Help with NGINX Config

Hi,

I’m having trouble with nginx config for k3.
I am following the cookbook example:

server {

  root /var/www/html;

  index index.php index.html index.htm index.nginx-debian.html;

  server_name SERVER_NAME;

  location / {
    try_files $uri $uri/ /index.php$is_args$args;
  }

  location ~* \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php/php8.0-fpm.sock;
    include fastcgi.conf;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
  }

  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/SERVER_NAME/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/SERVER_NAME/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
  if ($host = SERVER_NAME) {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  listen 80;
  listen [::]:80;

  server_name SERVER_NAME;
  return 404; # managed by Certbot

}

This results in the following route behaviour:

/: downloads the index.php file
/anyroute: correct behaviour, rendered page
/panel: downloads the index.php file
/panel/site: correct behaviour, rendered page

In addition, files in the content and site folder are accessible. For instance:
/site/blueprints/pages/default.yml will download the blueprint file.

How can I fix the file download behaviour on the / and /panel routes, and how can I block access to the system folders?

Looks like you need to add this line:

# block content
rewrite ^/(content|site|kirby)/(.*)$ /error last;  

Thank You @texnixe

After clearing browser cache, this worked like a charm!

My working nginx config on a DigitalOcean LEMP droplet (v42):

server {

  root /var/www/html;

  index index.php index.html index.htm index.nginx-debian.html;

  server_name SERVER_NAME;

  location / {
    try_files $uri $uri/ /index.php$is_args$args;
  }

  rewrite ^/(content|site|kirby)/(.*)$ /error last; 

  location ~* \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php/php8.0-fpm.sock;
    include fastcgi.conf;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
  }

  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/SERVER_NAME/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/SERVER_NAME/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
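
A way to re-check both symptoms from this thread after a config change, without a browser cache in the way (an added example, not part of any post here or of the Kirby docs). The `/content` and `/kirby` probe paths are constructed samples, and the check assumes a raw file arrives with a non-HTML content type while a rendered page or error page arrives as `text/html`.

```python
import sys
import urllib.error
import urllib.request

PAGE_ROUTES = ["/", "/panel"]  # routes the thread reports as downloading index.php
SYSTEM_PATHS = [
    "/site/blueprints/pages/default.yml",  # path quoted in the thread
    "/content/site.txt",                   # constructed sample path
    "/kirby/composer.json",                # constructed sample path
]


def fetch(url, timeout=5):
    """Return (status, content type, first 64 body bytes); 4xx/5xx do not raise."""
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # error responses still carry headers and a body
    ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    head = resp.read(64)
    resp.close()
    return resp.code, ctype, head


def classify(status, ctype, head, is_system_path):
    """Return a finding string, or None when the response looks safe."""
    if head.lstrip().startswith(b"<?php"):
        return "PHP source served unexecuted"
    if status == 200 and ctype != "text/html":
        if is_system_path:
            return "system file served directly"
        return "route returned a download, not a rendered page"
    return None


def audit(base_url):
    """Probe every path and return {path: finding} for those that fail."""
    base = base_url.rstrip("/")
    probes = [(p, False) for p in PAGE_ROUTES] + [(p, True) for p in SYSTEM_PATHS]
    findings = {}
    for path, is_system in probes:
        finding = classify(*fetch(base + path), is_system)
        if finding:
            findings[path] = finding
    return findings


if __name__ == "__main__":
    for path, finding in audit(sys.argv[1]).items():
        print(f"FAIL {path}: {finding}")
```

Run it with the site's base URL as the only argument; no output means none of the probed paths leaked.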

@texnixe Thanks - this line fixed the ‘exposed folders’ error for me.

It doesn’t appear to be in the example at Running Kirby on a Nginx web server | Kirby CMS - perhaps it should be added?