Monthly Archives: January 2013

Nginx and locking down your WEB-INF folder

I was working on some URL rewriting rules on my server this evening when I was taking a break at work. Just out of curiosity I tried hitting some of the files that are available in the WEB-INF directory and was surprised to find out that I could easily view all my context logs and anything that was not a ColdFusion template. In retrospect, I should not have been surprised but I should have taken steps to prevent that from ever happening.

I have a drop.conf file that gets loaded on every site so blocking directory access on all my sites was just a matter of adding the directive to block access to the directory and restarting nginx.

In hindsight, I should have checked that a long time ago. Hopefully someone will learn from my mistake.