Update 404 rules for md files, closes #93

- Drupal preset: .md files excluded from the default not found regex
- Drupal preset: CHANGELOG, README, INSTALL, FAQ, LICENSE md files in modules directory now return 404
- WP preset: CHANGELOG, README, INSTALL, FAQ, LICENSE md files in plugins directory now return 404

Author: csandanov

Makefile

@@ -66,12 +66,11 @@ buildx-imagetools-create:
 .PHONY: buildx-imagetools-create
 
 test:
-#	cd ./tests/basic && IMAGE=$(REPO):$(TAG) ./run.sh
-#	cd ./tests/php && IMAGE=$(REPO):$(TAG) ./run.sh
-#	cd ./tests/wordpress && IMAGE=$(REPO):$(TAG) ./run.sh
-#	cd ./tests/drupal/11 && IMAGE=$(REPO):$(TAG) ./run.sh
+	cd ./tests/basic && IMAGE=$(REPO):$(TAG) ./run.sh
+	cd ./tests/php && IMAGE=$(REPO):$(TAG) ./run.sh
+	cd ./tests/wordpress && IMAGE=$(REPO):$(TAG) ./run.sh
+	cd ./tests/drupal/11 && IMAGE=$(REPO):$(TAG) ./run.sh
 	cd ./tests/drupal/10 && IMAGE=$(REPO):$(TAG) ./run.sh
-	cd ./tests/drupal/7 && IMAGE=$(REPO):$(TAG) ./run.sh
 	cd ./tests/matomo && PLATFORM=$(PLATFORM) IMAGE=$(REPO):$(TAG) ./run.sh
 
 push:

README.md

@@ -315,8 +315,9 @@ Overridden default values:
       add `$NGINX_WP_GOOGLE_XML_SITEMAP=1`
     - For plugin [Yoast SEO](https://kb.yoast.com/kb/xml-sitemaps-nginx/) add `$NGINX_WP_YOAST_XML_SITEMAP=1`
 - Default value of `NGINX_HEADERS_CONTENT_SECURITY_POLICY` overridden to `frame-ancestors: 'self'`
+- Files `INSTALL.md`, `README.md`, `LICENSE.md`, `FAQ.md` and `CHANGELOG.md` inside plugins directory return 404
 
-Default value of NGINX_WP_NOT_FOUND_REGEX (backspaces must be escaped) is: `.+\\.(?:txt|md|pot|sh|.*sql?)|(?:composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$`
+Default value of NGINX_WP_NOT_FOUND_REGEX (backspaces must be escaped) is: `.+\\.(?:txt|pot|sh|.*sql?)|(?:composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$`
 
 #### Drupal
 
@@ -329,14 +330,15 @@ Default value of NGINX_WP_NOT_FOUND_REGEX (backspaces must be escaped) is: `.+\\
 - Access to cert extensions gives 404 based on the value of `$NGINX_DRUPAL_NOT_FOUND_REGEX`
 - Default value of `NGINX_HEADERS_CONTENT_SECURITY_POLICY` overridden to `frame-ancestors: 'self'`
 - Set `NGINX_DRUPAL_REMOVE_INDEXPHP` to any value to remove `index.php` from the URL, e.g. `index.php/node/abc` will redirect to `/node/abc`
+- Files `INSTALL.md`, `README.md`, `LICENSE.md`, `FAQ.md` and `CHANGELOG.md` inside modules directory return 404
 
 Default value of `NGINX_DRUPAL_NOT_FOUND_REGEX` (backspaces must be escaped) is taken from Drupal's `.htaccess` and
 depends on the Drupal version:
 
 Drupal 11/10/9/8:
 
 ```
-\\.(engine|md|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$
+\\.(engine|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$
 ```
 
 Drupal 7:

templates/presets/drupal10.conf.tmpl

@@ -1,5 +1,5 @@
 {{ $static := (getenv "NGINX_STATIC_EXT_REGEX" "css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp") }}
-{{ $not_found_regex := (getenv "NGINX_DRUPAL_NOT_FOUND_REGEX" "\\.(engine|md|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$") }}
+{{ $not_found_regex := (getenv "NGINX_DRUPAL_NOT_FOUND_REGEX" "\\.(engine|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$") }}
 {{ $files_dir_static := (getenv "NGINX_DRUPAL_FILES_STATIC_EXT_REGEX" "txt") }}
 
 index index.php index.html;
@@ -110,6 +110,10 @@ location / {
         return 404;
     }
 
