This section goes over how to harden nginx, specifically around which files on the web server get exposed. By default every file under the web root is served: if someone requests https://yoursite.com/file.pdf, they get its contents, and the same goes for every other file in that directory. The point is to control what the end user can and cannot fetch. I needed this for the project I just finished, a portfolio-style website that showcases links to my social platforms and several other sites. It was built with html5up, which is an amazing source of html and css templates.
Support their organization, as they create work for the open source community. Anyway, I deployed the html and css files to my nginx server and made sure everything was served properly. The nginx server already existed, since it had been used to test ssl configurations. So I just removed the old index and css files and fetched the template zip with curl. Once it was unpacked, I customized the html file to my liking, adding some things and removing others. Exposing the file was easy: I just needed an href pointing at '/file.pdf'.
As mentioned, all files in the web root are accessible to the end user by default. The stock configuration carries this directive in the 'location /' block:
try_files $uri $uri/ =404;
nginx first tries to serve the requested path as a file, then as a directory, and otherwise returns a 404. Note that this directive is not what makes the files public: nginx serves static files out of the root whether or not it is present, and try_files only controls the lookup order, so commenting it out does not lock anything down. The practical consequence is that a bot or scanner can crawl your whole web directory and find files that should never have been published. In my case I wanted the end user to see exactly one file; the others are just extras from the .zip.
Another thing to note: you can specify which index file nginx serves when the fqdn (or any directory) is requested without a file name. The packaged default lists several html and htm names, so locking it down to a single 'index.html' makes serving the site simpler and avoids surprises from a stray index.htm left over in a template.
My first attempt was this little section:
location /file.pdf {
    root /path/to/file;   # directory that holds file.pdf; nginx appends the uri to root
    allow all;
}
This allows access to the .pdf and defines the directory it is served from. Below it goes the 'location /' block, set to 'deny all;', and if 'try_files' is still there, comment it out. The same pattern could expose several files if need be; it depends on the use case.
Okay, so it turns out this whole thing is wrong: 'deny all;' in 'location /' removes access to your entire website, because the browser can no longer fetch the css (or images, or anything else) that the html references. In reality you leave the web root readable, which it already is by default, and restrict access to the specific files that should not be public. In my case the template ships a text file with instructions on how to use it, so I created a location for that text file and put 'return 404;' in it. That way the whole website stays accessible, css included, while the extra file looks like it doesn't exist. Returning 404 is also preferable to 'deny all;' for hiding individual files, since a 403 tells a scanner that the path exists and is merely forbidden.
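Here is what the corrected approach looks like as a complete server block, added here as an example rather than copied from the original post. The web root, the server name, and the file names are assumptions: README.txt and LICENSE.txt are what an html5up zip typically contains, but check the actual contents of your unpacked root and adjust the list. It also goes slightly beyond the single text file by hiding the original archive, backup files, and dotfiles with the same technique.

```nginx
server {
    listen 443 ssl;
    server_name yoursite.com;    # assumed hostname

    root /var/www/portfolio;     # assumed web root where the html5up zip was unpacked
    index index.html;            # a single index file instead of the distro's html/htm list

    # Hide the leftover template files. 'location =' is an exact match, so
    # /README.txt.bak or /README.txtfoo are not swallowed by this block, and
    # 'return 404' makes the file look absent rather than forbidden (a 403
    # would confirm to a scanner that the file is there).
    location = /README.txt  { return 404; }
    location = /LICENSE.txt { return 404; }

    # Same treatment for the downloaded archive and any stray dotfiles,
    # backups, or editor swap files. Regex locations match anywhere in the URI,
    # so these cover subdirectories too.
    location ~ /\.                           { return 404; }   # .git, .env, .htaccess ...
    location ~* \.(zip|tar|gz|bak|orig|swp)$ { return 404; }   # assumed list of extensions

    # The pdf needs no special block: it sits in the root and is served by the
    # default location below, exactly like the css and images the html references.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

After 'nginx -t' and 'nginx -s reload', confirm the result with curl: a request for /README.txt should answer 404, while /file.pdf and your css path (assets/css/main.css in most html5up templates) should still answer 200. Keep in mind that 'return 404' only hides the path over http; the file is still on disk, so anything actually secret (keys, configuration, the unpacked zip) should be deleted or moved out of the web root rather than left behind a location block.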