The current nginx config is permissive by default which makes it unsafe and bad practice.
For example the file console "php"-file is currently publicly accessible.
And future new/renamed files or paths will be accessible too that hasn't been included in the nginx config.
This PR revers this and instead denies everything except for the the defined paths.
These changes also makes it easy to restrict public access the full matomo site, by still allowing access to the paths needed to gather analytics (matomo.js, matomo.php, piwik.js & piwik.php).
As this is a slightly modified variant of what I have been tested, it may need some proofing.
The current nginx config is permissive by default which makes it unsafe and bad practice.
For example the file
console
"php"-file is currently publicly accessible. And future new/renamed files or paths will be accessible too that hasn't been included in the nginx config.This PR revers this and instead denies everything except for the the defined paths. These changes also makes it easy to restrict public access the full matomo site, by still allowing access to the paths needed to gather analytics (matomo.js, matomo.php, piwik.js & piwik.php).
As this is a slightly modified variant of what I have been tested, it may need some proofing.