I have a media folder at the URL example.com/media/ and I want to deny users from running scripts on my server. My server app is nginx, and in How to deny script execution inside writable directories I couldn't find anything specific to a particular URL. This is my nginx server config:
# sites-available/default
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com example.com;
    ssl_certificate /var/www/example/ssl/ssl.crt;
    ssl_certificate_key /var/www/example/ssl/ssl.key;

    location /static {
        alias /var/www/example/static;
        expires 7d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location /media {
        alias /var/www/example/media;
        # limit download speed after 5mb download
        limit_rate_after 5m;
        limit_rate 120k;
        limit_req zone=lh burst=5 nodelay;
    }

    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}
I want to deny running any executable stuff in my media URL, where users can upload their files to the server. How can I do that? For example, when a user navigates to example.com/media/bomb.py, nginx should return a 404 error page. I've also changed the media folder's execute permissions, but I need to do it in nginx in order to stop script files from being viewed.
First of all, when there is no other configuration in nginx, it simply reads the file from the filesystem and then sends it out to the client over the TCP connection. So, in your case, if you had a bomb.py in your media directory, your users would just receive the file; it would not be executed.

Second, your upload script should check the allowed upload file types, so that no such files can even be uploaded.

Finally, an answer to your actual question. You can provide a more specific location directive for the media directory, which allows only certain extensions to be processed with it. Other requests go via the location / directive. This location directive will serve files via the block only if the filename is in the /media/ directory, has at least one character that is not a dot (.), and has an extension of gif / jpg / png.
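The answer above describes a regex location for /media/ but the block itself is not shown on the page. The following is an added example, written by the editor and not taken from the answer, of one way to express that rule against the question's own paths and rate-limit settings; the zone name lh, the alias path and the named capture $file are assumed from the question or chosen here. Note that a regex location wins over the prefix `location /media` unless that prefix uses `^~`, so the fallback for anything else under /media/ is a separate prefix location that returns 404, as the question asks.

```nginx
# Added example: only image files are served from /media/,
# everything else under /media/ gets a 404 instead of the file.

# [^.]+ allows subdirectories (slashes are fine) but no dots before the
# extension, so "bomb.py", "bomb.py.gif" and "../" paths never match here.
location ~* ^/media/(?<file>[^.]+\.(gif|jpe?g|png))$ {
    # alias with a capture: the matched path is appended to the media root
    alias /var/www/example/media/$file;

    # same download throttling the question already applies to /media
    limit_rate_after 5m;
    limit_rate 120k;
    limit_req zone=lh burst=5 nodelay;
}

# Any other request under /media/ (scripts, HTML, double extensions, ...)
# is answered with 404 rather than being served or proxied to the app.
location /media/ {
    return 404;
}
```

Reload only after `nginx -t` reports the configuration as valid; the regex is case-insensitive (`~*`) so `BOMB.PY` is still rejected and `photo.JPG` is still served. Keep the upload-side type check the answer recommends as well: the location only controls what nginx will hand out, not what lands on disk.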