This article is reproduced from serverfault.com.

Magento Enterprise 1.14.2 Block rss via nginx

Published on 2021-01-13 22:47:11

I've tried several variations found on the web, but they don't seem to work. I want to block these URLs because they're appearing on the Magento security scan.

domain.com/index.php/rss/catalog/notifystock
domain.com/index.php/rss/catalog/review
domain.com/index.php/rss/order/new

domain.com/rss/catalog/notifystock
domain.com/rss/catalog/review
domain.com/rss/order/new

What I've tried are:

location ^~ /rss/order/new {
  deny all;
}

location ~ ^/index.php/?rss/ {
   deny all; 
}

location ~ ^/rss/ {
   deny all;
}

location ~* ^/?(index.php?)?rss/(order/new|catalog/notifystock|catalog/review) { return 403; }

Some of these rules only block the URLs without index.php.

Questioner: Christian Young
Richard Smith 2019-01-22 22:31:48

Looking at the rules one at a time...

location ^~ /rss/order/new { deny all; }

This will block the 6th URI in your question.

Using the prefix location with the ^~ modifier is unambiguous and more efficient than regular expressions. You could block all six URIs in your question using:

location ^~ /index.php/rss/catalog/notifystock { deny all; }
location ^~ /index.php/rss/catalog/review { deny all; }
location ^~ /index.php/rss/order/new { deny all; }
location ^~ /rss/catalog/notifystock { deny all; }
location ^~ /rss/catalog/review { deny all; }
location ^~ /rss/order/new { deny all; }

Or for a more general rule, all /rss/ URIs, using:

location ^~ /index.php/rss/ { deny all; }
location ^~ /rss/ { deny all; }

location ~ ^/index.php/?rss/ { deny all; }

This is a regular expression location and needs to be placed above any conflicting regular expression location block (for example: location ~ \.php). See this document for details.

The ? after the / is unnecessary, as there is no requirement to match a URI like /index.phprss.

If placed high enough in your configuration, it should block the first three URIs in your question.


location ~ ^/rss/ { deny all; }

This is also a regular expression location and needs to be placed above any conflicting regular expression location block.

If placed high enough in your configuration, it should block the last three URIs in your question.

Together with the previous rule, it should block all of the URIs in your question, and more.


location ~* ^/?(index.php?)?rss/(order/new|catalog/notifystock|catalog/review) { return 403; }

This is also a regular expression location and needs to be placed above any conflicting regular expression location block.

It will not match the first three URIs in your question, as it is missing the / between .php and rss.

Try:

location ~* ^(/index\.php)?/rss/(order/new|catalog/notifystock|catalog/review) { return 403; }

This rule needs to be placed above any conflicting regular expression location block, especially the location ~ \.php block.
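As an added check that is not part of the original answer, the following Python script models how nginx evaluates the rules discussed above against the six URIs from the question: prefix locations (^~) as a literal prefix test, regex locations (~ / ~*) as an anchored search, and regex ordering as first-match-wins, which is why a blocking rule placed below location ~ \.php never sees the /index.php/... URIs. It is a simplified model for these patterns only (no longest-prefix or exact-match handling) and uses Python's re in place of PCRE.

```python
import re

# The six URIs from the question, as nginx sees them in $uri (constructed test input).
URIS = [
    "/index.php/rss/catalog/notifystock",
    "/index.php/rss/catalog/review",
    "/index.php/rss/order/new",
    "/rss/catalog/notifystock",
    "/rss/catalog/review",
    "/rss/order/new",
]

# Regex bodies from the page: the questioner's last attempt and the corrected form.
ORIGINAL = r"^/?(index.php?)?rss/(order/new|catalog/notifystock|catalog/review)"
CORRECTED = r"^(/index\.php)?/rss/(order/new|catalog/notifystock|catalog/review)"


def regex_location_matches(pattern, uri, case_insensitive=True):
    """Emulate 'location ~' (case-sensitive) or 'location ~*' (case-insensitive):
    nginx searches the pattern in the normalized URI, so '^' anchors at its start."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(pattern, uri, flags) is not None


def prefix_location_matches(prefix, uri):
    """Emulate 'location ^~ /prefix': a literal, case-sensitive prefix test."""
    return uri.startswith(prefix)


def blocked_by_regex(pattern):
    """Which of the six URIs a single regex location would deny."""
    return [u for u in URIS if regex_location_matches(pattern, u)]


def blocked_by_prefixes(prefixes):
    """Which of the six URIs a set of '^~' prefix locations would deny."""
    return [u for u in URIS if any(prefix_location_matches(p, u) for p in prefixes)]


def winning_regex_location(locations, uri):
    """Emulate regex location ordering: nginx takes the FIRST regex location in
    configuration order that matches, so a blocking rule placed after
    'location ~ \\.php' never sees /index.php/... URIs.
    'locations' is a list of (name, pattern); returns the winning name or None."""
    for name, pattern in locations:
        if regex_location_matches(pattern, uri):
            return name
    return None
```

Running blocked_by_regex(ORIGINAL) shows only the three URIs without index.php are caught, while blocked_by_regex(CORRECTED) and blocked_by_prefixes(["/index.php/rss/", "/rss/"]) both catch all six.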