From 9c2d6891c1882296621ce272ed84d8150d5e2df2 Mon Sep 17 00:00:00 2001 From: alloylab Date: Wed, 14 Jan 2026 09:36:38 -0600 Subject: [PATCH 01/10] Update PHP base opertating systems. Add Alpine 3.23 support (#638) PHP repo no longer has images available for alpine3.21 for latest minor versions, this removes 3.21 if its no longer available and adds 3.23 if available --- scripts/conf/php-versions-base-config.yml | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/scripts/conf/php-versions-base-config.yml b/scripts/conf/php-versions-base-config.yml index 373f0897..9b3a614e 100644 --- a/scripts/conf/php-versions-base-config.yml +++ b/scripts/conf/php-versions-base-config.yml @@ -35,42 +35,43 @@ php_versions: - minor: "8.1" base_os: - name: alpine3.21 + - name: alpine3.22 - name: bookworm - name: trixie patch_versions: - # - 8.1.28 # Pull latest from Official PHP source + # - 8.1.34 # Pull latest from Official PHP source - minor: "8.2" base_os: - - name: alpine3.21 - name: alpine3.22 + - name: alpine3.23 - name: bookworm - name: trixie patch_versions: - # - 8.2.18 # Pull latest from Official PHP source + # - 8.2.30 # Pull latest from Official PHP source - minor: "8.3" base_os: - - name: alpine3.21 - name: alpine3.22 + - name: alpine3.23 - name: bookworm - name: trixie patch_versions: - # - 8.3.6 # Pull latest from Official PHP source + # - 8.3.29 # Pull latest from Official PHP source - minor: "8.4" base_os: - - name: alpine3.21 - name: alpine3.22 + - name: alpine3.23 - name: bookworm - name: trixie patch_versions: - # - 8.4.1 # Pull latest from Official PHP source + # - 8.4.16 # Pull latest from Official PHP source - minor: "8.5" base_os: - - name: alpine3.21 - name: alpine3.22 + - name: alpine3.23 - name: bookworm - name: trixie patch_versions: - # - 8.5.0 # Pull latest from Official PHP source + # - 8.5.1 # Pull latest from Official PHP source operating_systems: - family: alpine @@ -103,6 +104,10 @@ operating_systems: version: alpine3.22 number: 3.22 nginx_version: 1.28.0-r1 + - name: "Alpine 3.23" + version: alpine3.23 + number: 3.23 + nginx_version: 1.28.0-r1 - family: debian default: true versions: From 02605421cab86ed8d58ed138ff01613319d18cc5 Mon Sep 17 00:00:00 2001 From: Jay Rogers Date: Wed, 14 Jan 2026 09:41:22 -0600 Subject: [PATCH 02/10] Update PHP extension installer version to 2.9.27 --- .../local/bin/docker-php-serversideup-install-php-ext-installer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/usr/local/bin/docker-php-serversideup-install-php-ext-installer b/src/common/usr/local/bin/docker-php-serversideup-install-php-ext-installer index 2d7ddac4..a3c3cfc0 100644 --- a/src/common/usr/local/bin/docker-php-serversideup-install-php-ext-installer +++ b/src/common/usr/local/bin/docker-php-serversideup-install-php-ext-installer @@ -11,7 +11,7 @@ script_name="docker-php-serversideup-install-php-ext-installer" ############ # Environment variables ############ -PHP_EXT_INSTALLER_VERSION="2.9.18" +PHP_EXT_INSTALLER_VERSION="2.9.27" ############ # Main From 7f2836a89c06aaa44e5f9d6f451965aff66d7b67 Mon Sep 17 00:00:00 2001 From: Jay Rogers Date: Wed, 14 Jan 2026 10:05:58 -0600 Subject: [PATCH 03/10] Update NGINX version to 1.28.1 --- scripts/conf/php-versions-base-config.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/scripts/conf/php-versions-base-config.yml b/scripts/conf/php-versions-base-config.yml index 9b3a614e..03394995 100644 --- a/scripts/conf/php-versions-base-config.yml +++ b/scripts/conf/php-versions-base-config.yml @@ -95,31 +95,31 @@ operating_systems: - name: "Alpine 3.20" version: alpine3.20 number: 3.20 - nginx_version: 1.28.0-r1 + nginx_version: 1.28.1-r1 - name: "Alpine 3.21" version: alpine3.21 number: 3.21 - nginx_version: 1.28.0-r1 + nginx_version: 1.28.1-r1 - name: "Alpine 3.22" version: alpine3.22 number: 3.22 - nginx_version: 1.28.0-r1 + nginx_version: 1.28.1-r1 - name: "Alpine 3.23" version: alpine3.23 number: 3.23 - nginx_version: 1.28.0-r1 + nginx_version: 1.28.1-r1 - family: debian default: true versions: - name: "Debian