Unable to automatically hide file
-
I got a:
Publicly accessible config, backup, or log file found: .user.ini
Type: Publicly Accessible Config/Backup/Log
When I click to hide I get:
Unable to automatically hide file
You are using an Nginx web server and using a FastCGI processor like PHP5-FPM. You will need to manually delete or hide those files.
Not sure how to do that.
-
I just used this to hide my php.ini file, so I’m guessing it would work for user.ini or any file for that matter.
I added this to my .htaccess file:
<Files php.ini>
Order allow,deny
Deny from all
</Files>

I use nginx server via cpnginx so it would not work.
Hi @spiros,
Please see this article from our documentation explaining how to proceed in order to block access to specific files when a site uses the NGINX web server.
Hi,
I have added
location ~ \.user\.ini$ { deny all; }
to my vhost template, restarted NGINX and PHP-FPM, but still the .user.ini file gets downloaded.
Just above, the template had
# Disable direct access to .ht files and folders
location ~ /\.ht { deny all; }
The guys from cpnginx.com who provide the cPanel plugin, when I emphasized the security risk that this entails, responded:
This is not an issue related to cpnginx. You may need to contact your server support to resolve the issue.
[…]
Kindly note that we do not provide any customization support on cPnginx. We suggest you to contact your server support team to do the task or you can purchase our cPanel Proactive enterprise plan from the following link https://syslint.com/cpanel-server-management/ so that we can check it from our end whether it is possible or not.

They do not sound very security-proactive to me for their product.
Here are some of the other blocks containing “location” above the place where I put it. I am at a loss really about this. I could forward the file if you want.
server {
    listen ${IP}:80;
    %if HAVE_DEDICATED_IP == '0':
    server_name ${DOMAIN} www.${DOMAIN};
    % endif
    %if HAVE_DEDICATED_IP == '1':
    server_name ${DOMAIN} www.${DOMAIN} ${IP} www.${IP};
    % endif
    root ${DOCROOT};
    index index.php index.php5 index.php4 index.php3 index.perl index.pl index.cgi index.phtml index.shtml index.xhtml index.html index.htm index.wml Default.html Default.htm default.html default.htm home.html home.htm;
    location = /favicon.ico { log_not_found off; }
    % if TYPE == "main" and USERDIR_STATUS == "1":
    # userdir enabled
    location ~ ^/~${USER}(/.*)?$ {
        alias ${DOCROOT}/$2;
        autoindex on;
        try_files $uri $uri/ @userdirproxy;
    }
    location @userdirproxy {
        proxy_pass http://${IP}:${APACHE_HTTP_PORT};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
    % endif
    % if TYPE == "addon" or TYPE == "parked":
    access_log /usr/local/apache/domlogs/${PARENT_DOMAIN} combined;
    access_log /usr/local/apache/domlogs/${PARENT_DOMAIN}-bytes_log bytes_log;
    %else:
    access_log /usr/local/apache/domlogs/${DOMAIN} combined;
    access_log /usr/local/apache/domlogs/${DOMAIN}-bytes_log bytes_log;
    % endif
    # Disable direct access to .php files in the following on a wordpress site
    location ~* /(?:uploads|files)/.*\.php$ { deny all; }
    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    referer_hash_bucket_size 512;
    # Run Static file directly from nginx
    location ~* ^.+.(${STATIC_FILES})$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }
    # Disable direct access to .ht files and folders
    location ~ /\.ht { deny all; }
    # Access all cpanel services
    location ~* ^/(cpanel|webmail|whm|bandwidth|img-sys|java-sys|mailman/archives|pipermail|sys_cpanel|cgi-sys|mailman) {
        proxy_pass http://${IP}:${APACHE_HTTP_PORT};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    % if MOD_FLV == "1":
    # Enabled FLV streaming
    location ~ .flv$ { flv; }
    % endif
    %if MOD_MP4 == "1":
    # Enabled MP4 streaming
    location ~ .mp4$ {
        mp4;
        mp4_buffer_size 4M;
        mp4_max_buffer_size 10M;
    }

This is what worked:
# Disable direct access to .user.ini files and folders
location ~ /\.us { deny all; }
I added this in 2 locations below this (protects .htaccess files):
# Disable direct access to .ht files and folders
location ~ /\.ht { deny all; }
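The thread does not establish why the first rule had no effect. One check that fits this kind of template, given here as an added example that is not from the thread or from cPnginx, is to audit the rendered vhost file block by block: nginx tests regex locations in file order and the first match wins, so each server block needs a `deny all` location that actually wins for /.user.ini. The sample config and all function names are constructed, and the model only understands flat `location ~` / `~*` blocks (no prefix or `=` locations, no nesting).

```python
import re

# Constructed sample, not the poster's vhost: only port 80 got the new rule.
SAMPLE_CONF = r"""
server {
    listen 80;
    location ~* \.(css|js|png)$ { expires 30d; }
    location ~ /\.ht { deny all; }
    location ~ /\.us { deny all; }
}
server {
    listen 443 ssl;
    location ~* \.(css|js|png)$ { expires 30d; }
    location ~ /\.ht { deny all; }
}
"""

# Simplified model: only flat `location ~` / `~*` blocks are understood.
LOCATION_RE = re.compile(r"location\s+(~\*?)\s+(\S+)\s*\{([^{}]*)\}")

def server_blocks(conf):
    """Yield the body of each server { ... } block with # comments removed."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def winning_regex_location(body, uri):
    """First regex location (file order) matching uri as (pattern, block), or None."""
    for mod, pattern, block in LOCATION_RE.findall(body):
        if re.search(pattern, uri, re.IGNORECASE if mod == "~*" else 0):
            return pattern, block

def audit(conf, uri="/.user.ini"):
    """Return [(listen value, True if uri lands in a `deny all` block)]."""
    results = []
    for body in server_blocks(conf):
        listen = re.search(r"listen\s+([^;]+);", body)
        hit = winning_regex_location(body, uri)
        denied = bool(hit and re.search(r"\bdeny\s+all\s*;", hit[1]))
        results.append((listen.group(1) if listen else "?", denied))
    return results

if __name__ == "__main__":
    for listen, denied in audit(SAMPLE_CONF):
        print(f"listen {listen}: /.user.ini {'denied' if denied else 'NOT denied'}")
```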