Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[docs] Nginx subdirectory URL example allows download of settings.yml #1617

Open
ypid opened this issue Jun 8, 2019 · 2 comments

Comments

Projects
None yet
2 participants
@ypid
Copy link

commented Jun 8, 2019

There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments:

root /usr/local/searx;

location = /searx { rewrite ^ /searx/; }
# location /searx {
        try_files $uri @searx;
}
location @searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_modifier1 30;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}

try_files causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that settings.yml can be downloaded without authentication (where secrets and configuration details are stored).

To fix this, I propose:

location = /searx {
        rewrite ^ /searx/;
}

location /searx/static {
}

location /searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}

And add

route-run = fixpathinfo:

to /etc/uwsgi/apps-available/searx.ini because uwsgi_modifier1 30 is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action

I assume this issue exists because some uwsgi upstream docs also use the try_files construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again).

https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this:

If used incorrectly a configuration like this may cause security problems. For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files.

@unixfox

This comment has been minimized.

Copy link
Contributor

commented Jun 16, 2019

If you found an issue in the documentation you may create a pull request by editing the HTML file in the gh-pages git branch of the Searx repository : https://github.com/asciimoo/searx/blob/gh-pages/docs/dev/install/installation.rst

ypid added a commit to ypid/searx that referenced this issue Jun 18, 2019

Fix Nginx subdir URL install docs which allowed download of settings.yml
Closes: asciimoo#1617

There is an issue with the setup example in https://asciimoo.github.io/searx/dev/install/installation.html#installation for subdirectory URL deployments:

```nginx
root /usr/local/searx;

location = /searx { rewrite ^ /searx/; }
        try_files $uri @searx;
}
location @searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_modifier1 30;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

`try_files` causes Nginx to search for files in the server root first. If it matches a file, it is returned. Only if no file matched, the request is passed to uwsgi. The worst consequence I can think of is that  `settings.yml` can be downloaded without authentication (where secrets and configuration details are stored).

To fix this, I propose:

```nginx
location = /searx {
        rewrite ^ /searx/;
}

location /searx/static {
}

location /searx {
        uwsgi_param SCRIPT_NAME /searx;
        include uwsgi_params;
        uwsgi_pass unix:/run/uwsgi/app/searx/socket;
}
```

And add

```
route-run = fixpathinfo:
```

to `/etc/uwsgi/apps-available/searx.ini` because `uwsgi_modifier1 30` is apparently deprecated. Ref: https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.11.html#fixpathinfo-routing-action

I assume this issue exists because some uwsgi upstream docs also use the `try_files` construct (at least I have seen this somewhere in the docs or somewhere else on the Internet but cannot find it right now again).

https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html#hosting-multiple-apps-in-the-same-process-aka-managing-script-name-and-path-info also warns about this:

> If used incorrectly a configuration like this may cause security problems. For your sanity’s sake, double-triple-quadruple check that your application files, configuration files and any other sensitive files are outside of the root of the static files.
@ypid

This comment has been minimized.

Copy link
Author

commented Jun 18, 2019

Thanks for the hint. I somehow did not find the source of the docs. My bad. Done that: #1623.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.