
nginx's Introduction

PlaceOS

This repository defines PlaceOS platform releases. It provides new release notification and the canonical reference for the platform's release history.

Platform Versioning

A PlaceOS deployment is a set of interdependent services and associated tools. Each of these has its own version number, test and release process. Platform versions overlay this to provide a set of compatible, deployable components.

A platform version looks like:

placeos-1.2104.1
        |  |   |
        |  |   revision
        |  |
        |  minor release (year, month)
        |
        major release

Major

Releases that share a major version are consistent for core features.

Moving to a new major version may include breaking changes and the removal of deprecated functionality. This covers both machine-facing interfaces (APIs, infrastructure) and human-facing ones (core platform concepts, UX).

Minor

Minor versions introduce new features that are forwards compatible.

Numbering reflects the original release packaging date (YYMM). This will perpetually increase, including across major versions.

When moving to a new minor version, deprecation warnings may appear in API responses and logging, but functionality will remain.

Revision

Revisions increment within each minor version, resetting to 0. These represent changes to address a bug, feature limitation or security vulnerability in the originally packaged minor release.

An increment to a release number can represent a change to one or more underlying services.

When operating a deployment, all components should use a consistent version.
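The numbering rules above (major for core compatibility, a YYMM minor that never decreases, a revision that resets to 0 on each new minor) are easy to get wrong in release tooling. The following Python is an added example, not PlaceOS project code: it parses version strings of the documented form, orders them, validates that a proposed release is a legal successor of the previous one, and checks that all components of a deployment run one consistent version. The rule that revisions within one minor increase by exactly one is an assumption of this example, not something the project states.

```python
"""Parse, order and validate PlaceOS platform version strings.

Added example, not PlaceOS project code. It encodes the numbering rules
described above: placeos-<major>.<YYMM>.<revision>, minor (YYMM) never
decreasing across releases, revision resetting to 0 on a new minor or
major. That revisions within one minor increase by exactly one is an
assumption of this example, not a rule stated by the project.
"""
import re
from dataclasses import dataclass
from functools import total_ordering

VERSION_RE = re.compile(
    r"^placeos-(?P<major>\d+)\.(?P<minor>\d{4})\.(?P<revision>\d+)$"
)


@total_ordering
@dataclass(frozen=True)
class PlatformVersion:
    major: int
    minor: int      # packaging date as YYMM, e.g. 2104 for April 2021
    revision: int

    @classmethod
    def parse(cls, text: str) -> "PlatformVersion":
        m = VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a platform version: {text!r}")
        minor = int(m["minor"])
        if not 1 <= minor % 100 <= 12:      # month part must be a real month
            raise ValueError(f"minor {minor} is not a YYMM date")
        return cls(int(m["major"]), minor, int(m["revision"]))

    def __str__(self) -> str:
        return f"placeos-{self.major}.{self.minor:04d}.{self.revision}"

    def __lt__(self, other: "PlatformVersion") -> bool:
        # Major, then date-based minor, then revision: the natural release order
        return (self.major, self.minor, self.revision) < (
            other.major, other.minor, other.revision)

    def core_compatible(self, other: "PlatformVersion") -> bool:
        """Releases that share a major version are consistent for core features."""
        return self.major == other.major

    def change_kind(self, new: "PlatformVersion") -> str:
        """Classify the step from self to new as major, minor, revision or none."""
        if new.major != self.major:
            return "major"
        if new.minor != self.minor:
            return "minor"
        if new.revision != self.revision:
            return "revision"
        return "none"


def validate_successor(prev: PlatformVersion, new: PlatformVersion) -> str:
    """Check that new is a legal release after prev and return the step kind."""
    kind = prev.change_kind(new)
    if kind == "none":
        raise ValueError("a new release must differ from the previous one")
    if new.major < prev.major:
        raise ValueError("major version cannot go backwards")
    if new.minor < prev.minor:
        raise ValueError("minor (YYMM) perpetually increases, even across majors")
    if kind in ("major", "minor") and new.revision != 0:
        raise ValueError(f"revision must reset to 0 on a {kind} release")
    if kind == "revision" and new.revision != prev.revision + 1:
        # Assumption: revisions within a minor are numbered consecutively
        raise ValueError("revision must increase by exactly one")
    return kind


def consistent_deployment(components: dict) -> bool:
    """True when every component of a deployment runs the same platform version."""
    return len({PlatformVersion.parse(v) for v in components.values()}) == 1


if __name__ == "__main__":
    v1 = PlatformVersion.parse("placeos-1.2104.1")
    for candidate in ("placeos-1.2104.2", "placeos-1.2105.0",
                      "placeos-2.2105.0", "placeos-1.2103.0"):
        try:
            print(candidate, "->", validate_successor(v1, PlatformVersion.parse(candidate)))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

Run directly, the script walks a few candidate successors of placeos-1.2104.1 and reports which are accepted and why the others are rejected; `consistent_deployment` is the check an operator would run over the image tags of a live deployment.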

Channels

Release channels exist as a set of dynamic tags on service images. They provide a way to pair a PlaceOS instance with a release maturity suited to the deployment environment.

nightly

Collects the state of all services based on their primary branch and builds against upstream dependencies every 24 hours. Releases on this channel are automated and should not be considered stable. These are ephemeral and do not have a corresponding platform version.

Intended primarily for development environments.

latest

Main release channel.

Recommended for production environments.

preview

The latest preview build.

NOT recommended for production environments.

Release Artefacts

Docker

Images for all services are available from Docker Hub.

Source Code

References to all source repositories exist as submodules. If you have already cloned this repo, you can access these via git submodule update --init. These reference commits used to construct the built artefacts at each release.

CI Status

Libraries

Models

Resource

Driver

Services

Build

Core

Dispatch

Frontend Loader

Rest API

Search Ingest

Source

Staff API

Triggers

nginx's People

Contributors

caspiano, kimburgess, pkheav, stakach, tassja, viv-4, w-le

Forkers

viv-4 pkheav

nginx's Issues

Contents of `.git` directory exposed

Describe the bug
Interface repositories served with the default config enable retrieval of the contents of the .git directory. While directory listing is not enabled, this does allow for the retrieval of specific files resulting in information disclosure for frontend assets.

To Reproduce
Query <domain>/<interface>/.git/HEAD (or other well known file).

Expected behavior
The server should respond with an HTTP 403, or potentially a 404.

Additional context
Additional protection should potentially be added to PlaceOS/frontends to separate file system locations for cached deployment assets from the upstream source and what is being served; however, protection here makes sense also.

.git Vulnerability Identified in URL Path

I found a git repository on https://pwcme.dev.place.tech/.git. This endpoint allows an attacker to retrieve much of the source code and git history for this service, which could potentially reveal sensitive information; it all depends on what is stored there.
Example:

https://url/.git/FETCH_HEAD
https://url/.git/HEAD
https://url/.git/config
https://url/.git/logs/HEAD
https://url/.git/logs/refs/remotes/origin/master
https://url/.git/refs/remotes/origin/master
https://url/.gitlab-ci.yml
https://url/.git/index

Mitigation

The restricted access (403 forbidden) is enabled only on /.git and not their subfolders. You just need to add all the git subfolders to the same rule.

Impact

An attacker can get information just by dumping data using the .git repository.

POC: -
Open given URLs and see the response

  1. https://pwcme.dev.place.tech/.git/config
  2. https://pwcme.dev.place.tech/.git/HEAD
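Both reports above describe the same gap: a deny rule that matches only the /.git directory itself, while the server still serves /.git/HEAD, /.git/config, /.gitlab-ci.yml and nested <interface>/.git/... paths. In nginx the usual fix is one regex location over any dot-prefixed path segment, for example `location ~ /\.(?!well-known) { deny all; }`, which covers every subfolder at any depth in a single rule (the `.well-known` exception keeps ACME challenges reachable). The Python below is an added example, not PlaceOS or nginx project code: it models the narrow rule and the broad rule as path predicates (decoding `%2E` and collapsing `..` first, as nginx does before matching locations), and runs the broad predicate over access-log lines to flag dotfile requests that were answered 2xx, which is the check an operator wants both to confirm the fix and to see whether anyone probed before it landed. The log lines and the `/backoffice` interface name are constructed samples.

```python
r"""Dotfile path policy and access-log check for exposed .git directories.

Added example, not PlaceOS or nginx project code. exact_git_rule_matches()
models a deny rule that only matches the /.git directory itself (the gap the
reports describe); is_dotfile_path() models the broader `location ~ /\.`
rule that covers every dot-prefixed segment at any depth. scan_access_log()
applies the broad predicate to nginx "combined" log lines and flags probes
that were answered 2xx. Log lines and the /backoffice interface name below
are constructed samples.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# nginx combined format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one client probing .git paths, plus benign traffic
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2021:10:15:02 +0000] "GET /.git HTTP/1.1" 403 153 "-" "curl/7.68.0"
203.0.113.7 - - [21/Apr/2021:10:15:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"
203.0.113.7 - - [21/Apr/2021:10:15:04 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/7.68.0"
203.0.113.7 - - [21/Apr/2021:10:15:05 +0000] "GET /backoffice/.git/index HTTP/1.1" 200 8810 "-" "curl/7.68.0"
203.0.113.7 - - [21/Apr/2021:10:15:06 +0000] "GET /%2Egit/logs/HEAD HTTP/1.1" 200 140 "-" "curl/7.68.0"
198.51.100.4 - - [21/Apr/2021:10:16:00 +0000] "GET /.well-known/acme-challenge/token HTTP/1.1" 200 87 "-" "acme-client"
198.51.100.9 - - [21/Apr/2021:10:17:00 +0000] "GET /backoffice/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def normalise_path(target: str) -> str:
    """Decode %XX and collapse '.', '..' and '//', as nginx does before matching."""
    path = unquote(urlsplit(target).path) or "/"
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def exact_git_rule_matches(target: str) -> bool:
    """A rule that only matches the top-level .git directory, nothing beneath it."""
    return normalise_path(target) == "/.git"


def is_dotfile_path(target: str, allow_prefixes=("/.well-known/",)) -> bool:
    r"""Equivalent of `location ~ /\.`: any segment beginning with a dot, at any depth.

    allow_prefixes keeps paths such as ACME challenges reachable, as the
    nginx pattern `location ~ /\.(?!well-known)` would.
    """
    path = normalise_path(target)
    if any(path.startswith(p) for p in allow_prefixes):
        return False
    return any(seg.startswith(".") for seg in path.split("/") if seg)


def scan_access_log(lines):
    """One record per dotfile request; exposed=True means it was served (2xx)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_dotfile_path(m["target"]):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "path": normalise_path(m["target"]),
            "status": status,
            "exposed": 200 <= status < 300,
        })
    return findings


def exposures(lines):
    """Only the dotfile requests that actually leaked content."""
    return [f for f in scan_access_log(lines) if f["exposed"]]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        verdict = "EXPOSED" if f["exposed"] else "blocked"
        narrow = "yes" if exact_git_rule_matches(f["path"]) else "no"
        print(f"{verdict:8} {f['status']} {f['path']}  (narrow rule matches: {narrow})")
```

On the sample log the narrow rule matches only the first request (`/.git`, already 403); the four requests beneath it, including the percent-encoded one, are reported as exposed, which is exactly the behaviour the reporters observed. Feed real access logs to `exposures()` after deploying the broad rule: it should return an empty list.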
