Restricting non get methods to the /pgapi subdomain in the recommended nginx config #214, #519

docker/docker-compose/default/nginx.conf

@@ -56,7 +56,9 @@ http {
 	  gzip on;
 
 
-    location / {
+    # Only allow all methods (GET,POST,PUT,etc..) for root (/pgapi).
+    # see https://github.com/bpatrik/pigallery2/issues/214
+    location /pgapi {
       proxy_pass http://pigallery2:80; # forwarding to the other container, named 'pigallery2'
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
@@ -65,6 +67,17 @@ http {
       proxy_cache_bypass $http_upgrade;
     }
 
+    location / {
+      limit_except GET {
+        deny  all;
+      }
+      proxy_pass http://pigallery2:80; # forwarding to the other container, named 'pigallery2'
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection 'upgrade';
+      proxy_set_header Host $host;
+      proxy_cache_bypass $http_upgrade;
+    }
 
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;

docker/docker-compose/with-mysql/nginx.conf

@@ -56,7 +56,9 @@ http {
 	  gzip on;
 
 
-    location / {
+    # Only allow all methods (GET,POST,PUT,etc..) for root (/pgapi).
+    # see https://github.com/bpatrik/pigallery2/issues/214
+    location /pgapi {
       proxy_pass http://pigallery2:80; # forwarding to the other container, named 'pigallery2'
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
@@ -65,6 +67,17 @@ http {
       proxy_cache_bypass $http_upgrade;
     }
 
+    location / {
+      limit_except GET {
+        deny  all;
+      }
+      proxy_pass http://pigallery2:80; # forwarding to the other container, named 'pigallery2'
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection 'upgrade';
+      proxy_set_header Host $host;
+      proxy_cache_bypass $http_upgrade;
+    }
 
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;