Forbid web.config page from the browser as in https://mydomain.com/web.config

Kaushal Shriyan kaushalshriyan at gmail.com
Fri Nov 13 00:21:57 UTC 2020


On Thu, Nov 12, 2020 at 8:13 PM Francis Daly <francis at daoine.org> wrote:

> On Thu, Nov 12, 2020 at 07:17:46PM +0530, Kaushal Shriyan wrote:
>
> Hi there,
>
> > I am running the Nginx version: nginx/1.16.1 on CentOS Linux release
> > 7.8.2003 (Core). I am trying to forbid/prevent web.config file to
> > download it from the browser. When I hit
> > https://mydomain.com/web.config it is allowing me to download instead of
> > forbidding the page ( 403 Forbidden).
>
> When I use this config, it works for me (I get the http 403 response).
>
> Are you sure that the config file with this server{} block is read by
> your running nginx?
>
> Are there any other server{} blocks with the same (implicit) "listen"
> directive, that might mean that this server{} block is never used?
>
> What do you get if you do
>
>   curl -i -H Host:_ http://your-server/web.config
>
> where the "Host:_" part is an attempt to match the server_name that you
> set in this server{} block.
>
> (Change "your-server" to be a name or IP that your client can use to get
> at the web service.)
>

Hi Francis,

Thanks, Francis, for the email response. There are two server {} blocks, one
with *listen 80 default_server* and the other with *listen 443 ssl*. I am
running the website on port 443 and added the below in the server block
with listen 443 ssl. It worked perfectly. Thanks a lot for pointing out the
issue; I appreciate it.

    location ^~ /web.config {
        deny all;
    }


Best Regards,

Kaushal
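
An added example, not part of the original thread or anyone's actual configuration: the two-server{} layout described above, with the deny rule present in the block that really handles the HTTPS request. The server_name values and certificate paths are placeholders assumed for illustration.

```nginx
# Added example. server_name values and certificate paths are placeholders.

# Port 80 catch-all. A "location ^~ /web.config" that exists only in this
# block is never consulted for requests that arrive on port 443.
server {
    listen 80 default_server;
    server_name _;

    location ^~ /web.config {
        deny all;
    }
}

# The site itself. https://mydomain.com/web.config is handled by this
# block, so the rule has to be present here as well.
server {
    listen 443 ssl;
    server_name mydomain.com;

    ssl_certificate     /path/to/placeholder-fullchain.pem;
    ssl_certificate_key /path/to/placeholder-privkey.pem;

    # ^~ is a prefix match that also stops nginx from checking regex
    # locations, so it covers /web.config.bak and similar names too.
    location ^~ /web.config {
        deny all;   # client receives 403 Forbidden
    }
}
```

After `nginx -t` and a reload, repeating the `curl -i` check from the thread against both the http and https URLs should show a 403 on each.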