From 09cbf70e134cb70f996a2b6b70160ef30c984716 Mon Sep 17 00:00:00 2001
From: Ana Custura
Date: Fri, 8 Aug 2025 17:08:43 +0100
Subject: [PATCH] Feat: mount /var/www/html to the nginx container and add config to protect against CVE-2019-11043

---
 roles/podman_cleaninsights/tasks/main.yml | 4 ++++
 roles/podman_cleaninsights/templates/nginx.conf | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/roles/podman_cleaninsights/tasks/main.yml b/roles/podman_cleaninsights/tasks/main.yml
index 296d7e0..7550975 100644
--- a/roles/podman_cleaninsights/tasks/main.yml
+++ b/roles/podman_cleaninsights/tasks/main.yml
@@ -79,6 +79,10 @@
 podman_nginx_primary_hostname: "{{ podman_cleaninsights_web_hostname }}"
 podman_nginx_systemd_service_slice: cleaninsights.slice
 podman_nginx_systemd_service_requires: ["matomo"]
+ podman_nginx_additional_volumes:
+ - src: "/home/{{ podman_cleaninsights_podman_rootless_user }}/matomo"
+ dest: "/var/www/html"
+ options: "ro"
 - name: create nginx configuration file
 ansible.builtin.template:
diff --git a/roles/podman_cleaninsights/templates/nginx.conf b/roles/podman_cleaninsights/templates/nginx.conf
index 4a3d231..3c20147 100644
--- a/roles/podman_cleaninsights/templates/nginx.conf
+++ b/roles/podman_cleaninsights/templates/nginx.conf
@@ -41,8 +41,8 @@ server {
 location ~ ^/(index|matomo|cleaninsights|piwik|js/index|plugins/HeatmapSessionRecording/configs).php {
 # regex to split $uri to $fastcgi_script_name and $fastcgi_path
+ try_files $fastcgi_script_name =404;
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
- # Check that the PHP script exists before passing it
 #try_files $fastcgi_script_name =404;
@@ -59,6 +59,10 @@ server {
 return 403;
 }
+ location / {
+ try_files $uri $uri/ =404;
+ }
+ # deny access to all cleaninsights.ini file
 location ~ cleaninsights.ini {
 return 403;
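Review bot: The new read-only bind mount is the right scope for nginx, but the `try_files` check this mount exists to support turns any file nginx cannot stat into a 404, so if the files under `/home/{{ podman_cleaninsights_podman_rootless_user }}/matomo` are not readable by the UID nginx runs as inside the container, Matomo would simply start answering 404 with nothing in the Ansible run to explain it. Worth confirming that readability once (and, on an SELinux host, whether the mount needs a relabel option next to `ro`), and recording the purpose above the new key: `# read-only view of the Matomo tree so nginx can verify PHP scripts exist (try_files) and serve static files`. The `podman_nginx_*` variable mapping this entry belongs to starts before the hunk.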
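Review bot: The `#try_files $fastcgi_script_name =404;` line kept two lines below the new directive is now a dead duplicate, and the commit removed the comment that explained the check while keeping the commented-out copy; the explanation belongs on the live line. Suggest dropping the commented-out line and placing `# Check that the PHP script exists before passing it to PHP-FPM (CVE-2019-11043 mitigation); needs the read-only /var/www/html mount` directly above the new `try_files`. Note also that `try_files` resolves `$fastcgi_script_name` against this location's `root`, which is outside the hunk, so the check is only meaningful if that root is the same `/var/www/html` tree PHP-FPM uses for `SCRIPT_FILENAME`; a short comment or a check of that root would close the loop. The `location` block continues past the end of the hunk.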
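Review bot: The new `location / { try_files $uri $uri/ =404; }` makes nginx serve any readable file under the mounted Matomo tree as static content, so a `.php` file that the entry-point regex location does not match (anything under `config/`, for instance) would be returned as plain text instead of being executed or denied, unless an earlier `location` already rejects it. The `return 403;` context at the top of this hunk suggests such deny blocks exist, but the hunk does not show which paths they cover, so confirm that `config/`, `tmp/` and non-entry-point `.php` files are denied before this catch-all, and consider a trailing `location ~ \.php$ { return 404; }` placed after the entry-point location so unmatched PHP source is never served. A one-line comment above the new block, `# static files from the read-only Matomo mount; every PHP file not handled above must be denied earlier`, would record that assumption for the next editor. The enclosing `server` block starts and ends outside the hunk.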