Hi I added below codes to disable all access to the following directories, but somehow it is not working. Anything wrong with the codes? /etc/nginx/sites-enabled ## disable all access to the following directories location ~ ^/(config|tmp|core|lang) { deny all; return 403; # replace with 404 to not show these directories exist } Full codes for vhost in /etc/nginx/sites-enabled ----------------------------------------- server { listen *:80; listen [::]:80; listen *:443 ssl http2; ssl_protocols TLSv1.2; listen [::]:443 ssl http2; server_name xxx.com ; add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; root /var/www/xxx.com/web/; disable_symlinks if_not_owner from=$document_root; index index.html index.htm index.php index.cgi index.pl index.xhtml; error_page 400 /error/400.html; error_page 401 /error/401.html; error_page 403 /error/403.html; error_page 404 /error/404.html; error_page 405 /error/405.html; error_page 500 /error/500.html; error_page 502 /error/502.html; error_page 503 /error/503.html; recursive_error_pages on; location = /error/400.html { internal; } location = /error/401.html { internal; } location = /error/403.html { internal; } location = /error/404.html { internal; } location = /error/405.html { internal; } location = /error/500.html { internal; } location = /error/502.html { internal; } location = /error/503.html { internal; } error_log /var/log/ispconfig/httpd/xxx.com/error.log; access_log /var/log/ispconfig/httpd/xxx.com/access.log combined; location ~ /\. { deny all; } location ^~ /.well-known/acme-challenge/ { access_log off; log_not_found off; auth_basic off; root /usr/local/ispconfig/interface/acme/; autoindex off; index index.html; try_files $uri $uri/ =404; } location = /favicon.ico { log_not_found off; access_log off; expires max; add_header Cache-Control "public, must-revalidate, proxy-revalidate"; } location = /robots.txt { allow all; log_not_found off; access_log off; } location /stats/ { index index.html index.php; auth_basic "Members Only"; auth_basic_user_file /var/www/clients/client0/web36/web//stats/.htpasswd_stats; add_header Content-Security-Policy "default-src * 'self' 'unsafe-inline' 'unsafe-eval' data:;"; } location ^~ /awstats-icon { alias /usr/share/awstats/icon; } location ~ \.php$ { try_files /d8d42ac3e07b8aeac13a317608cafcd4.htm @php; } location @php { try_files $uri =404; include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/lib/php7.2-fpm/web36.sock; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_intercept_errors on; } ## disable all access to the following directories location ~ ^/(config|tmp|core|lang) { deny all; return 403; # replace with 404 to not show these directories exist } ## deny access to all other .php files location ~* ^.+\.php$ { deny all; return 403; } ## deny access to all other .php files location ~* ^.+\.php$ { deny all; return 403; } ## serve all other files normally location / { try_files $uri $uri/ =404; } location ~ /\.ht { deny all; return 403; } location ~ js/container_.*_preview\.js$ { expires off; add_header Cache-Control 'private, no-cache, no-store'; } location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$ { allow all; ## Cache images,CSS,JS and webfonts for an hour ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade expires 1h; add_header Pragma public; add_header Cache-Control "public"; } location ~ ^/(libs|vendor|plugins|misc|node_modules) { deny all; return 403; } ## properly display textfiles in root directory location ~/(.*\.md|LEGALNOTICE|LICENSE) { default_type text/plain; } }
Seems like you are using ISPConfig. Don't alter the vhost manually but add the folders as protected folders through the ISPConfig UI.