picocms / Pico

Pico is a stupidly simple, blazing fast, flat file CMS.
http://picocms.org/
MIT License

My Nginx config allows the downloading of files #572

Closed horak closed 3 years ago

horak commented 3 years ago

Problem: Nginx config allows the downloading of files

Pico Version: v2.1.4

Recreate Issue: Unfortunately, when I navigate to my-domain/config/config.yml, or anywhere else there's a file, it downloads.

What I've tried: I've followed the instructions in the in-depth installation guide for Nginx, and there's a section in there that indicates you should include the following lines to avoid this: (Assuming Pico's files are located in the root directory, which they are for me.)

location ~ ^/((config|content|vendor|composer\.(json|lock|phar))(/|$)|(.+/)?\.(?!well-known(/|$))) {
    try_files /index.php$is_args$args =404;
}

Here is my full conf file:

server {

        listen 80;

        server_name my-domain www.my-domain;

        root /var/www/html;
        index index.php index.html index.htm index.nginx-debian.html;

        access_log /var/log/nginx/server_name.access.log;
        error_log /var/log/nginx/server_name.error.log;

        location ~ ^/((config|content|vendor|composer\.(json|lock|phar))(/|$)|(.+/)?\.(?!well-known(/|$))) {
                try_files /index.php$is_args$args =404;
        }

        location ~ \.php$ {
                try_files $uri =404;

                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_buffer_size 16k;
                fastcgi_buffers 4 16k;

                # Let Pico know about available URL rewriting
                fastcgi_param PICO_URL_REWRITING 1;
        }

        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/server_name/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/server_name/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

Does anybody see any problems?
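To see which requests the deny rule above actually captures, and why the order of the two regex locations matters, here is a small added Python script (not part of this issue or of the Pico project). It runs the exact regex from the config against constructed sample URIs and mimics nginx's regex-location selection for this particular config: with only a plain `location /` prefix block present, regex locations are tried in file order, the first match wins, and unmatched requests fall through to `location /`. The `^~`, `=` and nested-location cases are deliberately not modelled; the block labels ("deny", "php", "root") are names used by this script, not nginx syntax.

```python
import re

# The deny rule from the Pico nginx howto, exactly as quoted in the config
# above. Nginx evaluates it with PCRE; Python's re handles the same
# alternation and negative lookahead.
DENY_RE = re.compile(
    r"^/((config|content|vendor|composer\.(json|lock|phar))(/|$)|(.+/)?\.(?!well-known(/|$)))"
)

# The PHP handler location from the same config.
PHP_RE = re.compile(r"\.php$")

# Regex locations in the order they appear in the posted config
# (deny rule first, PHP handler second), as the howto requires.
DOC_ORDER = [("deny", DENY_RE), ("php", PHP_RE)]
# The reversed order, i.e. the mistake the howto warns about.
WRONG_ORDER = [("php", PHP_RE), ("deny", DENY_RE)]


def is_denied(uri: str) -> bool:
    """True if the deny rule matches the (already decoded) request URI."""
    return DENY_RE.search(uri) is not None


def select_location(uri: str, regex_locations=DOC_ORDER) -> str:
    """Return the label of the location block nginx would choose.

    Simplified model of nginx's algorithm for this config: the regex
    locations are tried in file order and the first match wins; if none
    match, the request is handled by the plain 'location /' block ("root").
    """
    for label, pattern in regex_locations:
        if pattern.search(uri):
            return label
    return "root"


# Constructed sample URIs covering the paths the rule is meant to protect,
# the ACME exception, and ordinary site content that must stay reachable.
SAMPLES = [
    "/config/config.yml",
    "/content/index.md",
    "/composer.json",
    "/vendor/autoload.php",
    "/.htaccess",
    "/themes/default/.git/HEAD",
    "/.well-known/acme-challenge/token",
    "/.well-known-x/anything",
    "/configuration",
    "/themes/default/style.css",
    "/index.php",
    "/about",
]


def report(regex_locations=DOC_ORDER) -> dict:
    """Map each sample URI to the block that would handle it."""
    return {uri: select_location(uri, regex_locations) for uri in SAMPLES}


if __name__ == "__main__":
    for order_name, order in (("documented order", DOC_ORDER),
                              ("php block first", WRONG_ORDER)):
        print(f"--- {order_name} ---")
        for uri, block in report(order).items():
            print(f"{block:5} {uri}")
```

Two things the output makes visible: `/.well-known/acme-challenge/...` is the only dot-path that escapes the deny rule, while look-alikes such as `/.well-known-x/` are still caught; and with the PHP block listed first, `/vendor/autoload.php` is handed to PHP-FPM instead of the deny block, which is exactly why the howto insists on the order. Which block a request lands in is only half the story, though: what that block then does with `try_files` decides whether the visitor gets Pico's 404 page or a raw file, so after any change it is worth confirming with `curl -I` that a denied path returns neither a 200 nor a YAML or octet-stream body.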

PhrozenByte commented 3 years ago

The section denying access must be placed before the PHP section.

From the howto:

Having this said: The order of your rules does matter in Nginx, so make sure that the rules have the same order as we discuss them in this document.

horak commented 3 years ago

The section denying access must be placed before the PHP section.

Yes, of course. I actually did try this and it didn't work. Updated the .conf to reflect my current non-working configuration.

PhrozenByte commented 3 years ago

In this case: No idea, sorry. :unamused:

I don't use nginx and I honestly never really understood nginx's very obscure config principles (to be more precise: I thought I understood it in the past, but since it should work but simply doesn't, I'm obviously wrong). Unfortunately, a lot of people have issues with nginx's config. Sometimes there's an obvious error like a typo or a wrong section order, but if this isn't the case it often simply doesn't work for some unknown reason. I tried with a lot of people in the past; nobody got it working. I didn't write http://picocms.org/in-depth/nginx/ myself, but I indeed tested the config and it worked for me. But for some people it simply doesn't.

If you find a solution I'd be very pleased to know about it! :heart:

Besides that, I can only recommend that you use a webserver for which one doesn't have to attend an academic course just to configure it. I recommend Apache; it usually works out-of-the-box :v:

horak commented 3 years ago

Welp, fair enough.

killerbees19 commented 3 years ago

Try to move the regex location blocks inside the block for /. Or replace the block for / with a regex match too. Just two short ideas to debug it...

What's your Nginx version? Any OS-specific patches?

horak commented 3 years ago

I ended up moving back to Apache! Thanks for the ideas though. Closing :)