From 506e571e235b4a24852926d235ca4f46ce784440 Mon Sep 17 00:00:00 2001
From: Casey Rapnicki
Date: Thu, 2 Jan 2025 15:08:32 -0500
Subject: [PATCH] DIGITAL-000: Fix NGINX routing to styles path.

---
 terraform/.gitignore | 1 +
 .../nginx-waf/nginx/conf.d/default.conf | 115 ++++++++++++++++--
 .../nginx-waf/nginx/snippets/x-security.conf | 2 +
 3 files changed, 106 insertions(+), 12 deletions(-)
 create mode 100644 terraform/applications/nginx-waf/nginx/snippets/x-security.conf

diff --git a/terraform/.gitignore b/terraform/.gitignore
index 15b963fd..624a59bc 100755
--- a/terraform/.gitignore
+++ b/terraform/.gitignore
@@ -50,4 +50,5 @@ applications/caddy-proxy/*.acl
 applications/nginx-waf/modules/*
 applications/nginx-waf/nginx/snippets/*.conf
 !applications/nginx-waf/nginx/snippets/owasp*.conf
+!applications/nginx-waf/nginx/snippets/x*.conf
 !applications/nginx-waf/packages/*
\ No newline at end of file
diff --git a/terraform/applications/nginx-waf/nginx/conf.d/default.conf b/terraform/applications/nginx-waf/nginx/conf.d/default.conf
index f5fd2901..6f44de53 100644
--- a/terraform/applications/nginx-waf/nginx/conf.d/default.conf
+++ b/terraform/applications/nginx-waf/nginx/conf.d/default.conf
@@ -37,7 +37,7 @@ server {
         break;
     }
 
-    location @rewrite {
+    location ^~ /s3/files {
         set $port 8883;
         proxy_redirect off;
         proxy_connect_timeout 300;
@@ -47,14 +47,7 @@ server {
         proxy_set_header Host $cf_forwarded_host;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Real-IP $remote_addr;
-        error_page 403 = @fourohfour_english;
-    }
-
-    # Required by Drupal/S3FS Module
-    # Proxy request for image styles to CMS
-    # Harvested from https://github.com/usagov/vote-gov-tf/blob/main/applications/nginx-waf/nginx/conf.d/default.conf#L214C3-L219C4
-    location ^~ /s3/files {
-        try_files $uri @rewrite;
+        error_page 403 =404 @fourohfour_english;
     }
 
     location / {
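Review bot: The `location ^~ /s3/files {` introduced on the changed line of the `@@ -37,7 +37,7 @@` hunk shadows the `location ~ /s3/files/styles/` block that the `@@ -106,9 +99,107 @@` hunk adds, because a `^~` prefix match makes nginx skip regex locations entirely, so every URI beginning with /s3/files/styles/ still lands on this port-8883 proxy and the styles block is never reached. Dropping the modifier, `location /s3/files {`, lets the styles regex win for those URIs while this block keeps catching the rest of /s3/files, which appears to be what the commit title is after. This block and the enclosing `server {` both continue outside the hunk, but the prefix-versus-regex rule does not depend on the order of the blocks, so nothing further down can restore the regex match.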
@@ -66,7 +59,7 @@ server {
         proxy_set_header Host $cf_forwarded_host;
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Real-IP $remote_addr;
-        error_page 403 = @fourohfour_english;
+        error_page 403 =404 @fourohfour_english;
     }
 }
@@ -106,9 +99,107 @@ server {
         access_log off;
         default_type text/plain;
-        return 403 'Forbidden by USAGov';
+        return 403 'Forbidden by Digital.gov';
         break;
-        # redirect to homepage usa.gov
+    }
+
+    include nginx/snippets/x-security.conf;
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~ \..*/.*\.php$ {
+        return 403;
+    }
+
+    location ~ ^/sites/.*/private/ {
+        return 403;
+    }
+
+    # Block access to scripts in site files directory
+    location ~ ^/sites/[^/]+/files/.*\.php$ {
+        deny all;
+    }
+
+    # Allow "Well-Known URIs" as per RFC 5785
+    location ~* ^/.well-known/ {
+        allow all;
+    }
+
+    # Block access to "hidden" files and directories whose names begin with a
+    # period. This includes directories used by version control systems such
+    # as Subversion or Git to store control files.
+    location ~ (^|/)\. {
+        return 403;
+    }
+
+    # Protect files and directories from prying eyes.
+    location ~* \.(?:engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(?:\.php)?|xtmpl|yml)(?:~|\.sw[op]|\.bak|\.orig|\.save)?(?:$|/) {
+        deny all;
+        return 404;
+    }
+
+    location ~* ^/(\.(?!well-known/).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))(?:/|$)|^/#.*#(?:/|$)|\.php(?:~|\.sw[op]|\.bak|\.orig|\.save)(?:/|$) {
+        deny all;
+        return 404;
+    }
+
+    # Add patterns here to block files located anywhere in the site.
+    location ~* /README\.md {
+        deny all;
+        return 404;
+    }
+
+    location ~* ^/(update\.php|test\.txt|README\.md|LICENSE\.txt|install\.php|INSTALL(\..*?)?\.txt)(?:/|$) {
+        deny all;
+        return 404;
+    }
+
+    # Don't allow access to generated php files.
+    location = /sites/default/files/php {
+        deny all;
+        return 404;
+    }
+
+    location ^~ /sites/default/files/php/ {
+        deny all;
+        return 404;
+    }
+
+    location ^~ /vendor/ {
+        deny all;
+        return 404;
+    }
+
+    location ~* /autoload.php {
+        deny all;
+        return 404;
+    }
+
+    #Dont allow direct access to *.(css|js).gz files.
+    location ~ /sites/default/files/(css/.*\.css|js/.*\.js)\.gz(?:/|$) {
+        deny all;
+        return 404;
+    }
+
+    location @rewrite {
+        rewrite ^ /index.php;
+        include nginx/snippets/proxy-to-app.conf;
+    }
+
+    #Required by Drupal/S3FS Module
+    #Proxy request for image styles to CMS
+    location ~ /s3/files/styles/ {
+        try_files $uri @rewrite;
+        include nginx/snippets/proxy-to-app.conf;
     }
 
     location / {
diff --git a/terraform/applications/nginx-waf/nginx/snippets/x-security.conf b/terraform/applications/nginx-waf/nginx/snippets/x-security.conf
new file mode 100644
index 00000000..e8fa11c6
--- /dev/null
+++ b/terraform/applications/nginx-waf/nginx/snippets/x-security.conf
@@ -0,0 +1,2 @@
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
\ No newline at end of file
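Review bot: In the `location ~ /s3/files/styles/` block at the end of this hunk, `try_files $uri @rewrite;` looks the requested path up on the WAF's own filesystem, and on a host that only proxies that lookup presumably never succeeds, so the request is always handed to `@rewrite` and the `include nginx/snippets/proxy-to-app.conf;` on the next line is dead; either the `try_files` line goes (if this block is meant to proxy style requests itself) or the include goes (if the `@rewrite` path via `/index.php` is the intended route), and the comment above the block should say which. The regex is also unanchored, so it matches `/s3/files/styles/` anywhere in a URI; `location ~ ^/s3/files/styles/ {` limits it to the path prefix the comment describes. A point of style in the `deny all; return 404;` pairs throughout the hunk: `return` runs in the rewrite phase, before access directives are evaluated, so `deny all` has no effect there and one directive per block would state the intent more honestly. The enclosing `server {` starts before this hunk and is not closed within it.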
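Review bot: `X-XSS-Protection "1; mode=block"` on the second line of the new file is a legacy header that current browsers ignore, and the filter implementations it used to enable were themselves a source of trouble, so the usual guidance is to send `add_header X-XSS-Protection "0" always;` (or drop it) and carry the protection in a `Content-Security-Policy` header, which can also state the frame policy via `frame-ancestors 'self'` next to `X-Frame-Options`. Note too how nginx inherits `add_header`: these server-level headers reach only locations that set no `add_header` of their own, so if `proxy-to-app.conf` or any location in default.conf adds a header, responses from that path silently lose both of these; worth checking a response from a proxied path before relying on them. The file is created without a trailing newline, as the `\ No newline at end of file` marker shows.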