Nginx whitelist file extension

Question

 server {
    listen  80; ## listen for ipv4; this line is default and implied
    #listen   [::]:80 default ipv6only=on; ## listen for ipv6

server_name public;
root /var/www/public;

location = /gameserver/
{
root /var/www/public/gameserver;
index index.html;
    if ($request_filename !~* [pk3]$)
    {
        rewrite ^ /404.html;
    }
}

}

I'm new to Nginx and I've been trying for a few hours now (google and reading the manual) but i cant figure out how to deny all file extensions except the .pk3 with nginx.

the /var/www/gameserver/ points to a symbiotic link from where i only want the .pk3's downloadable.

This is going to be a small gameserver for some fun with friends, no money involved.

Thanks for your time,

Vitali

What is the problem you are having? – Michael Hampton Jun 12 '15 at 22:18 — Michael Hampton, Jun 12 '15 at 22:18

score 3 · Answer 1 · answered Jun 12 '15 at 23:43

3

You can achieve this using a nested location like this:

location /gameserver/ {
    root /var/www/public;
    index index.html;
    location ~ \.pk3$ {
    }
    return 403;
}

The empty location block is intentional and required because nginx does not support negative regex matches. If a file is located below /gameserver/ and ends in .pk3 then the empty location block matches and the request is granted. You can add additional directives there of course. If a file is located below /gameserver/ and does not end in .pk3 then the inner location block does not match and instead the return 403 (access forbidden) is executed.

The general rule with nginx is that you want to avoid "if" and if you need any form of path matching you want to rely on (nested) location blocks.

answered Jun 12 '15 at 23:43

Dennis Jacobfeuerborn

146
3

Thanks for your answer but the problem still persists. I can still download (for example) my server.cfg while it should return a 403 according to you. – vitali Jun 13 '15 at 13:34
Where exactly is server.cfg located? Remember that the above configuration only deals with things under the location /gameserver. If you want to disable other things you have to introduce for example a block for the location / to deal with other paths. – Dennis Jacobfeuerborn Jun 13 '15 at 14:18
I mentioned that the /gameserver/ is a symbiotic link to the gameserver files. in /gameserver/ and /gameserver/main are the files they need to download (.pk3) but also the server.cfg which they shouldnt have acces to. So if i understand correctly it only works for /gameserver/ with this setup? – vitali Jun 13 '15 at 17:28

Nginx whitelist file extension

1 Answers1