Bullseye" version: bullseye number: 11 - nginx_version: 1.28.0-1~bullseye + nginx_version: 1.28.1-1~bullseye - name: "Debian Bookworm" version: bookworm number: 12 - nginx_version: 1.28.0-1~bookworm + nginx_version: 1.28.1-1~bookworm - name: "Debian Trixie" version: trixie number: 13 - nginx_version: 1.28.0-1~trixie + nginx_version: 1.28.1-1~trixie From 7a1b6b983bdc4180de27e02e4a05572480f8ef66 Mon Sep 17 00:00:00 2001 From: Marcel Arns <38068686+marns93@users.noreply.github.com> Date: Thu, 15 Jan 2026 20:21:00 +0100 Subject: [PATCH 04/10] Refactor and improve security headers, file blocks, etc (#631) * Fix blocking .well-known path for FrankenPHP * Remove specific endpoint checks because the whole folder should be allowed * Enhance security configurations across Apache, NGINX, and Caddy by implementing best practices for HTTP headers and file access restrictions. Added protections against clickjacking, MIME type sniffing, and sensitive file exposure while allowing necessary access to well-known URIs as per RFC 8615. --------- Co-authored-by: Jay Rogers <3174134+jaydrogers@users.noreply.github.com> Co-authored-by: Jay Rogers --- .../etc/apache2/conf-available/security.conf | 137 ++++++++---------- .../etc/nginx/server-opts.d/security.conf | 49 +++++-- .../frankenphp/etc/frankenphp/Caddyfile | 34 +++-- 3 files changed, 120 insertions(+), 100 deletions(-) diff --git a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf index 43957f47..990648e7 100644 --- a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf +++ b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf @@ -1,98 +1,77 @@ +## +# Security Configuration +## + +# This configuration follows security best practices from: # -# Disable access to the entire file system except for the directories that -# are explicitly allowed later. +# H5BP Server Configs (Apache) +# https://github.com/h5bp/server-configs-apache # -# This currently breaks the configurations that come with some web application -# Debian packages. +# OWASP Secure Headers Project +# https://owasp.org/www-project-secure-headers/ # -# -# AllowOverride None -# Require all denied -# - +# RFC 8615 - Well-Known URIs +# https://www.rfc-editor.org/rfc/rfc8615 +# +# ############################################################################## -# Changing the following options will not really affect the security of the -# server, but might make attacks slightly more difficult in some cases. +# ------------------------------------------------------------------------------ +# | Server Software Information | +# ------------------------------------------------------------------------------ -# -# ServerTokens -# This directive configures what you return as the Server HTTP response -# Header. The default is 'Full' which sends information about the OS-Type -# and compiled in modules. -# Set to one of: Full | OS | Minimal | Minor | Major | Prod -# where Full conveys the most information, and Prod the least. -#ServerTokens Minimal -# ServerTokens OS -# #ServerTokens Full +# Minimize information sent about the server +# https://httpd.apache.org/docs/current/mod/core.html#servertokens ServerTokens Prod -# -# Optionally add a line containing the server version and virtual host -# name to server-generated pages (internal error documents, FTP directory -# listings, mod_status and mod_info output etc., but not CGI generated -# documents or custom error documents). -# Set to "EMail" to also include a mailto: link to the ServerAdmin. -# Set to one of: On | Off | EMail +# Disable server signature on error pages +# https://httpd.apache.org/docs/current/mod/core.html#serversignature ServerSignature Off -# ServerSignature On -# -# Allow TRACE method -# -# Set to "extended" to also reflect the request body (only for testing and -# diagnostic purposes). -# -# Set to one of: On | Off | extended +# Disable TRACE HTTP method to prevent XST attacks +# https://owasp.org/www-community/attacks/Cross_Site_Tracing TraceEnable Off -#TraceEnable On -# -# Forbid access to version control