MK8S-25: Disable HTTP directory listing for RPM repository

rdebay-scality · rdebay-scality · commit 73edc791686e · 2025-09-01T14:21:16.000+02:00
Security fix to prevent exposing repository structure on port 8080.
Changed autoindex from on to off in nginx configuration.

Related: RD-680
diff --git a/salt/metalk8s/repo/files/nginx.conf.j2 b/salt/metalk8s/repo/files/nginx.conf.j2
@@ -4,7 +4,9 @@ server {
 
     location / {
         root   /var/www/repositories;
-        autoindex on;
+        # Security fix: Disable directory listing to prevent exposing repository structure
+        # Fixes: MK8S-25, RD-680 - HTTP directory listing of redhat packages
+        autoindex off;
     }
 
     include conf.d/*.inc;

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,9 @@ server {`
`4`	`4`
`5`	`5`	`location / {`
`6`	`6`	`root /var/www/repositories;`
`7`		`- autoindex on;`
	`7`	`+ # Security fix: Disable directory listing to prevent exposing repository structure`
	`8`	`+ # Fixes: MK8S-25, RD-680 - HTTP directory listing of redhat packages`
	`9`	`+ autoindex off;`
`8`	`10`	`}`
`9`	`11`
`10`	`12`	`include conf.d/*.inc;`