securing PrivateBin installation, by moving unneccessary bits out of the web root, making image support read-only operation, consistent white spaces in nginx config

2025-07-02 07:05:42 +00:00 · 2018-08-01 16:33:51 +02:00
parent 503f526328
commit 7be188fda2
3 changed files with 38 additions and 32 deletions
--- a/privatebin/rootfs/nginx/sites-enabled/nginx.conf
+++ b/privatebin/rootfs/nginx/sites-enabled/nginx.conf
@ -1,33 +1,33 @@
 server {
-        listen 8888;
-        root /privatebin;
-        index index.php index.html;
+    listen 8888;
+    root /srv;
+    index index.php;

-        location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
-            expires 30d;
-            access_log off;
-	}
+    location ~* \.(jpg|jpeg|gif|css|png|js|map|woff|woff2|ttf|svg|eot)$ {
+        expires 30d;
+        access_log off;
+    }

-        location ~ ^/(data|cfg|tmp) {                                        
-            deny all;                                                        
-        }                                                                    
-                                                                             
-        location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {  
-            deny all;                                                        
-        } 
-    
-        location ~ /\. {
-            deny all;
-        }
+    location ~ ^/(data|cfg|tmp) {
+        deny all;
+    }

-        location / {
-	    try_files $uri $uri/ /index.php;
-        }
+    location ~* /(.*)\.(?:markdown|md|twig|yaml|yml|ht|htaccess|ini)$ {
+        deny all;
+    }

-	location ~ \.php$ {
-            fastcgi_index index.php;
-            fastcgi_pass unix:/php/run/php-fpm.sock;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            include /nginx/conf/fastcgi_params;
-	}
+    location ~ /\. {
+        deny all;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php;
+    }
+
+    location ~ \.php$ {
+        fastcgi_index index.php;
+        fastcgi_pass unix:/php/run/php-fpm.sock;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include /nginx/conf/fastcgi_params;
+    }
 }
--- a/privatebin/rootfs/usr/local/bin/run.sh
+++ b/privatebin/rootfs/usr/local/bin/run.sh
@ -6,5 +6,5 @@ sed -i -e "s/<UPLOAD_MAX_SIZE>/$UPLOAD_MAX_SIZE/g" /nginx/conf/nginx.conf /php/e
       -e "s/<PHP_MIN_SPARE_SERVERS>/$PHP_MIN_SPARE_SERVERS/g" /php/etc/php-fpm.conf \
       -e "s/<PHP_MAX_SPARE_SERVERS>/$PHP_MAX_SPARE_SERVERS/g" /php/etc/php-fpm.conf

-chown -R $UID:$GID /privatebin /nginx /php /tmp /etc/s6.d
+chown -R $UID:$GID /privatebin/data /nginx /php /tmp /etc/s6.d
 exec su-exec $UID:$GID /bin/s6-svscan /etc/s6.d