Your .env file is available in public - how to prevent this

isscbta
Posts: 68
Joined: Mon Jul 19, 2021 1:41 am

Since this can be a big security issue, here are the steps to take in order to prevent exposing .env files to the public:

For the domain on which we are going to prevent access to the .env file, check which Proxy Template is active. In this example, let's suppose that would be 'proxy-pass-docker'.
[screenshot: image.png]
So the config files for this nginx template are these two:

Code:

/usr/local/vesta/data/templates/web/nginx/proxy-pass-docker.tpl
/usr/local/vesta/data/templates/web/nginx/proxy-pass-docker.stpl
We would take a certain line of code from: https://github.com/myvesta/vesta/blob/m ... g.stpl#L29
Particularly this one:

Code:

location ~ /\.env {return 404;}
And insert it in the two files mentioned above.

At the end, rebuild the nginx conf file with this:

Code:

v-rebuild-web-domains admin
Instead of admin, insert your account name.

myVesta
Site Admin
Posts: 766
Joined: Fri Jun 19, 2020 9:59 am

Automatically do it with:

Code:

# Rule to look for; templates that already contain it are left alone
NOTFOUNDVAL='.env'
# The existing .ht deny rule, and the same rule with the .env rule appended after it
OLDVAL="    location ~ \/\\\.ht    {return 404;}"
NEWVAL="    location ~ \/\\\.ht    {return 404;}\n    location ~ \/\\\.env   {return 404;}"
# Patch every .tpl/.stpl template that does not yet mention .env
# (xargs -r: do not run sed at all when no template needs patching)
find /usr/local/vesta/data/templates/web/nginx -type f \( -name "*.tpl" -or -name "*.stpl" \) -exec grep -L "$NOTFOUNDVAL" {} \; | xargs -r sed -i "s|$OLDVAL|$NEWVAL|g"

# Rebuild the nginx config of every myVesta account (system users with '@' in
# their /etc/passwd entry that also have a user.conf), then restart nginx
for user in $(grep '@' /etc/passwd |cut -f1 -d:); do
    if [ ! -f "/usr/local/vesta/data/users/$user/user.conf" ]; then
        continue;
    fi
    v-rebuild-web-domains $user 'no'
done
service nginx restart
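An added example, written for this thread and not taken from either post above nor from myVesta's own scripts: it performs the same edit as the manual steps in the first post and the one-liner in the second, but idempotently. The .env deny rule is inserted directly after the existing .ht rule only in templates that lack it, and there is a check that lists templates still missing the rule. The sample template, the temporary directory and the function names are constructed for the example and assume POSIX sh, awk, grep and find; on a real server the directory argument would be /usr/local/vesta/data/templates/web/nginx, followed by v-rebuild-web-domains and an nginx restart exactly as described above.

```shell
#!/bin/sh
# Added example, not myVesta's own code. Inserts the .env deny rule into an
# nginx template only when it is missing, and reports templates that lack it.

# The rule to add, exactly as it appears in the posts above.
RULE='    location ~ /\.env   {return 404;}'

# Constructed sample template that mimics a myVesta nginx template: it has
# the .ht deny rule but no .env rule. Only used for trying the functions out.
make_sample_template() {
    cat > "$1" <<'EOF'
server {
    listen      %ip%:%proxy_port%;
    server_name %domain_idn% %alias_idn%;
    location ~ /\.ht    {return 404;}
    location ~ /\.svn/  {return 404;}
}
EOF
}

# Exit 0 if the template already denies .env, 1 otherwise (fixed-string match).
has_env_rule() {
    grep -qF 'location ~ /\.env' "$1"
}

# Print how many .env deny rules a template contains (1 after a correct fix).
count_env_rules() {
    grep -cF 'location ~ /\.env' "$1"
}

# List every .tpl/.stpl under a template directory that has no .env rule
# (same idea as the find | grep -L pipeline in the post above).
templates_missing_env_rule() {
    find "$1" -type f \( -name '*.tpl' -o -name '*.stpl' \) \
        -exec grep -LF 'location ~ /\.env' {} +
}

# Add the .env rule directly after each .ht deny line. Safe to run twice:
# a template that already has the rule is left untouched. The rule text is
# passed through the environment so awk does not reinterpret the backslash.
add_env_rule() {
    f="$1"
    if has_env_rule "$f"; then
        return 0
    fi
    tmp="$f.tmp.$$"
    rule="$RULE" awk '
        { print }
        /location ~ \/\\\.ht/ { print ENVIRON["rule"] }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Apply the fix to every template in a directory that still lacks the rule.
add_env_rule_to_dir() {
    templates_missing_env_rule "$1" | while IFS= read -r f; do
        add_env_rule "$f"
    done
}
```

Point add_env_rule_to_dir at the nginx template directory, then rebuild the web domains and restart nginx as in the posts; has_env_rule is the quick check that a given template is covered before and after the rebuild. The rule is placed right after the .ht line so it sits with the other deny rules in the server block, and the awk pass rewrites to a temporary file first so a failed run never leaves a half-written template behind.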