directories -# -# If you use version control systems in your document root, you should -# probably deny access to their directories. For example, for subversion: -# - - Require all denied +# ------------------------------------------------------------------------------ +# | Security Headers | +# ------------------------------------------------------------------------------ + +# Prevent clickjacking attacks by disabling iframe embedding +# https://owasp.org/www-project-secure-headers/#x-frame-options +Header always set X-Frame-Options "SAMEORIGIN" + +# Prevent MIME type sniffing attacks +# https://owasp.org/www-project-secure-headers/#x-content-type-options +Header always set X-Content-Type-Options "nosniff" + +# Control referrer information sent with requests +# https://owasp.org/www-project-secure-headers/#referrer-policy +Header always set Referrer-Policy "strict-origin-when-cross-origin" + +# Enable HTTP Strict Transport Security (HSTS) +# https://owasp.org/www-project-secure-headers/#strict-transport-security +Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" + +# ------------------------------------------------------------------------------ +# | File Access Restrictions | +# ------------------------------------------------------------------------------ + +# Block access to all hidden files and directories (dotfiles) +# EXCEPT for the "/.well-known/" directory which is required by RFC 8615 +# for ACME challenges, security.txt, and other standardized endpoints. +# https://www.rfc-editor.org/rfc/rfc8615 +# https://github.com/h5bp/server-configs-apache + + Require all denied -# Prevent Apache from serving Gitlab files - - Require all denied +# Block access to files that may expose sensitive information +# Based on H5BP server configs: https://github.com/h5bp/server-configs-apache + + Require all denied # Disable XML-RPC on all wordpress sites Require all denied # allow from xxx.xxx.xxx.xxx - - -# -# Setting this header will prevent MSIE from interpreting files as something -# else than declared by the content type in the HTTP headers. -# Requires mod_headers to be enabled. -# -Header always set X-Content-Type-Options: "nosniff" - -# -# Setting this header will prevent other sites from embedding pages from this -# site as frames. This defends against clickjacking attacks. -# Requires mod_headers to be enabled. -# -Header always set X-Frame-Options: "sameorigin" - -# -# Referrer policy -# -Header always set Referrer-Policy "no-referrer-when-downgrade" - -# -# Content Security Policy -# UPDATE - September 2020: Commenting this out until we grasp better security requirements -# -#Header always set Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" - -# -# Strict-Transport-Security Policy (set HSTS) -# -Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" \ No newline at end of file + \ No newline at end of file diff --git a/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf b/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf index e9056298..19986ee3 100644 --- a/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf +++ b/src/variations/fpm-nginx/etc/nginx/server-opts.d/security.conf @@ -1,24 +1,51 @@ +## +# Security Configuration +## + +# This configuration follows security best practices from: +# +# H5BP Server Configs (nginx) +# https://github.com/h5bp/server-configs-nginx # -# Security Headers +# OWASP Secure Headers Project +# https://owasp.org/www-project-secure-headers/ # +# RFC 8615 - Well-Known URIs +# https://www.rfc-editor.org/rfc/rfc8615 +# +# ############################################################################## -# Prevent IFRAME spoofing attacks +# Prevent clickjacking attacks by disabling iframe embedding +# https://owasp.org/www-project-secure-headers/#x-frame-options add_header X-Frame-Options "SAMEORIGIN" always; -# Prevent MIME attacks +# Prevent MIME type sniffing attacks +# https://owasp.org/www-project-secure-headers/#x-content-type-options add_header X-Content-Type-Options "nosniff" always; -# Prevent Referrer URL from being