This applies whenever a user, authenticated or not, is able to upload files to your server for public access.
First of all, the web developer must ensure that the uploaded file is in the list of allowed file types. That's the easy part, but what if we also want to prevent server-side execution of the newly uploaded file?
If we only have to deal with images, there are techniques to check the file type and extension, and even server-side image processing tools that can help.
This is where NGINX (used directly as the web server, or as a proxy in front of the Apache web server) comes in handy.
And the solution is very simple.
Instruct NGINX to serve the files from the chosen locations as static content, which prevents their execution.
Just add these lines to the NGINX configuration for your site (host):

```nginx
server {
    ...
    # serve the files in these locations as static content, which prevents their execution
    location ~ ^/(public_assets|another_public_assets|private_files/public_files)/ {
        root /var/www/example.com/public_html;
        access_log off;
        log_not_found off;
        expires max;
    }
    ...
}
```
The excerpt above instructs NGINX to serve files from within the declared locations (public_assets, another_public_assets and private_files/public_files) directly, bypassing any other handler (such as a PHP or application handler).
Take a look at the private_files/public_files location: this rule applies only to the "public_files" sub-folder, not to the entire "private_files" folder, which would (and should) be protected from direct access.
The "root" part is the document root declared for the example.com host.
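As an added example (not from the original post), here is a complete site configuration showing where the static location has to sit relative to a PHP handler; the php-fpm socket path, the 403 rule for the rest of private_files and the nosniff header are assumptions.

```nginx
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com/public_html;
    index index.php index.html;

    # Upload directories are served as static content. Regex locations are
    # tested in the order they appear and the first match wins, so this block
    # must come BEFORE the PHP handler below; otherwise a request for
    # /public_assets/anything.php would be handed to php-fpm and executed.
    location ~ ^/(public_assets|another_public_assets|private_files/public_files)/ {
        access_log off;
        log_not_found off;
        expires max;
        # Stop browsers from sniffing an uploaded file into a script type (assumed addition).
        add_header X-Content-Type-Options nosniff;
    }

    # Everything else under private_files is not reachable directly (assumed addition).
    location ~ ^/private_files/ {
        return 403;
    }

    # Application code: only paths that did not match above reach PHP.
    location ~ \.php$ {
        try_files $uri =404;   # never pass a non-existent script name to php-fpm
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Run `nginx -t` and reload, then confirm that a harmless test file saved under an upload directory with a .php name is returned as its raw contents rather than executed. If you prefer not to depend on ordering, a `location ^~ /public_assets/` prefix block per directory takes precedence over every regex location regardless of where it appears.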