I am hosting an Express application on an Ubuntu server. I use nginx as the web server, and I configured nginx to serve the application with Passenger, which works. But when I type server.js or .env or the path to any other file, I can view the contents of the file, which is a big problem as anyone can steal all the backend code along with the .env file. I tried many things but nothing seems to work. Right now I am blocking access to .env and .js files with nginx as a temporary solution. The following is my configuration:
```nginx
server {
    server_name example.com;
    listen x.x.x.x;
    root /path/public_html/api;
    index index.php index.htm index.html;
    access_log /var/log/virtualmin/example.com_access_log;
    error_log /var/log/virtualmin/example.com_error_log;

    location ^~ /.well-known/acme-challenge/ {
        allow all;
        try_files $uri =404;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection Upgrade;
        proxy_set_header Host $host;
        passenger_enabled on;
        passenger_app_type node;
        passenger_startup_file server.js;
        passenger_app_root /path/public_html/api;
        passenger_nodejs /home/user/.nvm/versions/node/v20.11.1/bin/node;
    }

    listen x.x.x.x:443 ssl;
    ssl_certificate /etc/ssl/virtualmin/x/ssl.combined;
    ssl_certificate_key /etc/ssl/virtualmin/x/ssl.key;
}
```
I tried blocking access to sensitive files, but it's not a solution, as you may miss some files to block.
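The root cause in the configuration above is that `root` points at the application directory itself, so nginx treats every file there (server.js, .env, node_modules, and so on) as a static asset it may serve. Passenger's convention is that `root` points at a `public` subdirectory that contains only assets meant to be public, and `passenger_app_root` (by default the parent of `root`) holds the code. The following is an added example of a corrected server block, not configuration from the original post; the paths and the domain are the placeholders from the question, and the existence of a `/path/public_html/api/public` directory is an assumption (create it, even if empty).

```nginx
server {
    server_name example.com;
    listen x.x.x.x:443 ssl;
    ssl_certificate /etc/ssl/virtualmin/x/ssl.combined;
    ssl_certificate_key /etc/ssl/virtualmin/x/ssl.key;

    # Document root is the public-assets directory only (assumed to exist).
    # server.js, .env and the rest of the code live one level up and are
    # never inside the directory nginx serves files from.
    root /path/public_html/api/public;

    access_log /var/log/virtualmin/example.com_access_log;
    error_log /var/log/virtualmin/example.com_error_log;

    location ^~ /.well-known/acme-challenge/ {
        allow all;
        try_files $uri =404;
    }

    # Defense in depth: never serve dotfiles, even if one is copied into public/.
    location ~ /\. {
        deny all;
        return 404;
    }

    # Passenger runs the app in-process; no proxy_pass is needed
    # (mixing proxy_pass and passenger_enabled in one location is conflicting).
    passenger_enabled on;
    passenger_app_type node;
    passenger_startup_file server.js;
    passenger_app_root /path/public_html/api;
    passenger_nodejs /home/user/.nvm/versions/node/v20.11.1/bin/node;
}
```

After `nginx -t` and a reload, verify with `curl -I https://example.com/.env` and `curl -I https://example.com/server.js`: both should return 404 (or whatever your Express 404 handler returns), because the only files nginx will hand out directly are those under `public/`, and the application code is outside it. The dotfile `location` is a safety net, not the fix; the fix is keeping code out of the document root.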