+    location ~* ^/(?:sites/[^/]+/)?modules/(contrib|custom)/[a-z0-9_-]+/(CHANGELOG|README|INSTALL|LICENSE|FAQ)\.md$ {
+        return 404;
+    }
+
     location ~* ^.+\.(?:{{ $static }})$ {
         access_log {{ getenv "NGINX_STATIC_ACCESS_LOG" "off" }};
         tcp_nodelay {{ getenv "NGINX_STATIC_TCP_NODELAY" "off" }};

templates/presets/drupal11.conf.tmpl

@@ -1,5 +1,5 @@
 {{ $static := (getenv "NGINX_STATIC_EXT_REGEX" "css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp") }}
-{{ $not_found_regex := (getenv "NGINX_DRUPAL_NOT_FOUND_REGEX" "\\.(engine|md|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$") }}
+{{ $not_found_regex := (getenv "NGINX_DRUPAL_NOT_FOUND_REGEX" "\\.(engine|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$") }}
 {{ $files_dir_static := (getenv "NGINX_DRUPAL_FILES_STATIC_EXT_REGEX" "txt") }}
 
 index index.php index.html;
@@ -110,6 +110,10 @@ location / {
         return 404;
     }
 
+    location ~* ^/(?:sites/[^/]+/)?modules/(contrib|custom)/[a-z0-9_-]+/(CHANGELOG|README|INSTALL|LICENSE|FAQ)\.md$ {
+        return 404;
+    }
+
     location ~* ^.+\.(?:{{ $static }})$ {
         access_log {{ getenv "NGINX_STATIC_ACCESS_LOG" "off" }};
         tcp_nodelay {{ getenv "NGINX_STATIC_TCP_NODELAY" "off" }};

templates/presets/drupal8.conf.tmpl

@@ -1,5 +1,5 @@
 {{ $static := (getenv "NGINX_STATIC_EXT_REGEX" "css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp") }}
-{{ $not_found_regex := (getenv "NGINX_DRUPAL_NOT_FOUND_REGEX" "\\.(engine|md|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$") }}
+{{ $not_found_regex := (getenv "NGINX_DRUPAL_NOT_FOUND_REGEX" "\\.(engine|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$") }}
 {{ $files_dir_static := (getenv "NGINX_DRUPAL_FILES_STATIC_EXT_REGEX" "txt") }}
 
 index index.php index.html;
@@ -116,6 +116,10 @@ location / {
         return 404;
     }
 
+    location ~* ^/(?:sites/[^/]+/)?modules/(contrib|custom)/[a-z0-9_-]+/(CHANGELOG|README|INSTALL|LICENSE|FAQ)\.md$ {
+        return 404;
+    }
+
     location ~* ^.+\.(?:{{ $static }})$ {
         access_log {{ getenv "NGINX_STATIC_ACCESS_LOG" "off" }};
         tcp_nodelay {{ getenv "NGINX_STATIC_TCP_NODELAY" "off" }};

templates/presets/drupal9.conf.tmpl

@@ -1,5 +1,5 @@
 {{ $static := (getenv "NGINX_STATIC_EXT_REGEX" "css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp") }}
-{{ $not_found_regex := (getenv "NGINX_DRUPAL_NOT_FOUND_REGEX" "\\.(engine|md|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$") }}
+{{ $not_found_regex := (getenv "NGINX_DRUPAL_NOT_FOUND_REGEX" "\\.(engine|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$") }}
 {{ $files_dir_static := (getenv "NGINX_DRUPAL_FILES_STATIC_EXT_REGEX" "txt") }}
 
 index index.php index.html;
@@ -110,6 +110,10 @@ location / {
         return 404;
     }
 
+    location ~* ^/(?:sites/[^/]+/)?modules/(contrib|custom)/[a-z0-9_-]+/(CHANGELOG|README|INSTALL|LICENSE|FAQ)\.md$ {
+        return 404;
+    }
+
     location ~* ^.+\.(?:{{ $static }})$ {
         access_log {{ getenv "NGINX_STATIC_ACCESS_LOG" "off" }};
         tcp_nodelay {{ getenv "NGINX_STATIC_TCP_NODELAY" "off" }};

templates/presets/wordpress.conf.tmpl

@@ -1,5 +1,5 @@
 {{ $static := (getenv "NGINX_STATIC_EXT_REGEX" "css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp") }}
-{{ $not_found_regex := (getenv "NGINX_WP_NOT_FOUND_REGEX" ".+\\.(?:txt|md|pot|sh|.*sql?)|(?:composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$") }}
+{{ $not_found_regex := (getenv "NGINX_WP_NOT_FOUND_REGEX" ".+\\.(?:txt|pot|sh|.*sql?)|(?:composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$") }}
 
 index index.php index.html;
 
