Nginx config help - Regex location has no anchors in regex pattern

Cache · March 10, 2023, 11:11am

Here’s my config:

location ~ /\.(?!well-known\/) {
    deny all;
    access_log off;
    log_not_found off;
    return 444;
}

On this line:

location ~ /\.(?!well-known\/) {

I’m getting this waring:

Regex location has no anchors in regex pattern

Regex location has a regex pattern without ^ or $. This is a configuration style that is prone to errors. It may also lead to a situation when requests partially matching the regex pattern are incorrectly routed to this location.

Always use ^ or $ achor in a regex pattern.

If I add ^ like this location ~ /^\.(?!well-known\/) { then . (dot files) are no longer blocked and become downloadable.

How can I silence this warning without destroying the deny of access to dot files.

unixdude · March 10, 2023, 2:19pm

You could probably use something like:

location ~ ^http.*\.(?!well-known\/).*$ {

But I bet that would block everything. Also, what exactly are you trying to block? All dot-files? And, does “well-known” begin with a period? Be more specific about the exact path you are trying to block.

Also, why are there dotfiles on your server that you don’t want to have downloaded? Why are there any files on the server if you don’t want them to be publicly available?

Cache · March 10, 2023, 2:25pm

Thanks for the follow-up.

I’m trying to block files on the server that begin with “.”. Some of which config files for the application.
No, I don’t want to block everything. Everything else, except dot files, should be allowed.
".well-known" is used by Let’s Encrypt when auto-renewing cert. So it should be the only allowed dot file.

Thanks

unixdude · March 10, 2023, 2:45pm

You might need two blocks, one to allow .well-known, and one to disallow all other dot-files.

These (untested) blocks might work:

location ~ ^http.*\.well-known\/.*$ {
    accept all;
}

location ~ ^http.*\/\..*$ {
    deny all;
    access_log off;
    log_not_found off;
    return 444;
}

Cache · March 10, 2023, 3:12pm

Will try that, I’ve also managed to get it to work in 1 block, so it currently looks like this:

location ~ /\.(?!well-known\/) {
    deny all;
    access_log off;
    log_not_found off;
    return 444;
}

How would I modify this single block to include ^ or $.

Also, where can I learn the syntax? Any useful links?

unixdude · March 10, 2023, 3:39pm

I expect you would just add ^http to the front, like this:

location ~ ^http.*\/\.(?!well-known\/) {
    deny all;
    access_log off;
    log_not_found off;
    return 444;
}

Cache · March 10, 2023, 3:49pm

Adding ^ was valid:

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

But it resulted in the dotfiles not being blocked. A web address with a dot file path entered into the address bar causes the download box to pup up. Without the ^, its denied correctly, but the syntax warning.

unixdude · March 10, 2023, 4:02pm

I assume you added ^http, right? Not just a carat.

Also, I am not an nginx expert – I’m just trying to help with the regex syntax.

Cache · March 10, 2023, 4:06pm

Same here. I am researching also.

Yes, full block was:

location ~ ^http.*\/\.(?!well-known\/) {
    deny all;
    access_log off;
    log_not_found off;
    return 444;
}

unixdude · March 10, 2023, 5:03pm

Maybe nginx doesn’t want the nginx or hostname, just the path on the server:

location ~ ^\/\.(?!well-known\/) {
    deny all;
    access_log off;
    log_not_found off;
    return 444;
}

And maybe the escaping on that is incorrect. Hopefully you get it soon.

Cache · March 13, 2023, 8:17pm

I ended up ignoring this warning because I’ve seen Nginx team themselves ignore it in some of the configs they offer online. Thanks for the help. It’s been nice to dig into Nginx a little.

I have been since setting up fastcgi_cache and open_file_cache.