use crate::state::Framework;
/// Returns the nginx `try_files` argument list used as the front-controller
/// fallback chain for `fw`.
///
/// For `Framework::Drupal` the `$uri/` directory probe is omitted; every other
/// variant gets the three-step `$uri $uri/ /index.php?$query_string` chain.
pub fn nginx_try_files(fw: Framework) -> &'static str {
    const DRUPAL_CHAIN: &str = "$uri /index.php?$query_string";
    const DEFAULT_CHAIN: &str = "$uri $uri/ /index.php?$query_string";

    if matches!(fw, Framework::Drupal) {
        DRUPAL_CHAIN
    } else {
        DEFAULT_CHAIN
    }
}
/// Returns nginx `location` rules that deny direct access to Grav's private
/// paths; every other framework yields an empty string.
///
/// Rule order is load-bearing: nginx uses the first regex `location` that
/// matches, so the `/user/data/` media allow-list (answered with
/// `try_files $uri =404`) is emitted *before* the blanket `/user/data/` deny.
/// Keep that order when editing. Most rules are `~*` (case-insensitive); the
/// root-file and `.env` rules use `~` and are case-sensitive.
///
/// NOTE(review): by the same first-match rule, the snippet only protects
/// anything if the caller splices it in ahead of its PHP handler `location`
/// — confirm at the call site, which is not visible here.
/// NOTE(review): these patterns have drifted slightly from [`caddy_security`]
/// (here `backup`, there `backups?`; `json` is blocked here but not there;
/// the root-file rule here is case-sensitive and has no trailing `$`) —
/// presumably unintended; verify which set is canonical.
pub fn nginx_security(fw: Framework) -> &'static str {
    // Raw string: the nginx regexes keep their backslashes verbatim.
    const GRAV_RULES: &str = r#" location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
location ~* /user/(accounts|config|env)/.*$ { return 403; }
location ~* /user/data/.*\.(jpe?g|png|gif|webp|avif|bmp|ico|mp4|webm|ogg|ogv|mov|mp3|wav|m4a|flac|pdf)$ { try_files $uri =404; }
location ~* /user/data/.*$ { return 403; }
location ~* /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
location ~* /user/.*\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
location ~ /\.env(\.|$) { return 403; }
"#;

    if matches!(fw, Framework::Grav) {
        GRAV_RULES
    } else {
        ""
    }
}
/// Returns Caddyfile named matchers plus `respond … 403` directives that deny
/// direct access to Grav's private paths; every other framework yields an
/// empty string.
///
/// The `/user/data/` media exemption is expressed inside the
/// `@reeve_grav_userdata` matcher itself (`path_regexp` AND `not path_regexp`),
/// so unlike the nginx variant the order of the `respond` lines is not
/// significant. Every matcher is case-insensitive via `(?i)` except
/// `@reeve_grav_dotenv`.
///
/// NOTE(review): the patterns differ slightly from [`nginx_security`]
/// (`backups?` vs `backup`; no `json` in the `/system`, `/vendor` and
/// `/user` extension lists) — presumably unintended drift; verify.
pub fn caddy_security(fw: Framework) -> &'static str {
    // One literal per Caddyfile line; each already carries its own tab
    // indentation and trailing newline.
    const GRAV_RULES: &str = concat!(
        "\t@reeve_grav_dirs path_regexp (?i)^/(\\.git|cache|bin|logs|backups?|tests)/\n",
        "\t@reeve_grav_userconf path_regexp (?i)^/user/(accounts|config|env)/\n",
        "\t@reeve_grav_userdata {\n",
        "\t\tpath_regexp (?i)^/user/data/\n",
        "\t\tnot path_regexp (?i)\\.(jpe?g|png|gif|webp|avif|bmp|ico|mp4|webm|ogg|ogv|mov|mp3|wav|m4a|flac|pdf)$\n",
        "\t}\n",
        "\t@reeve_grav_sys path_regexp (?i)^/(system|vendor)/.*\\.(txt|xml|md|html|htm|shtml|shtm|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$\n",
        "\t@reeve_grav_userscripts path_regexp (?i)^/user/.*\\.(txt|md|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$\n",
        "\t@reeve_grav_rootfiles path_regexp (?i)/(LICENSE\\.txt|composer\\.lock|composer\\.json|nginx\\.conf|web\\.config|htaccess\\.txt|\\.htaccess)$\n",
        "\t@reeve_grav_dotenv path_regexp \\.env(\\..+)?$\n",
        "\trespond @reeve_grav_dirs 403\n",
        "\trespond @reeve_grav_userconf 403\n",
        "\trespond @reeve_grav_userdata 403\n",
        "\trespond @reeve_grav_sys 403\n",
        "\trespond @reeve_grav_userscripts 403\n",
        "\trespond @reeve_grav_rootfiles 403\n",
        "\trespond @reeve_grav_dotenv 403\n",
    );

    if matches!(fw, Framework::Grav) {
        GRAV_RULES
    } else {
        ""
    }
}
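// Regression tests for the generated nginx/Caddy snippets. Besides the
// presence checks, they pin two properties that would silently weaken the
// rules if broken: nginx rule ordering and Caddy matcher/respond pairing.
#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn try_files_drupal_skips_directory_probe() {
        assert_eq!(nginx_try_files(Framework::Drupal), "$uri /index.php?$query_string");
        assert_eq!(nginx_try_files(Framework::Generic), "$uri $uri/ /index.php?$query_string");
    }

    #[test]
    fn grav_security_blocks_sensitive_and_allows_media() {
        let n = nginx_security(Framework::Grav);
        assert!(n.contains("/user/(accounts|config|env)/"));
        assert!(n.contains("flac|pdf)$ { try_files"));
        // nginx takes the first matching regex location, so the media
        // allow-list must be emitted before the blanket /user/data deny.
        let allow = n.find("{ try_files $uri =404; }").expect("media allow rule present");
        let deny = n.find("/user/data/.*$ { return 403; }").expect("user/data deny rule present");
        assert!(allow < deny, "media allow-list must precede the /user/data deny");

        let c = caddy_security(Framework::Grav);
        assert!(c.contains("path_regexp (?i)^/user/(accounts|config|env)/"));
        assert!(c.contains("not path_regexp"));
        assert!(c.contains("respond @reeve_grav_userconf 403"));
    }

    #[test]
    fn every_caddy_matcher_gets_a_deny() {
        let c = caddy_security(Framework::Grav);
        // Matcher declarations are the lines starting with "\t@"; the nested
        // "\t\t" lines of the userdata block are skipped by the prefix test.
        let matchers: Vec<&str> = c
            .lines()
            .filter_map(|l| l.strip_prefix("\t@"))
            .filter_map(|rest| rest.split_whitespace().next())
            .collect();
        assert_eq!(matchers.len(), 7);
        for name in matchers {
            let respond = format!("\trespond @{} 403\n", name);
            assert!(c.contains(&respond), "matcher @{} has no respond rule", name);
        }
    }

    #[test]
    fn generic_has_no_security_rules() {
        assert_eq!(nginx_security(Framework::Generic), "");
        assert_eq!(caddy_security(Framework::Generic), "");
    }
}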