A little assistance with nginx and php-fpm config


MikHo Member
edited September 2012 in Help

I'm having some trouble after adding an IP check on a subdirectory.

        location ~ ^/info {
                allow 192.168.1.88/32; # To give one ip access
        ##      allow 192.168.1.0/24; # To give a whole network access
                deny all;
                include /etc/nginx/php.conf;
        }

The block works: only the dedicated IP can access this directory. The problem is that index.php gets downloaded.

This is the php.conf:

# Route all requests for non-existent files to index.php
location ~* / {
        try_files $uri $uri/ ~* /index.php$is_args$args;
}

# Pass PHP scripts to php-fastcgi listening on port 9000
location ~ \.php$ {

        # Zero-day exploit defense.
        # http://forum.nginx.org/read.php?2,88845,page=3
        # Won't work properly (404 error) if the file is not stored on
        # this server,  which is entirely possible with php-fpm/php-fcgi.
        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi
        # on another machine.  And then cross your fingers that you won't get hacked.
        try_files $uri =404;

        include fastcgi_params;

        # Keep these parameters for compatibility with old PHP scripts using them.
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Some default config
        fastcgi_connect_timeout        20;
        fastcgi_send_timeout          180;
        fastcgi_read_timeout          180;
        fastcgi_buffer_size          128k;
        fastcgi_buffers            4 256k;
        fastcgi_busy_buffers_size    256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_intercept_errors    on;
        fastcgi_ignore_client_abort off;
        fastcgi_pass 127.0.0.1:9000;

}
# PHP search for file Exploit:
# The PHP regex location block fires instead of the try_files block. Therefore we need
# to add "try_files $uri =404;" to make sure that "/uploads/virusimage.jpg/hello.php"
# never executes the hidden php code inside virusimage.jpg because it can't find hello.php!
# The exploit also can be stopped by adding "cgi.fix_pathinfo = 0" in your php.ini file.

I had to change the first location path to the above to avoid an error when reloading/restarting nginx. This config breaks it.

location  / {
        try_files $uri $uri/ /index.php$is_args$args;
}

So could anyone please give me some direction on what is wrong and what I need to do to get it to work?
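An added example, not part of the original post: a simplified Python model of how nginx chooses between the two regex locations in php.conf (tested in config order, first match wins), showing why /info/index.php is sent as a plain file and what the `try_files $uri =404;` guard does for the URI named in the config comments. The file set, the `handle` and `source_exposed` helpers, and the reordered and unguarded variants are assumptions made for illustration.

```python
import re

# Constructed sample document root (not from the original post).
FILES = {"/info/index.php", "/uploads/virusimage.jpg"}

def handle(uri, locations):
    """Model nginx regex locations: tested in config order, first match wins."""
    for modifier, pattern, kind in locations:
        if not re.search(pattern, uri, re.I if modifier == "~*" else 0):
            continue
        if kind == "catch_all":        # try_files $uri ... /index.php
            return "static" if uri in FILES else "fallback"
        if kind == "php_guarded":      # try_files $uri =404; then fastcgi_pass
            return "fastcgi" if uri in FILES else "404"
        return "fastcgi"               # "php_unguarded": no existence check
    return "static"                    # no regex matched

# The two regex locations from php.conf, in the order posted.
AS_POSTED = [("~*", r"/", "catch_all"), ("~", r"\.php$", "php_guarded")]
# Hypothetical variants: PHP location listed first, with and without the guard.
REORDERED = [("~", r"\.php$", "php_guarded"), ("~*", r"/", "catch_all")]
NO_GUARD = [("~", r"\.php$", "php_unguarded"), ("~*", r"/", "catch_all")]

def source_exposed(locations, probes):
    """Probe URIs ending in .php that nginx would send as a plain file."""
    return [u for u in probes
            if u.endswith(".php") and handle(u, locations) == "static"]

if __name__ == "__main__":
    configs = [("as posted", AS_POSTED), ("reordered", REORDERED),
               ("no guard", NO_GUARD)]
    for name, cfg in configs:
        for uri in ["/info/index.php", "/uploads/virusimage.jpg/hello.php"]:
            print(f"{name:10} {uri:36} -> {handle(uri, cfg)}")
```

In the posted order the catch-all `~* /` matches every URI before `\.php$` is tested, so an existing index.php is returned by `try_files` as a static file instead of being passed to php-fpm.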