@@ -69,6 +69,10 @@ location / {
         return 404;
     }
 
+    location ~* ^/wp-content/plugins/[a-z0-9_-]+/(CHANGELOG|README|INSTALL|LICENSE|FAQ)\.md$ {
+        return 404;
+    }
+
     location ~* /(?:uploads|files)/.*\.php$ {
         deny all;
     }

tests/drupal/11/run.sh

@@ -10,6 +10,10 @@ nginx_exec() {
     docker compose exec -T nginx "${@}"
 }
 
+drupal_exec() {
+    docker compose exec -T drupal "${@}"
+}
+
 clean_exit() {
   docker compose down -v
 }
@@ -19,6 +23,15 @@ docker compose up -d
 
 nginx_exec make check-ready -f /usr/local/bin/actions.mk
 
+drupal_exec mkdir -p web/sites/abc/modules/contrib/test
+drupal_exec mkdir -p web/modules/contrib/test
+drupal_exec touch web/sites/abc/modules/contrib/test/CHANGELOG.md
+drupal_exec touch web/sites/abc/modules/contrib/test/README.md
+drupal_exec touch web/sites/abc/modules/contrib/test/INSTALL.md
+drupal_exec touch web/modules/contrib/test/CHANGELOG.md
+drupal_exec touch web/modules/contrib/test/README.md
+drupal_exec touch web/modules/contrib/test/INSTALL.md
+
 # TODO: check endpoints of installed Drupal
 
 echo "Checking Drupal endpoints"
@@ -66,4 +79,13 @@ nginx_exec curl -s -S -I "localhost/redirect-internal-permanent" | grep '301 Mov
 echo -n "Checking user-defined external redirect... "
 nginx_exec curl -s -S -I "localhost/redirect-external" | grep '302 Moved Temporarily'
 echo -n "Checking CSP header...   "
-nginx_exec curl -s -S -I "localhost" | grep "frame-ancestors 'self'"
+nginx_exec curl -s -S -I "localhost" | grep "frame-ancestors 'self'"
+
+echo -n "Checking modules md files...   "
+nginx_exec curl -s -S -I "localhost/modules/contrib/test/README.md" | grep "404 Not Found"
+nginx_exec curl -s -S -I "localhost/modules/contrib/test/INSTALL.md" | grep "404 Not Found"
+nginx_exec curl -s -S -I "localhost/modules/contrib/test/CHANGELOG.md" | grep "404 Not Found"
+
+nginx_exec curl -s -S -I "localhost/sites/abc/modules/contrib/test/README.md" | grep "404 Not Found"
+nginx_exec curl -s -S -I "localhost/sites/abc/modules/contrib/test/INSTALL.md" | grep "404 Not Found"
+nginx_exec curl -s -S -I "localhost/sites/abc/modules/contrib/test/CHANGELOG.md" | grep "404 Not Found"

tests/wordpress/run.sh

@@ -21,6 +21,11 @@ docker compose up -d
 docker compose exec -T nginx make check-ready -f /usr/local/bin/actions.mk
 docker compose exec -T wordpress make init -f /usr/local/bin/actions.mk
 
+docker compose exec -T wordpress mkdir -p web/wp-content/plugins/test
+docker compose exec -T wordpress touch web/wp-content/plugins/test/CHANGELOG.md
+docker compose exec -T wordpress touch web/wp-content/plugins/test/README.md
+docker compose exec -T wordpress touch web/wp-content/plugins/test/INSTALL.md
+
 echo -n "Checking homepage endpoint... "
 check_endpoint "" "302 Found"
 
@@ -53,3 +58,8 @@ check_endpoint "non-existing.php" "404 Not Found"
 
 echo -n "Check CSP header...   "
 check_endpoint "" "frame-ancestors 'self'"
+
+echo -n "Checking modules md files...   "
+check_endpoint "wp-content/plugins/test/README.md" "404 Not Found"
+check_endpoint "wp-content/plugins/test/INSTALL.md" "404 Not Found"
+check_endpoint "wp-content/plugins/test/CHANGELOG.md" "404 Not Found"