Improve Nginx config to prevent php injection in uri

First check if php script exists before calling php-fpm.
2013-11-12 23:21:08 +01:00 · 2013-11-12 23:21:08 +01:00 · f55fec9ace
commit f55fec9ace
parent 428e0c8945
1 changed files with 12 additions and 2 deletions
--- a/doc/install/sample-nginx.conf
+++ b/doc/install/sample-nginx.conf
@ -98,16 +98,26 @@ server {
  # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
  # or a unix socket
  location ~* \.php$ {
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    # Zero-day exploit defense.
+    # http://forum.nginx.org/read.php?2,88845,page=3
+    # Won't work properly (404 error) if the file is not stored on this
+    # server, which is entirely possible with php-fpm/php-fcgi.
+    # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
+    # another machine.  And then cross your fingers that you won't get hacked.
+    try_files $uri =404;
+
    # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;

    # With php5-cgi alone:
    # fastcgi_pass 127.0.0.1:9000;

    # With php5-fpm:
    fastcgi_pass unix:/var/run/php5-fpm.sock;
-    fastcgi_index index.php;
+
    include fastcgi_params;
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }

  # deny access to all dot files