disable file uploads
Steve Holdoway
steve at greengecko.co.nz
Mon Mar 23 23:47:38 UTC 2015
On Mon, 2015-03-23 at 22:52 +0000, Francis Daly wrote:
> On Tue, Mar 24, 2015 at 09:13:50AM +1300, Steve Holdoway wrote:
>
> Hi there,
>
> > Is there any way to stop / disable random file uploads... for example,
> > I'm having 'fun' with mail relays being uploaded to the cache area of a
> > wordpress site?
>
> What is the difference between a request that is a file upload and a request
> that is not a file upload, on your system?
>
> Are there some specific urls you want to block? Do you want to block
> all POST requests?
>
> > Can't think of anything off the top of my head that would do it.
>
> Would it be simpler for you to configure your wordpress to disallow
> file uploads?
>
> f

I would like to block at web server level if possible, seems the most
sensible to me. This is what I currently use for wordpress (after this
morning lol)

    # set the static ones first, then the catchall
    # Directives to send expires headers and turn off 404 error logging.
    location ~* ^/(?:uploads|files|cache|plugins)/.*\.(png|gif|jpg|jpeg|css|js|swf|ico|txt|xml|bmp|pdf|doc|docx|ppt|pptx|zip|woff|ttf|otf|xls|myo|qbb|pst|dat|qbx|bc7|cf7)$ {
        expires 24h;
        log_not_found off;
    }
    location ~* ^/wp-content/(files|uploads|cache|plugins)/.*.(|php|js|swf)$ {
        types { }
        default_type text/plain;
    }

I think I should be able to simplify it by having the block before a
straight catchall with no extensions listed, which would help ( although
a zero expiry on .html would probably be beneficial ).
Cheers,
Steve
--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa
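
An added example, not part of the original message: a Python check of which request paths the two regex locations quoted above select, assuming nginx's behaviour that `~*` locations are case-insensitive and tested in configuration order with the first match winning. `PLAIN_VARIANT` and the sample paths are constructed for illustration and do not come from the thread.

```python
import re

# Regex locations from the message, in configuration order (wrapped lines
# joined). nginx "~*" is a case-insensitive, unanchored regex match.
STATIC = (r"^/(?:uploads|files|cache|plugins)/.*\.(png|gif|jpg|jpeg|css|js|swf"
          r"|ico|txt|xml|bmp|pdf|doc|docx|ppt|pptx|zip|woff|ttf|otf|xls|myo"
          r"|qbb|pst|dat|qbx|bc7|cf7)$")
PLAIN_AS_POSTED = r"^/wp-content/(files|uploads|cache|plugins)/.*.(|php|js|swf)$"
# Hypothetical variant (not from the message): literal dot, no empty branch.
PLAIN_VARIANT = r"^/wp-content/(?:files|uploads|cache|plugins)/.*\.(?:php|js|swf)$"

AS_POSTED = [("static-expires", STATIC), ("text-plain", PLAIN_AS_POSTED)]
VARIANT = [("static-expires", STATIC), ("text-plain", PLAIN_VARIANT)]

# Constructed request paths (query strings are not part of location matching).
SAMPLE_URIS = [
    "/wp-content/cache/mailer.php",
    "/wp-content/cache/Mailer.PHP",
    "/wp-content/uploads/2015/03/logo.png",
    "/wp-content/cache/page.html",
    "/wp-content/cache/",
    "/wp-content/themes/x/style.css",
    "/uploads/logo.PNG",
]


def select_location(uri, locations):
    """Return the name of the first regex location matching uri, else None."""
    for name, pattern in locations:
        if re.search(pattern, uri, re.IGNORECASE):
            return name
    return None


def compare(uris):
    """Map each URI to (location as posted, location with the variant regex)."""
    return {u: (select_location(u, AS_POSTED), select_location(u, VARIANT))
            for u in uris}


if __name__ == "__main__":
    for uri, (posted, variant) in compare(SAMPLE_URIS).items():
        print(f"{uri:40} as posted: {posted!s:15} variant: {variant}")
```

A result of `None` means neither regex location applies and the request goes to whatever other location the server defines, which this sketch does not model.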