This applies whenever a user, authenticated or not, is able to upload files to your server that are then served to the public.
First of all, the web developer must ensure that the uploaded file is on the list of allowed file types. That is the easy part, but what if we also want to prevent server-side execution of the newly uploaded file?
If we only have to deal with images, there are techniques to check the file type and extension, and even server-side image processing tools that can help.
This is where NGINX comes in handy, whether it serves the site directly or sits in front of the Apache web server as a reverse proxy.
And the solution is very simple.
Instruct NGINX to serve the upload locations as static files, which prevents their execution: a location block with no fastcgi_pass or proxy_pass hands nothing to the PHP interpreter or to Apache. NGINX just reads the file from disk and returns its bytes, so an uploaded script is downloaded, never run on the server.
Just add these lines to the NGINX configuration for your site (host):

    server {
        ...
        # serve the desired files as static and thus prevent their execution
        location ~ ^/(public_assets|another_public_assets|private_files/public_files)/ {
            root /var/www/example.com/public_html;
            access_log off;
            log_not_found off;
            expires max;
        }
        ...
    }
Take a look at the private_files/public_files location: this rule only covers the "public_files" sub-folder, not the entire "private_files" folder, which would (and should) be protected against direct access.
The "root" part is the document root declared for the example.com host.
One caveat: NGINX evaluates regex locations in the order they appear in the configuration and uses the first one that matches, so this block has to come before the usual "location ~ \.php$" block that passes requests to PHP-FPM (or the proxy_pass block that forwards them to Apache). Placed after it, the PHP handler would match an uploaded .php file first and execute it.
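A fuller server block showing where the upload rule has to sit relative to the PHP handler, as an added example that is not the original post's configuration. It keeps the post's regex location and adds a deny rule for the rest of private_files plus a standard PHP-FPM handler; the socket path /run/php/php-fpm.sock, the listen port, the index.php front controller and the nosniff header are assumptions to adjust for your site.

```nginx
# Added example; not the configuration from the original post. Assumed details:
# PHP-FPM on unix:/run/php/php-fpm.sock, port 80, an index.php front controller.
# Upload folders and document root are the ones named in the post.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com/public_html;
    index index.php;

    # 1. Upload folders, served straight from disk. No fastcgi_pass or
    #    proxy_pass here, so an uploaded "shell.php" is returned as bytes and
    #    never handed to PHP (or to Apache, in the proxy setup).
    #    Regex locations are tried in file order and the first match wins, so
    #    this block MUST appear before the ~ \.php$ block further down.
    location ~ ^/(public_assets|another_public_assets|private_files/public_files)/ {
        access_log off;
        log_not_found off;
        expires max;
        # Server-side execution is stopped by the block itself; this header
        # also keeps browsers from sniffing a disguised HTML/SVG upload into an
        # inline, same-origin script.
        add_header X-Content-Type-Options nosniff always;
    }

    # 2. Everything else under /private_files/ is not reachable by URL at all.
    #    Placed after the rule above, so /private_files/public_files/... has
    #    already matched and is still served.
    location ~ ^/private_files/ {
        deny all;
    }

    # 3. Ordinary PHP handling for the rest of the site. If this block came
    #    first, /public_assets/shell.php would match here and be executed.
    location ~ \.php$ {
        try_files $uri =404;   # no file on disk, no execution (PATH_INFO tricks)
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # For NGINX in front of Apache, replace block 3 with a proxy_pass location
    # (e.g. "location / { proxy_pass http://127.0.0.1:8080; }"); block 1 stays
    # as is, because NGINX answers those requests itself and Apache never sees
    # them.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

To check it, run "nginx -t", reload, drop a file containing "<?php phpinfo();" into public_assets and request it: the response should be that source text with a non-PHP content type, not the phpinfo page. A request for any other path under /private_files/ should return 403.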