From 534f7187c4820f892d4429fe5b0959cf90467ab6 Mon Sep 17 00:00:00 2001
From: "Patrik J. Braun"
Date: Sat, 10 Dec 2022 00:57:31 +0100
Subject: [PATCH] Restricting non get methods to the /pgapi subdomain in the recommended nginx config #214, #519
---
 docker/docker-compose/default/nginx.conf | 15 ++++++++++++++-
 docker/docker-compose/with-mysql/nginx.conf | 15 ++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/docker/docker-compose/default/nginx.conf b/docker/docker-compose/default/nginx.conf
index 7b9581fc..aa348352 100644
--- a/docker/docker-compose/default/nginx.conf
+++ b/docker/docker-compose/default/nginx.conf
@@ -56,7 +56,9 @@ http {
 gzip on;
- location / {
+ # Only allow all methods (GET,POST,PUT,etc..) for root (/pgapi).
+ # see https://github.com/bpatrik/pigallery2/issues/214
+ location /pgapi {
 proxy_pass http://pigallery2:80; # forwarding to the other container, named 'pigallery2'
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
@@ -65,6 +67,17 @@ http {
 proxy_cache_bypass $http_upgrade;
 }
+ location / {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass http://pigallery2:80; # forwarding to the other container, named 'pigallery2'
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ }
 listen 443 ssl default_server;
 listen [::]:443 ssl default_server;
diff --git a/docker/docker-compose/with-mysql/nginx.conf b/docker/docker-compose/with-mysql/nginx.conf
index ef4ea867..adc6fd03 100644
--- a/docker/docker-compose/with-mysql/nginx.conf
+++ b/docker/docker-compose/with-mysql/nginx.conf
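Review bot: `location /pgapi {` is a plain prefix match, so it also captures paths such as `/pgapiXYZ` and gives them the unrestricted all-methods treatment instead of the GET/HEAD-only policy of `location /`; if every API route lives below `/pgapi/`, `location /pgapi/ {` is the tighter boundary, though that depends on routes not visible in this patch. The added comment also describes `/pgapi` as the root, which is the opposite of what the two blocks now do; `# Allow all HTTP methods only under the /pgapi API prefix; every other path is limited to GET/HEAD in the location / block below.` states the policy as implemented. The same hunk appears in docker/docker-compose/with-mysql/nginx.conf and needs the same adjustment. The enclosing server block starts and ends outside the hunk.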
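Review bot: `limit_except GET { deny all; }` permits HEAD as well, because nginx treats allowing GET as allowing HEAD; the intent is sound, but nothing in the config says so, so a short comment beside it helps the next maintainer: `# limit_except GET implicitly allows HEAD too; POST, PUT, DELETE, ... to non-API paths are answered 403 by nginx without reaching the backend.` The six proxy_* directives are now duplicated verbatim between `location /pgapi` and `location /`, so a future tweak to one block (for example the WebSocket Upgrade headers) can silently miss the other; moving them into a shared snippet pulled in with `include` in both locations keeps the two in step. The identical hunk in docker/docker-compose/with-mysql/nginx.conf has the same two points. The enclosing server block starts and ends outside the hunk.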
@@ -56,7 +56,9 @@ http {
 gzip on;
- location / {
+ # Only allow all methods (GET,POST,PUT,etc..) for root (/pgapi).
+ # see https://github.com/bpatrik/pigallery2/issues/214
+ location /pgapi {
 proxy_pass http://pigallery2:80; # forwarding to the other container, named 'pigallery2'
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
@@ -65,6 +67,17 @@ http {
 proxy_cache_bypass $http_upgrade;
 }
+ location / {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass http://pigallery2:80; # forwarding to the other container, named 'pigallery2'
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ }
 listen 443 ssl default_server;
 listen [::]:443 ssl default_server;