#4: Hardening

riotkit-org · Aug 23, 2020 · 9c52a9e · 9c52a9e
1 parent 93d8087
commit 9c52a9e
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 2 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -13,6 +13,8 @@ ARG RIOTKIT_IMAGE_VERSION=""
 
 ENV AUTO_UPDATE_CRON="0 5 * * SAT" \
     BASIC_AUTH_ENABLED=true \
+    XMLRPC_DISABLED=true \
+    DISABLE_DIRECT_CONTENT_PHP_EXECUTION=false \
     BASIC_AUTH_USER=riotkit \
     BASIC_AUTH_PASSWORD=riotkit \
     PHP_DISPLAY_ERRORS="Off" \

diff --git a/README.md b/README.md
@@ -55,9 +55,11 @@ services:
             WORDPRESS_DB_PASSWORD: "${DB_PASSWORD_THERE}"
             WORDPRESS_DB_NAME: "your_app"
             AUTO_UPDATE_CRON: "0 5 * * SAT"
+            XMLRPC_DISABLED: "true"
+            DISABLE_DIRECT_CONTENT_PHP_EXECUTION: "false"
 
             # basic auth on administrative endpoints
-            BASIC_AUTH_ENABLED=true
+            BASIC_AUTH_ENABLED: "true"
             BASIC_AUTH_USER: john
             BASIC_AUTH_PASSWORD: secret
 

diff --git a/container-files/etc/nginx/nginx.conf.j2 b/container-files/etc/nginx/nginx.conf.j2
@@ -68,6 +68,8 @@ http {
         fastcgi_param PATH_INFO $path_info;
         fastcgi_index index.php;
         fastcgi_read_timeout 60s;
+        fastcgi_hide_header X-Powered-By;
+        proxy_hide_header X-Powered-By;
 
         location = /favicon.ico {
             log_not_found off;
@@ -80,7 +82,7 @@ http {
             access_log off;
         }
 
-        {% if BASIC_AUTH_ENABLED %}
+        {% if BASIC_AUTH_ENABLED == "true" %}
         location ^~ /wp-login.php {
             auth_basic "Access secured";
             auth_basic_user_file /opt/htpasswd;
@@ -92,6 +94,39 @@ http {
         }
         {% endif %}
 
+        {% if XMLRPC_DISABLED == "true" %}
+        location = /xmlrpc.php {
+            allow 172.0.1.1;
+            deny all;
+            access_log off;
+            log_not_found off;
+            return 444;
+        }
+        {% endif %}
+
+        {% if DISABLE_DIRECT_CONTENT_PHP_EXECUTION == "true" %}
+        location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
+            deny all;
+            access_log off;
+            log_not_found off;
+        }
+        {% endif %}
+
+        location ~ /\.(svn|git)/* {
+            deny all;
+            access_log off;
+            log_not_found off;
+
+            break;
+        }
+        location ~ /\.ht {
+            deny all;
+            access_log off;
+            log_not_found off;
+
+            break;
+        }
+
         location / {
             # This is cool because no php is touched for static content.
             # include the "?$args" part so non-default permalinks doesn't break when using query string