Whitelist urls instead of blacklist

2024-11-24 05:03:05 +00:00 · 2016-06-10 01:11:46 +08:00 · 2016-06-10 01:11:46 +08:00 · fe0376bb42
commit fe0376bb42
parent efcdac82e3
2 changed files with 7 additions and 15 deletions
--- a/.htaccess
+++ b/.htaccess
@ -12,19 +12,16 @@
    RewriteEngine On
    RewriteBase /

-    # Deny access to framework directories
-    RewriteRule ^(app|bootstrap|config|database|resources|storage|tests|vendor|node_modules)/ - [R=404,L,NC]
-
-    # And dot files/folders (for example .env)
-    RedirectMatch 404 /\..*$
-
    # Redirect Trailing Slashes...
    RewriteRule ^(.*)/$ /$1 [L,R=301]

+    # Whitelist only index.php, robots.txt, and those start with public/ or api/
+    RewriteRule ^(?!($|index\.php|robots\.txt|(public|api)/)) - [R=404,L]
+
    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
-    RewriteRule ^ index.php [L]
+    RewriteRule .* index.php [L]

    # https://github.com/tymondesigns/jwt-auth/wiki/Authentication
    RewriteCond %{HTTP:Authorization} ^(.*)
--- a/nginx.conf.example
+++ b/nginx.conf.example
@ -4,14 +4,9 @@ server {
  root          /var/www/koel;
  index         index.php;

-  # Deny access to dotfiles
-  location ~ /\. {
-    deny        all;
-  }
-
-  # Deny access to framework directories
-  location ~ /(app|bootstrap|config|database|resources|storage|tests|vendor|node_modules)/ {
-    deny        all;
+  # Whitelist only index.php, robots.txt, and those start with public/ or api/
+  if ($request_uri !~ ^/$|index\.php|robots\.txt|api/|public/) {
+    return 404;
  }

  location /media/ {