Nginx .htaccess equivalent to protect uploads directories

MWDelaney · April 30, 2017, 2:55pm

Hi,
Apparently Formidable Pro’s uploaded-files protection only works in Apache which is a super big problem for me with Trellis and nginx.

How would I go about adding the equivalent of a rewrite rule preventing non-local-referrer access to mysite.com/app/uploads/formidable/* with Trellis?

This has become something of a problem lately so any help you can provide would be great. Thank you!

EDIT: I’m reading this but this is new to me so any guidance to get this urgent issue resolved would be great

MWDelaney · April 30, 2017, 3:50pm

OK, as usual posting here has been part of my process for finding the solution.

This problem is resolved, but I’d like to leave this thread here for anyone else looking for a solution to this problem and/or a working example for nginx rewrite templates!

Here’s what I did:

I created the following file:

project/
    trellis/
        nginx-includes/
            example.com
                rewrites.conf.j2

The contents of this rewrites.conf.j2 are as follows:

location ~ ^/app/uploads/formidable/css/(.*) {
	try_files $uri /dev/null =404;
}
location ~ ^/app/uploads/formidable/(.*) {
	if ($http_referer !~ "^http(s)?://(www\.)?example.com/.*$"){
		return 403;
	}
}
```

I reprovisioned my server and it resolved the issue.

This resolved the `uploads` directory being open to the world, while maintaining the `css` directory which Formidable keeps when you make changes to the default CSS using the admin.

Whew. I learned a lot today. Now I need to apply this fix to like five other sites.

Thanks for bearing with me.

strarsis · April 30, 2017, 4:17pm

Related issue:

MWDelaney · April 30, 2017, 5:18pm

Quick follow-up for anyone who knows nginx config better (or at all!) is there more generic way I can write this line which doesn’t require typing the URL of the site? That would make it easier to port between projects.

fullyint · April 30, 2017, 5:36pm

There may be a smart technique with just Nginx. I haven’t looked.

However, you could perhaps reuse a single child template across projects, given that a child template would make available a variable like site_hosts_canonical | first
(or maybe you’d want to loop over all site_hosts_canonical).

This thread discusses why different variables are available in in the child template context vs the regular nginx include context.

strarsis · May 3, 2017, 5:20pm

Interesting side note concerning formidable forms:

github.com

wp-plugins/formidable/blob/5a52820c19165a172adea6bfbee084fbe41d4493/readme.txt#L829


* Fixed display of radio field values from fields with separate values
* PRO: Added custom display content box into "create posts" settings tab
* PRO: Added options to auto-create fields for post status and post categories/taxonomies
* PRO: Added link to de-authorize a site to use your Pro credentials
* PRO: Added meta box on posts with link to automatically create a form entry linked to the post
* PRO: Hide pro credentials settings form when pro is active
* PRO: Fixed redirect URL to correctly replace shortcodes for forms set to not save any entries
* PRO: Fixed regular dropdown field taxonomies to trigger conditional logic and use the auto width option
* PRO: Allow searching by user login when selecting a user ID field to search by on the admin entries page
* PRO: Updated the auto_id default value to continue functioning correctly even if there are non-numeric values in entries
* PRO: Added an index.php file into the uploads/formidable folder to prevent file browsing for those without an htaccess file
* PRO: Allow field IDs as dynamic default values ie [25]. This will ONLY work when the value has just been posted.
* PRO: Added the display object into the args array to pass to the frm_where_filter hook
* PRO: Allow for negative numbers in calculations
* PRO: Allow for unlimited GET parameter setting in the custom display shortcode. [display-frm-data id=2 whatever=value whatever2=value2]
* PRO: Switched phone field to HTML5 "tel" input type
* PRO: Added a frm_cookie_expiration hook to change the cookie expiration time
* PRO: Added cookie expiration option
* PRO: Added frm_used_dates hook for blocked out dates in unique datepickers
* PRO: Added frm_redirect_url hook
* PRO: Fixed forms submit button labels for forms in add entry mode that follow a form in edit mode on the same page

MWDelaney · May 3, 2017, 5:35pm

Yeah, but the filename stays the same, so if you know where to look (which is easy enough to get; the upload directory is named for the form ID which is in the HTML), and you know your filename, you can link to it directly.

The .htaccess prevents this, but obviously not on nginx.

Jason_Schmedes · June 19, 2019, 10:26pm

Is the nginx conf really the equivalent of the .htaccess files though? The referrer is easily spoofed.