Roots Discourse

Nginx .htaccess equivalent to protect uploads directories

Hi,
Apparently Formidable Pro’s uploaded-files protection only works in Apache which is a super big problem for me with Trellis and nginx.

How would I go about adding the equivalent of a rewrite rule preventing non-local-referrer access to mysite.com/app/uploads/formidable/* with Trellis?

This has become something of a problem lately so any help you can provide would be great. Thank you!

EDIT: I’m reading this but this is new to me so any guidance to get this urgent issue resolved would be great

OK, as usual posting here has been part of my process for finding the solution.

This problem is resolved, but I’d like to leave this thread here for anyone else looking for a solution to this problem and/or a working example for nginx rewrite templates!

Here’s what I did:

I created the following file:

```
project/
    trellis/
        nginx-includes/
            example.com/
                rewrites.conf.j2
```

The contents of this rewrites.conf.j2 are as follows:

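```
# Formidable's generated CSS stays publicly reachable
location ~ ^/app/uploads/formidable/css/(.*) {
	try_files $uri /dev/null =404;
}
# Everything else under formidable/ requires a Referer from this site
location ~ ^/app/uploads/formidable/(.*) {
	if ($http_referer !~ "^http(s)?://(www\.)?example\.com/.*$"){
		return 403;
	}
}
```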

I reprovisioned my server and it resolved the issue.

This resolved the `uploads` directory being open to the world, while maintaining the `css` directory which Formidable keeps when you make changes to the default CSS using the admin.

Whew. I learned a lot today. Now I need to apply this fix to like five other sites.

Thanks for bearing with me.
2 Likes

Related issue:

1 Like

Quick follow-up for anyone who knows nginx config better (or at all!): is there a more generic way I can write this line which doesn’t require typing the URL of the site? That would make it easier to port between projects.

There may be a smart technique with just Nginx. I haven’t looked.

However, you could perhaps reuse a single child template across projects, given that a child template would make available a variable like `site_hosts_canonical | first` (or maybe you’d want to loop over all `site_hosts_canonical`).

This thread discusses why different variables are available in the child template context vs the regular nginx include context.

1 Like
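An nginx-only way to avoid typing the site URL, as an added example that is not from any poster in this thread: the stock `ngx_http_referer_module` can compare the Referer against the enclosing server block's own `server_name` values. It assumes the include is loaded inside the site's `server { }` block and that `server_name` there lists every host the site is served from.

```nginx
# Added example (not from the thread): host-agnostic version of rewrites.conf.j2.
# Assumption: this file is included inside the site's server { } block, whose
# server_name directive lists all of the site's hostnames.

# Formidable's generated CSS stays publicly reachable (unchanged from the post above).
location ~ ^/app/uploads/formidable/css/(.*) {
	try_files $uri /dev/null =404;
}

location ~ ^/app/uploads/formidable/(.*) {
	# "server_names" accepts a Referer whose host equals one of this server
	# block's server_name entries, so no hostname is hard-coded here.
	# "none" and "blocked" are deliberately omitted: a request with a missing
	# or stripped Referer is treated as invalid, matching the regex rule above.
	valid_referers server_names;

	# $invalid_referer is an empty string for an accepted Referer, "1" otherwise.
	if ($invalid_referer) {
		return 403;
	}

	# Referer is a client-supplied header, so this rule deters hotlinking;
	# it does not authenticate the requester.
}
```

Because nothing in the file names the site, the same `rewrites.conf.j2` can be copied between projects as-is; `nginx -t` on the provisioned server confirms the include parses.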

Interesting side note concerning formidable forms:

Yeah, but the filename stays the same, so if you know where to look (which is easy enough to get; the upload directory is named for the form ID which is in the HTML), and you know your filename, you can link to it directly.

The .htaccess prevents this, but obviously not on nginx.

1 Like

Is the nginx conf really the equivalent of the .htaccess files though? The referrer is easily spoofed.