📌 What broke?
Nginx returns 200 (the SPA's index.html) for scanner requests such as /.git/config, /geoserver/web/, and random short paths. Bot scanners probing the server get a "success" for every path they try, which tells them the path exists, fills the access log with false positives, and may earn the host a place on follow-up target lists.
🚨 Urgency
P1 (major feature broken, deploy within hours)
🔗 Related Issue / Evidence
47.91.97.187 - "GET /gy8D HTTP/1.1" 400 255 "-" "Go-http-client/1.1"
47.91.97.187 - "GET /VYBk HTTP/1.1" 200 456 "-" "Go-http-client/1.1"
SSL_read() failed (SSL: error:0A0001BB:SSL routines::bad record type error)
64.62.197.2 - "GET /geoserver/web/ HTTP/1.1" 200 456
64.62.197.2 - "GET /.git/config HTTP/1.1" 200 456
🔍 Root Cause
The Nginx SPA config uses try_files $uri $uri/ /index.html, which serves index.html with a 200 status for every unmatched path, including sensitive-looking ones like /.git/config and /.env. Note the order of the directive: $uri is tried first, so if a real .git directory or .env file were ever deployed under the webroot, Nginx would serve that file directly rather than index.html. Explicit deny rules cover both cases.
🛠 Proposed Fix
- File: nginx/default.conf
- Change: add deny rules for sensitive paths before the SPA catch-all:
  - Block /.git/*
  - Block /.env
  - Block /geoserver/*
- Return 404 for all blocked paths
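The shape the fix would take in nginx/default.conf, written as an added example rather than the project's actual config; the webroot, listen port and server_name are assumptions. The three explicit rules mirror the list above; the regex rule after them is a broader catch for any dot-prefixed path segment (.htaccess, .DS_Store, .svn, ...) so the fix is not a whack-a-mole list of scanner favourites. `^~` on the prefix locations stops Nginx from falling through to regex locations, and `return 404` (rather than `deny all`, which answers 403) is used so the response does not confirm that anything exists at the path.

```nginx
server {
    listen 80;                      # assumed; adjust to the deployment
    server_name _;
    root /usr/share/nginx/html;     # assumed webroot of the built SPA
    index index.html;

    # Deny rules first. "^~" = longest-prefix match that skips regex locations,
    # so these win over "location /" and over any regex block below.
    location ^~ /.git/      { return 404; }
    location =  /.env       { return 404; }
    location ^~ /geoserver/ { return 404; }

    # Generic catch for any dot-prefixed file or directory segment
    # (/.env.local, /.htaccess, /.svn/entries, ...). Regex locations are
    # evaluated before a plain prefix match like "location /".
    location ~ /\. { return 404; }

    # SPA catch-all: serve real files, then directories, then index.html
    # for client-side routes. Only paths not caught above reach this block.
    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

Check the syntax with `nginx -t` before reloading. Then `curl -s -o /dev/null -w '%{http_code}\n' http://host/.git/config` should print 404, the same for /.env and /geoserver/web/, and a real client-side route of the SPA should still print 200 so the catch-all keeps working.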
✅ Verification
- nginx/default.conf passes nginx -t and is reloaded
- GET /.git/config returns 404
- GET /.env returns 404
- GET /geoserver/web/ returns 404
- An existing SPA client route still returns 200 (catch-all not broken)