leaked -add_header Referrer-Policy "no-referrer-when-downgrade" always; - -# Configure Content Security Policy -# UPDATE - September 2020: Commenting this out until we grasp better security requirements -#add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always; +# Control referrer information sent with requests +# https://owasp.org/www-project-secure-headers/#referrer-policy +add_header Referrer-Policy "strict-origin-when-cross-origin" always; -# Enable HSTS +# Enable HTTP Strict Transport Security (HSTS) +# https://owasp.org/www-project-secure-headers/#strict-transport-security add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; -# Prevent access to . files (the well-known directory) +# ------------------------------------------------------------------------------ +# | File Access Restrictions | +# ------------------------------------------------------------------------------ + +# Block access to hidden files and directories (dotfiles) +# EXCEPT for the "/.well-known/" directory which is required by RFC 8615 +# for ACME challenges, security.txt, and other standardized endpoints. +# https://www.rfc-editor.org/rfc/rfc8615 +# https://github.com/h5bp/server-configs-nginx location ~ /\.(?!well-known) { deny all; +} + +# Block access to files that may expose sensitive information +# Based on H5BP server configs: https://github.com/h5bp/server-configs-nginx +location ~* (?:#.*#|\.(?:bak|conf|config|dist|inc|ini|log|sh|sql|sw[op])|~)$ { + deny all; } \ No newline at end of file diff --git a/src/variations/frankenphp/etc/frankenphp/Caddyfile b/src/variations/frankenphp/etc/frankenphp/Caddyfile index 56691112..e914049c 100644 --- a/src/variations/frankenphp/etc/frankenphp/Caddyfile +++ b/src/variations/frankenphp/etc/frankenphp/Caddyfile @@ -127,24 +127,38 @@ fd00::/8 \ } (security) { - # Reject dot files and certain file extensions - @rejected path *.bak *.conf *.dist *.fla *.ini *.inc *.inci *.log *.orig *.psd *.sh *.sql *.swo *.swp *.swop */.* - - # Return 403 Forbidden for rejected files + # This configuration follows security best practices from: + # + # H5BP Server Configs (nginx) - Adapted for Caddy + # https://github.com/h5bp/server-configs-nginx + # + # OWASP Secure Headers Project + # https://owasp.org/www-project-secure-headers/ + # + # RFC 8615 - Well-Known URIs + # https://www.rfc-editor.org/rfc/rfc8615 + + # Block access to files that may expose sensitive information + @rejected { + path *.bak *.conf *.config *.dist *.inc *.ini *.log *.sh *.sql *.swp *.swo *~ */.* + # EXCEPTION: /.well-known/* is allowed per RFC 8615 for ACME challenges + # https://www.rfc-editor.org/rfc/rfc8615 + not path /.well-known/* + } respond @rejected 403 - # Security headers + # Security Headers + # https://owasp.org/www-project-secure-headers/ header { defer - # Prevent IFRAME spoofing attacks + # Prevent clickjacking attacks by disabling iframe embedding X-Frame-Options "SAMEORIGIN" - # Prevent MIME type sniffing + # Prevent MIME type sniffing attacks X-Content-Type-Options "nosniff" - # Prevent referrer leakage + # Control referrer information sent with requests Referrer-Policy "strict-origin-when-cross-origin" - # Prevent server header leakage + # Remove server identification headers -Server - # Prevent powered by header leakage -X-Powered-By } } From 2829cf20c3d2b116ef7102b5ff65c327b71413ee Mon Sep 17 00:00:00 2001 From: Jay Rogers Date: Thu, 15 Jan 2026 14:31:37 -0600 Subject: [PATCH 05/10] Update GitHub Actions to use actions/checkout@v6 in multiple workflows --- .github/workflows/action_update-dockerhub-readme.yml | 2 +- .github/workflows/scheduled-task_update-sponsors.yml | 2 +- .github/workflows/service_docker-build-and-publish.