Updates

PDowney · web-flow · commit a2affd4e5ca5 · 2025-11-03T21:45:44.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to EngineScript will be documented in this file.
 
 Changes are organized by date, with the most recent changes listed first.
 
+## 2025-11-03
+
+### 🔧 CONFIGURATION IMPROVEMENTS
+
+- **Optional Unsafe File Blocking**: Made FastCGI cache unsafe file blocking configurable
+
 ## 2025-11-02
 
 ### 🔒 SECURITY IMPROVEMENTS
diff --git a/config/etc/nginx/globals/map-cache.conf b/config/etc/nginx/globals/map-cache.conf
@@ -110,13 +110,13 @@ map $request_uri $es_request_uri {
   "~*/edd-"                               1;  # Easy Digital Downloads
 
   # Block: Unsafe Files
-  "~*\.(?:asc|aspx?|bak|bash|bat|blade(\.php)?|cfg|cgi|cmd|conf|csh|dll|dump|engine|env|exe|git(ignore)?|hg|inc|info|ini|install|jsp|log|lua|make|mdb|module|old|orig(inal)?|out|pem|pl|po|profile|py|rdf|save|sh|svn|swo|swp|test|theme|tpl|twig|woa|xtmpl)$" 2;
-  "~*(Gemfile|Gruntfile|auth|composer|composer/installed|package|package-lock|yarn)\.(?:json|lock)$" 2;
-  "~*(changelog|example|installation|legalnotice|license|readme|wp-config)\.(?:html?|md|php|rst|txt)$" 2;
-  "~*gems\.(?:rb|locked)?$"               2;
+  #"~*\.(?:asc|aspx?|bak|bash|bat|blade(\.php)?|cfg|cgi|cmd|conf|csh|dll|dump|engine|env|exe|git(ignore)?|hg|inc|info|ini|install|jsp|log|lua|make|mdb|module|old|orig(inal)?|out|pem|pl|po|profile|py|rdf|save|sh|svn|swo|swp|test|theme|tpl|twig|woa|xtmpl)$" 2;
+  #"~*(Gemfile|Gruntfile|auth|composer|composer/installed|package|package-lock|yarn)\.(?:json|lock)$" 2;
+  #"~*(changelog|example|installation|legalnotice|license|readme|wp-config)\.(?:html?|md|php|rst|txt)$" 2;
+  #"~*gems\.(?:rb|locked)?$"               2;
   #"~*/(wp-content)\/.*\.(?:7z|bz2|[rt]ar|zip)$"  2; # Disables compressed files from being accessed from the wp-content directory. Be careful with this as it will stop you from being able to manually upload plugins/themes or access backups
-  "~*/wp-content/updraft/"                2;  # Updraft
-  "~*/wp-content/uploads/.*\.(?:js|php|[ps]?html?|swf|tpl)$" 2;
+  #"~*/wp-content/updraft/"                2;  # Updraft
+  #"~*/wp-content/uploads/.*\.(?:js|php|[ps]?html?|swf|tpl)$" 2;
   #"~*/wp-content/uploads/enginescript-sse-site-exports/" 2;  # EngineScript Simple Site Exporter
 }
 
diff --git a/config/home/enginescript-install-options.txt b/config/home/enginescript-install-options.txt
@@ -83,6 +83,12 @@ INSTALL_EXTRA_WP_PLUGINS=1
 # Recommended: 0
 SHOW_ENGINESCRIPT_HEADER=0
 
+## Nginx Unsafe File Blocking ##
+# Blocks access to potentially unsafe file types and locations in FastCGI cache
+# When enabled, blocks: .env, .log, .ini, wp-config.php, composer.json, backup files, etc.
+# Disable if you need to access these files through the web (not recommended for security)
+NGINX_BLOCK_UNSAFE_FILES=0
+
 ## DigitalOcean Remote Console ##
 # Install DigitalOcean's Droplet Agent for remote console access
 # This enables the Recovery Console feature in the DigitalOcean control panel
diff --git a/scripts/install/nginx/nginx-misc.sh b/scripts/install/nginx/nginx-misc.sh
@@ -22,6 +22,16 @@ source /usr/local/bin/enginescript/scripts/functions/shared/enginescript-common.
 cp -a /usr/local/bin/enginescript/config/etc/nginx/. /etc/nginx/
 sed -i "s|SEDPHPVER|${PHP_VER}|g" /etc/nginx/globals/php-fpm.conf
 
+# Enable unsafe file blocking if configured
+if [[ "${NGINX_BLOCK_UNSAFE_FILES}" == "1" ]]; then
+    sed -i 's|^  #\("~\*\\.\(?:asc\|  \1|' /etc/nginx/globals/map-cache.conf
+    sed -i 's|^  #\("~\*(Gemfile\|  \1|' /etc/nginx/globals/map-cache.conf
+    sed -i 's|^  #\("~\*(changelog\|  \1|' /etc/nginx/globals/map-cache.conf
+    sed -i 's|^  #\("~\*gems\\.\|  \1|' /etc/nginx/globals/map-cache.conf
+    sed -i 's|^  #\("~\*/wp-content/updraft/\|  \1|' /etc/nginx/globals/map-cache.conf
+    sed -i 's|^  #\("~\*/wp-content/uploads/\.\*\\.\|  \1|' /etc/nginx/globals/map-cache.conf
+fi
+
 # Create nginx user and group if they don't exist
 if ! id "www-data" &>/dev/null; then
     useradd -r -s /bin/false www-data
