From 37f442064b61beece7fe2a2271e412e5a5c75ab2 Mon Sep 17 00:00:00 2001
From: Pierre Ozoux <pierre@ozoux.net>
Date: Fri, 25 Oct 2019 14:46:46 +0200
Subject: [PATCH] Updates nginx.conf to match upstream.

And fixes this CVE:
https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
---
 nginx.conf | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/nginx.conf b/nginx.conf
index c192d78..002a1b0 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -40,28 +40,27 @@ http {
     client_max_body_size 1G;
     fastcgi_buffers 64 4K;
 
-    gzip off;
-
-    index index.php;
-    error_page 403 /core/templates/403.php;
-    error_page 404 /core/templates/404.php;
+    gzip off; # handled at haproxy level
  
     location / {
-        rewrite ^ /index.php$uri;
+        rewrite ^ /index.php;
     }
-
-    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+    
+    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
         deny all;
     }
-    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+    
+    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
         deny all;
     }
 
-    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
-        include fastcgi_params;
+    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
         fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        try_files $fastcgi_script_name =404;
+        set $path_info $fastcgi_path_info;
+        include fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param PATH_INFO $path_info;
         fastcgi_param HTTPS on;
         #Avoid sending the security headers twice
         fastcgi_param modHeadersAvailable true;
@@ -71,15 +70,15 @@ http {
         fastcgi_request_buffering off;
     }
 
-    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
         try_files $uri/ =404;
         index index.php;
     }
 
     # Adding the cache control header for js and css files
     # Make sure it is BELOW the PHP block
-    location ~ \.(?:css|js|woff|svg|gif)$ {
-        try_files $uri /index.php$uri$is_args$args;
+    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+        try_files $uri /index.php$request_uri;
         add_header Cache-Control "public, max-age=15778463";
         # Add headers to serve security related headers (It is intended to
         # have those duplicated to the ones above)
@@ -98,8 +97,8 @@ http {
         access_log off;
     }
 
-    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
-        try_files $uri /index.php$uri$is_args$args;
+    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+        try_files $uri /index.php$request_uri;
         # Optional: Don't log access to other assets
         access_log off;
     }
-- 
GitLab