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/action_update-dockerhub-readme.yml b/.github/workflows/action_update-dockerhub-readme.yml index b7ebb6c9..9f848712 100644 --- a/.github/workflows/action_update-dockerhub-readme.yml +++ b/.github/workflows/action_update-dockerhub-readme.yml @@ -14,7 +14,7 @@ jobs: name: Push README to Docker Hub steps: - name: git checkout - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: main diff --git a/.github/workflows/scheduled-task_update-sponsors.yml b/.github/workflows/scheduled-task_update-sponsors.yml index 6461482d..3d1d233b 100644 --- a/.github/workflows/scheduled-task_update-sponsors.yml +++ b/.github/workflows/scheduled-task_update-sponsors.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout 🛎️ - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Generate Sponsors 💖 uses: JamesIves/github-sponsors-readme-action@v1 diff --git a/.github/workflows/service_docker-build-and-publish.yml b/.github/workflows/service_docker-build-and-publish.yml index dbd4d7fa..fb09ff5c 100644 --- a/.github/workflows/service_docker-build-and-publish.yml +++ b/.github/workflows/service_docker-build-and-publish.yml @@ -39,7 +39,7 @@ jobs: php-version-map-json: ${{ steps.get-php-versions.outputs.php-version-map-json }} steps: - name: Check out code - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: ${{ inputs.ref }} @@ -80,7 +80,7 @@ jobs: steps: - name: Check out code. - uses: actions/checkout@v5 + uses: actions/checkout@v6 with: ref: ${{ inputs.ref }} From f0e5dc93e7b1bbc43209a7e6eb75c96bf5bf24b1 Mon Sep 17 00:00:00 2001 From: Jay Rogers Date: Thu, 15 Jan 2026 14:31:58 -0600 Subject: [PATCH 06/10] Update GitHub Actions to use actions/upload-artifact@v6 for improved artifact handling --- .github/workflows/service_docker-build-and-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/service_docker-build-and-publish.yml b/.github/workflows/service_docker-build-and-publish.yml index fb09ff5c..1f14ef4b 100644 --- a/.github/workflows/service_docker-build-and-publish.yml +++ b/.github/workflows/service_docker-build-and-publish.yml @@ -67,7 +67,7 @@ jobs: echo "${MATRIX_JSON}" | jq '.' - name: Upload the php-versions.yml file - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: php-versions.yml path: ${{ inputs.php-versions-file }} From b8259a10b050555dc7485f1ad39f78cbdac7ec8a Mon Sep 17 00:00:00 2001 From: Jay Rogers Date: Thu, 15 Jan 2026 14:32:13 -0600 Subject: [PATCH 07/10] Update GitHub Actions to use actions/download-artifact@v7 for improved artifact handling --- .github/workflows/service_docker-build-and-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/service_docker-build-and-publish.yml b/.github/workflows/service_docker-build-and-publish.yml index 1f14ef4b..b53d63b6 100644 --- a/.github/workflows/service_docker-build-and-publish.yml +++ b/.github/workflows/service_docker-build-and-publish.yml @@ -85,7 +85,7 @@ jobs: ref: ${{ inputs.ref }} - name: Download PHP Versions file - uses: actions/download-artifact@v5 + uses: actions/download-artifact@v7 with: name: php-versions.yml path: ./artifacts From 245e23faa00d728f2f8248b28abfe46b8535f43f Mon Sep 17 00:00:00 2001 From: Jay Rogers Date: Thu, 15 Jan 2026 14:45:36 -0600 Subject: [PATCH 08/10] Upgrade FrankenPHP to v1.11.1 --- src/variations/frankenphp/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/variations/frankenphp/Dockerfile b/src/variations/frankenphp/Dockerfile index 50813be4..f9c1ed67 100644 --- a/src/variations/frankenphp/Dockerfile +++ b/src/variations/frankenphp/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_OS_VERSION='trixie' ARG PHP_VERSION='8.5' ARG BASE_IMAGE="php:${PHP_VERSION}-zts-${BASE_OS_VERSION}" -ARG FRANKENPHP_VERSION='1.10.1' +ARG FRANKENPHP_VERSION='1.11.1' ARG GOLANG_VERSION='1.25' ######################## From ca9136d971d096633f90927f43ae400feeb818fa Mon Sep 17 00:00:00 2001 From: Jay Rogers Date: Thu, 15 Jan 2026 14:47:30 -0600 Subject: [PATCH 09/10] =?UTF-8?q?Increase=20size=20of=20GitHub=20Actions?= =?UTF-8?q?=20Runners=20because=20of=20memory=20segmentation=20fault=20iss?= =?UTF-8?q?ues=20(Thanks=20Depot!