.d/example.conf

# ...

server {
    # ...
    #  ssl stuff

    server_name                     139.151.187.143;
    
    # ...

}

Just like that if I go to exemple.com/manage.py or other files I get a 404 not found error from my Dango application. But also static and media files are no longer served.

Anyone can explain why ? Is this reloated to my DNS hosting provider ?

Best Answer

Serving anything other than the files specifically copied to a static folder is not typically what you want for Django-powered applications.

The typical setup works like this:

everything in /static gets handled by the web server (this is what the location /static {} block is about: the alias points to the directory where the django collectstatic commands places static files)
similar handling of a /media location, as necessary
everything else gets forwarded to the wsgi application (meaning your program files are not directly accessed by the nginx server)

What you want it probably remove the root /home/rouizi/blog/; and unconditionally (not inside a if (!-f $request_filename) { block) forward requests to your wsgi application.

Related Solutions

Nginx – Properly setting up a “default” nginx server for https

I managed to configure a shared dedicated hosting on a single IP with nginx. Default HTTP and HTTPS serving a 404 for unknown domains incoming.

1 - Create a default zone

As nginx is loading vhosts in ascii order, you should create a 00-default file/symbolic link into your /etc/nginx/sites-enabled.

2 - Fill the default zone

Fill your 00-default with default vhosts. Here is the zone i am using:

server {
    server_name _;
    listen       80  default_server;
    return       404;
}


server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return       404;
}

3 - Create self signed certif, test, and reload

You will need to create a self signed certificate into /etc/nginx/ssl/nginx.crt.

Create a default self signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Just a reminder:

Test the nginx configuration before reloading/restarting : nginx -t
Reload a enjoy: sudo service nginx reload

Hope it helps.

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

You could have multiple server blocks. So just add new server block for domains that need HSTS.

server {
    listen xx.xx.xxx.xxx:443 ssl default_server;

    # all ssl stuff
    # and other directives
}

server {
    listen xx.xx.xxx.xxx:443 ssl;
    server_name example.com other.example.com;

    # all ssl stuff
    # and other directives with HSTS enabled
}

Here first block will handle all https connections except example.com and other.example.com.

And you don't need ssl on directive if you have ssl flag in listen.

EDIT

There is another solution with only one server block:

map $scheme:$host $hsts_header {
    default "";
    https:example.com "max-age=31536000";
    https:other.example.com "max-age=31536000";
}

server {
    server_tokens off;

    listen xx.xx.xxx.xxx:80;
    listen xx.xx.xxx.xxx:443 ssl;

    ssl_certificate /etc/ssl/foo.crt;
    ssl_certificate_key /etc/ssl/private/foo.key;

    ssl_session_timeout 10m;

    # ... other ssl stuff

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header Host $host;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security $hsts_header;
    }
}

We use map to define HSTS header value and use the fact, than nginx will not add header with empty value.

Best Answer

Related Solutions

Nginx – Properly setting up a “default” nginx server for https

Nginx/Apache: set HSTS only if X-Forwarded-Proto is https

Related Topic