Feat: mount /var/www/html to the nginx container and add config to protect against CVE-2019-11043

roles/podman_cleaninsights/tasks/main.yml

@@ -79,6 +79,10 @@
     podman_nginx_primary_hostname: "{{ podman_cleaninsights_web_hostname }}"
     podman_nginx_systemd_service_slice: cleaninsights.slice
     podman_nginx_systemd_service_requires: ["matomo"]
+    podman_nginx_additional_volumes:
+      - src: "/home/{{ podman_cleaninsights_podman_rootless_user }}/matomo"
+        dest: "/var/www/html"
+        options: "ro"
 
 - name: create nginx configuration file
   ansible.builtin.template:

roles/podman_cleaninsights/templates/nginx.conf

@@ -41,8 +41,8 @@ server {
 
 	location ~ ^/(index|matomo|cleaninsights|piwik|js/index|plugins/HeatmapSessionRecording/configs).php {
 		# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+		try_files $fastcgi_script_name =404;
 		fastcgi_split_path_info ^(.+\.php)(/.+)$;
-
 		# Check that the PHP script exists before passing it
 		#try_files $fastcgi_script_name =404;
 
@@ -59,6 +59,10 @@ server {
 		return 403;
 	}
 
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
     # deny access to all cleaninsights.ini file
 	location ~ cleaninsights.ini {
 		return 403;