=20=F0=9F=98=85)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/service_docker-build-and-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/service_docker-build-and-publish.yml b/.github/workflows/service_docker-build-and-publish.yml index b53d63b6..7c3a36dd 100644 --- a/.github/workflows/service_docker-build-and-publish.yml +++ b/.github/workflows/service_docker-build-and-publish.yml @@ -74,7 +74,7 @@ jobs: docker-publish: needs: setup-matrix - runs-on: depot-ubuntu-24.04-4 + runs-on: depot-ubuntu-24.04-8 strategy: matrix: ${{fromJson(needs.setup-matrix.outputs.php-version-map-json)}} From 919fd470827d06950fa70c6ab3e2601d75970db7 Mon Sep 17 00:00:00 2001 From: Jay Rogers <3174134+jaydrogers@users.noreply.github.com> Date: Fri, 16 Jan 2026 13:50:12 -0600 Subject: [PATCH 10/10] Add security measures to block PHP execution in storage directory (#641) Implemented restrictions across Apache, NGINX, and FrankenPHP configurations to prevent the execution of PHP files in the /storage directory, addressing potential vulnerabilities related to arbitrary file uploads (GHSA-29cq-5w36-x7w3). --- .../fpm-apache/etc/apache2/conf-available/security.conf | 6 ++++++ .../fpm-nginx/etc/nginx/site-opts.d/http.conf.template | 6 ++++++ .../fpm-nginx/etc/nginx/site-opts.d/https.conf.template | 6 ++++++ src/variations/frankenphp/etc/frankenphp/Caddyfile | 5 +++++ 4 files changed, 23 insertions(+) diff --git a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf index 990648e7..f572f250 100644 --- a/src/variations/fpm-apache/etc/apache2/conf-available/security.conf +++ b/src/variations/fpm-apache/etc/apache2/conf-available/security.conf @@ -55,6 +55,12 @@ Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains # | File Access Restrictions | # ------------------------------------------------------------------------------ +# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running +# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3) + + Require all denied + + # Block access to all hidden files and directories (dotfiles) # EXCEPT for the "/.well-known/" directory which is required by RFC 8615 # for ACME challenges, security.txt, and other standardized endpoints. diff --git a/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template b/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template index 1d6ee8e6..08a90ff9 100644 --- a/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template +++ b/src/variations/fpm-nginx/etc/nginx/site-opts.d/http.conf.template @@ -30,6 +30,12 @@ location / { try_files $uri $uri/ /index.php?$query_string; } +# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running +# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3) +location ~* ^/storage/.*\.php$ { + deny all; +} + # Pass "*.php" files to PHP-FPM location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; diff --git a/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template b/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template index 0685ac17..810ff074 100644 --- a/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template +++ b/src/variations/fpm-nginx/etc/nginx/site-opts.d/https.conf.template @@ -36,6 +36,12 @@ location / { try_files $uri $uri/ /index.php?$query_string; } +# Block PHP execution in storage directory to prevent uploaded malicious PHP files from running +# Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3) +location ~* ^/storage/.*\.php$ { + deny all; +} + # Pass "*.php" files to PHP-FPM location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; diff --git a/src/variations/frankenphp/etc/frankenphp/Caddyfile b/src/variations/frankenphp/etc/frankenphp/Caddyfile index e914049c..50b2158b 100644 --- a/src/variations/frankenphp/etc/frankenphp/Caddyfile +++ b/src/variations/frankenphp/etc/frankenphp/Caddyfile @@ -138,6 +138,11 @@ fd00::/8 \ # RFC 8615 - Well-Known URIs # https://www.rfc-editor.org/rfc/rfc8615 + # Block PHP execution in storage directory to prevent uploaded malicious PHP files from running + # Reference: Livewire arbitrary file upload (GHSA-29cq-5w36-x7w3) + @storage-php path_regexp ^/storage/.*\.php$ + respond @storage-php 403 + # Block access to files that may expose sensitive information @rejected { path *.bak *.conf *.config *.dist *.inc *.ini *.log *.sh *.sql *.swp *.swo *~ */.*