Improve uploads folder security #3428

Closed
freescout-helpdesk opened this issue Sep 27, 2023 · 5 comments

Comments

@freescout-helpdesk
Contributor

freescout-helpdesk commented Sep 27, 2023

In order to improve uploads folder security:

  • If you are using the Apache web server, make sure you have the headers module installed. Otherwise install it:

    sudo a2enmod headers
    sudo systemctl restart apache2

  • If you are using the nginx web server, add the following to your nginx config (THIS BLOCK OF CODE HAS TO BE INSERTED IN A VERY SPECIFIC PLACE IN THE NGINX CONFIG: nginx configuration):

    # Force a download instead of inline rendering for any file under /storage/
    # whose extension is not on the allow-list below. The negative lookahead
    # makes the match fail as soon as one of the listed extension names follows
    # a dot, so .html, .svg, .php, .js and similar are never rendered in the
    # browser. "~*" makes the match case-insensitive.
    location ~* ^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$ {
        # $2 is the group inside the negative lookahead, which is not set when
        # the location matches, so nginx sends "attachment; filename=" and the
        # browser derives the download name from the URL. The "attachment"
        # disposition is the part that matters.
        # Note: add_header in a location replaces, rather than extends, any
        # add_header lines inherited from the server block; repeat those here
        # if you rely on them.
        add_header Content-disposition "attachment; filename=$2";
        # Fallback Content-Type for extensions missing from nginx's mime.types.
        default_type application/octet-stream;
    }
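As an added illustration (my own code, not part of the issue or of FreeScout): a Python simulation of the nginx location regex above, run against constructed attachment URIs, showing which requests the block turns into forced downloads and what the `filename=$2` part expands to. The regex is copied verbatim from the comment; the URIs are made up for the example. nginx evaluates regex locations against the URI path without the query string, and renders an unset capture group as an empty string; both rules are mirrored here.

```python
import re
from typing import Dict, Iterable, Optional

# The nginx location regex from the issue, unchanged. nginx's "~*" modifier
# means case-insensitive matching, hence re.IGNORECASE.
STORAGE_PATTERN = re.compile(
    r"^/storage/.*\.((?!(jpg|jpeg|jfif|pjpeg|pjp|apng|bmp|gif|ico|cur|png|tif"
    r"|tiff|webp|pdf|txt|diff|patch|json|mp3|wav|ogg|wma)).)*$",
    re.IGNORECASE,
)


def _path_only(uri: str) -> str:
    """Regex locations are matched against the path, never the query string."""
    return uri.split("?", 1)[0]


def forced_attachment(uri: str) -> bool:
    """True if the location block applies to this request, i.e. nginx would
    send Content-Disposition: attachment instead of rendering the file."""
    return STORAGE_PATTERN.match(_path_only(uri)) is not None


def content_disposition(uri: str) -> Optional[str]:
    """Reproduce the add_header value. Group 2 sits inside the negative
    lookahead and is never set on a successful match; nginx expands an unset
    capture to "", so the header ends up as 'attachment; filename='."""
    m = STORAGE_PATTERN.match(_path_only(uri))
    if m is None:
        return None
    return "attachment; filename=" + (m.group(2) or "")


def classify(uris: Iterable[str]) -> Dict[str, str]:
    """Map each URI to 'download' or 'inline' for a quick review of a list."""
    return {u: ("download" if forced_attachment(u) else "inline") for u in uris}


# Constructed sample URIs (not real FreeScout paths); they only need to look
# like attachment paths under /storage/.
SAMPLE_URIS = [
    "/storage/attachment/1/photo.jpg",        # allow-listed image: inline
    "/storage/attachment/1/PHOTO.JPG",        # same, upper case: inline
    "/storage/attachment/1/page.html",        # not listed: forced download
    "/storage/attachment/1/logo.svg",         # SVG can carry script: download
    "/storage/attachment/1/photo.jpg.html",   # the last extension decides: download
    "/storage/attachment/1/shell.php?x=1",    # query string ignored: download
    "/storage/attachment/1/notes.txtx",       # "txt" matched as a prefix: inline
    "/storage/a.b/x.jpg",                     # dot in a directory name: inline
]

if __name__ == "__main__":
    for uri, verdict in classify(SAMPLE_URIS).items():
        print(f"{verdict:8} {uri}  {content_disposition(uri) or ''}")
```

On a live server the equivalent check is `curl -sI https://<host>/storage/<path-to-a-non-allow-listed-file>` and looking for `Content-Disposition: attachment` in the response; if the header is missing, the block is in the wrong place in the config or a cache is still serving the old response.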
@freescout-helpdesk
Contributor Author

FYI @tiredofit @nebulade

bfren added a commit to bfren/docker-freescout that referenced this issue Oct 7, 2023
Minor updates
* Improving folder security - see freescout-help-desk/freescout#3428
@freescout-helpdesk
Contributor Author

Also, everyone please note that filename=$1 has been changed to filename=$2 in the nginx config above.

@tiredofit @nebulade

@nebulade
Contributor

Thanks for letting us know. We use Apache in the package, so we have added the headers module now.

@Lars-
Contributor

Lars- commented Oct 13, 2023

Nice, all attachments return a 404 now...
Edit: the cache seemed to be the problem.

@rosinghal
Contributor

I am using https://openlitespeed.org/; would you be able to recommend how to get it to work?
