From f6f3ebc3ca2e5fbfc64da6d9335fc85ee4df7b46 Mon Sep 17 00:00:00 2001
From: Ernesto Serrano <erseco@gmail.com>
Date: Sun, 23 Feb 2025 20:22:37 +0100
Subject: [PATCH] Added moodle.conf nginx configuration file to avoid some
 direct files (#75)

---
 rootfs/etc/nginx/server-conf.d/moodle.conf | 59 ++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 rootfs/etc/nginx/server-conf.d/moodle.conf

diff --git a/rootfs/etc/nginx/server-conf.d/moodle.conf b/rootfs/etc/nginx/server-conf.d/moodle.conf
new file mode 100644
index 0000000..c924a7b
--- /dev/null
+++ b/rootfs/etc/nginx/server-conf.d/moodle.conf
@@ -0,0 +1,59 @@
+# This passes 404 pages to Moodle so they can be themed
+error_page 404 /error/index.php;
+error_page 403 =404 /error/index.php;
+
+# Dedicated block to override error_page for any /fixtures/ requests
+location ~ /fixtures/ {
+    deny all;
+    return 404;
+}
+
+
+# TODO: Temporary block exact match for /privacy/tests/fixtures/logo.png (see issue #74)
+location = /privacy/tests/fixtures/logo.png {
+    deny all;
+    return 404;
+}
+
+# TODO: Temporary block exact match for /enrol/lti/tests/fixtures/input.xml (see issue #74)
+location =  /enrol/lti/tests/fixtures/input.xml {
+    deny all;
+    return 404;
+}
+
+# Block exact match for /admin/environment.xml
+location = /admin/environment.xml {
+    deny all;
+    return 404;
+}
+
+# Block exact match for /lib/db/install.xml
+location = /lib/db/install.xml {
+    deny all;
+    return 404;
+}
+
+# Block exact match for /mod/assign/db/install.xml
+location = /mod/assign/db/install.xml {
+    deny all;
+    return 404;
+}
+
+# Hide all dot files but allow "Well-Known URIs" as per RFC 5785
+location ~ /\.(?!well-known).* {
+    return 404;
+}
+
+# This should be after the php fpm rule and very close to the last nginx ruleset.
+# Don't allow direct access to various internal files. See MDL-69333
+location ~ (/vendor/|/node_modules/|composer\.json|/readme|/README|readme\.txt|README\.txt|upgrade\.txt|UPGRADING\.md|UPGRADING\-CURRENT\.md|db/install\.xml|/fixtures/|/behat/|phpunit\.xml|\.lock|environment\.xml|doesnotexist|CHANGELOG|CHANGELOG\.md|TRADEMARK\.txt|PULL_REQUEST_TEMPLATE\.txt|INSTALL\.txt|CONTRIBUTING\.txt|behat\.yml\.dist|phpunit\.xml\.dist|package\.json|npm-shrinkwrap\.json|security\.txt|index\.php\.inc) {
+    deny all;
+    return 404;
+}
+
+# Offload file serving from PHP process as per Moodle documentation
+location ~ ^/dataroot/(.*)$ {
+    internal;
+    alias /var/www/moodledata/$1;
+}
+