From 7c9c5d9b57f6316a100fe69fda5be219a4bcb9b4 Mon Sep 17 00:00:00 2001 From: Julien Virey Date: Sat, 9 Sep 2023 07:11:36 +0200 Subject: [PATCH 1/7] Allow .well-known directory (pki validation / letsencrypt) --- basics/installation/advanced/nginx.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/basics/installation/advanced/nginx.md b/basics/installation/advanced/nginx.md index 568b22ff44..8714b15520 100644 --- a/basics/installation/advanced/nginx.md +++ b/basics/installation/advanced/nginx.md @@ -85,9 +85,9 @@ server { } } - # .htaccess, .DS_Store, .htpasswd, etc. - location ~ /\. { - deny all; + # .htaccess, .DS_Store, .htpasswd, etc., but keep .well-known available + location ~* /\.(?!well-known\/) { + deny all; } # Source code directories. From ad2decbafadd2fed4722aaaa230565121920ecbf Mon Sep 17 00:00:00 2001 From: Julien Virey Date: Mon, 11 Sep 2023 14:47:21 +0200 Subject: [PATCH 2/7] Files in .well-known should be served as plain text --- basics/installation/advanced/nginx.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/basics/installation/advanced/nginx.md b/basics/installation/advanced/nginx.md index 8714b15520..4087aba845 100644 --- a/basics/installation/advanced/nginx.md +++ b/basics/installation/advanced/nginx.md @@ -90,6 +90,11 @@ server { deny all; } + # files in .well-known should be served as plain text. + location ~* ^/\.well-known\/ { + default_type text/plain; + } + # Source code directories. location ~ ^/(app|bin|cache|classes|config|controllers|docs|localization|override|src|tests|tools|translations|var|vendor)/ { deny all; From e6eabd4a83d7e1a465cf3ffcc168e21e9206114a Mon Sep 17 00:00:00 2001 From: Julien Virey Date: Tue, 12 Sep 2023 11:49:39 +0200 Subject: [PATCH 3/7] Revert "Files in .well-known should be served as plain text" This reverts commit ad2decbafadd2fed4722aaaa230565121920ecbf. --- basics/installation/advanced/nginx.md | 5 ----- 1 file changed, 5 deletions(-) 
diff --git a/basics/installation/advanced/nginx.md b/basics/installation/advanced/nginx.md index 4087aba845..8714b15520 100644 --- a/basics/installation/advanced/nginx.md +++ b/basics/installation/advanced/nginx.md @@ -90,11 +90,6 @@ server { deny all; } - # files in .well-known should be served as plain text. - location ~* ^/\.well-known\/ { - default_type text/plain; - } - # Source code directories. location ~ ^/(app|bin|cache|classes|config|controllers|docs|localization|override|src|tests|tools|translations|var|vendor)/ { deny all; From c2708319445254a0d228348b778e2f14d2292951 Mon Sep 17 00:00:00 2001 From: Julien Virey Date: Tue, 12 Sep 2023 11:49:46 +0200 Subject: [PATCH 4/7] Revert "Allow .well-known directory (pki validation / letsencrypt)" This reverts commit 7c9c5d9b57f6316a100fe69fda5be219a4bcb9b4. --- basics/installation/advanced/nginx.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/basics/installation/advanced/nginx.md b/basics/installation/advanced/nginx.md index 8714b15520..568b22ff44 100644 --- a/basics/installation/advanced/nginx.md +++ b/basics/installation/advanced/nginx.md @@ -85,9 +85,9 @@ server { } } - # .htaccess, .DS_Store, .htpasswd, etc., but keep .well-known available - location ~* /\.(?!well-known\/) { - deny all; + # .htaccess, .DS_Store, .htpasswd, etc. + location ~ /\. { + deny all; } # Source code directories. From a5976b596b795c0a066e8942a119e0709787eb34 Mon Sep 17 00:00:00 2001 From: Julien Virey Date: Tue, 12 Sep 2023 11:55:32 +0200 Subject: [PATCH 5/7] Doc: nginx configuration for well-known dir --- scale/webservers/nginx.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/scale/webservers/nginx.md b/scale/webservers/nginx.md index 17b35e5427..3f264e4bb7 100644 --- a/scale/webservers/nginx.md +++ b/scale/webservers/nginx.md 
@@ -106,3 +106,20 @@ server { ... } ``` + +### Allow usage of `.well-known` directory (letsencrypt/pki validation, apple pay) + +The `.well-known` directory is a resource documented in [RFC 8615](https://datatracker.ietf.org/doc/html/rfc8615) and used by [many services](https://en.m.wikipedia.org/wiki/Well-known_URI). +If you need an external access to the `.well-known` directory, you can update you nginx configuration to use: + +```nginx +# .htaccess, .DS_Store, .htpasswd, etc., but keep .well-known available + location ~* /\.(?!well-known\/) { + deny all; + } + +# files in .well-known should be served as plain text. +location ~* ^/\.well-known\/ { + default_type text/plain; +} +``` From e550ba32ba120e6da54eab4c54f5a391f1238a7f Mon Sep 17 00:00:00 2001 From: Julien Virey Date: Tue, 12 Sep 2023 11:57:02 +0200 Subject: [PATCH 6/7] Fix formating --- scale/webservers/nginx.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scale/webservers/nginx.md b/scale/webservers/nginx.md index 3f264e4bb7..6db97647b6 100644 --- a/scale/webservers/nginx.md +++ b/scale/webservers/nginx.md @@ -114,9 +114,9 @@ If you need an external access to the `.well-known` directory, you can update yo ```nginx # .htaccess, .DS_Store, .htpasswd, etc., but keep .well-known available - location ~* /\.(?!well-known\/) { - deny all; - } +location ~* /\.(?!well-known\/) { + deny all; +} # files in .well-known should be served as plain text. location ~* ^/\.well-known\/ { From 35b1b2cc2241ee56e454805ee764c048a8f71004 Mon Sep 17 00:00:00 2001 From: Thomas NARES Date: Tue, 12 Sep 2023 14:11:43 +0200 Subject: [PATCH 7/7] Update scale/webservers/nginx.md --- scale/webservers/nginx.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scale/webservers/nginx.md b/scale/webservers/nginx.md index 6db97647b6..b752dd8dfd 100644 --- a/scale/webservers/nginx.md +++ b/scale/webservers/nginx.md 
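Review bot: The dotfile rule in the added snippet, `location ~* /\.(?!well-known\/)`, is unanchored and case-insensitive, so it lifts `deny all` for a `.well-known/` segment at any depth and in any letter case, while the companion block only matches `^/\.well-known\/` at the site root, which is where RFC 8615 places it. One narrower option is to leave the original `location ~ /\. { deny all; }` as it is and put `location ~ ^/\.well-known(?!.*/\.)/ { default_type text/plain; }` above it; nginx uses the first matching regex location in file order, so nested dotfiles under `.well-known` would still reach the deny. The paragraph before the snippet should also say that the first block replaces the existing dotfile deny rather than being added beside it, because an older `location ~ /\.` left earlier in the file would still match first and keep `.well-known` blocked. `default_type` only applies when the file extension is not in the MIME map, so the second comment would be more accurate as `# files without a known extension in .well-known are served as text/plain`.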
@@ -107,7 +107,7 @@ server { } ``` -### Allow usage of `.well-known` directory (letsencrypt/pki validation, apple pay) +### Allow usage of `.well-known` directory (Let's Encrypt / PKI validation, Apple Pay) The `.well-known` directory is a resource documented in [RFC 8615](https://datatracker.ietf.org/doc/html/rfc8615) and used by [many services](https://en.m.wikipedia.org/wiki/Well-known_URI). If you need an external access to the `.well-known` directory, you can update you nginx configuration to use: