Equivalent of Apache's SetEnv Variable
Igor Sysoev
igor at sysoev.ru
Thu Aug 5 11:26:46 MSD 2010
On Thu, Aug 05, 2010 at 12:01:38AM -0700, Michael Shadle wrote:
> Yeah I expect nginx to only be aware of the filesystem it has access to. So open_file_cache saves stat calls? How do you invalidate the cache if a file is removed? Or if I put a new file that wasn't there I want it to instantly show up not 404 for a while? Apologies if you've covered this already.
open file cache entries are valid for open_file_cache_valid time, 60s
by default. If you want to cache file errors such as "not found", you may
set open_file_cache_errors on.
> On Aug 4, 2010, at 11:38 PM, Igor Sysoev <igor at sysoev.ru> wrote:
>
> > On Wed, Aug 04, 2010 at 02:48:07PM -0700, Michael Shadle wrote:
> >
> >> On Wed, Aug 4, 2010 at 2:44 PM, Ed W <lists at wildgooses.com> wrote:
> >>
> >>> However, all the default configs that I have seen for PHP setups on the
> >>> wiki, etc, seem insecure to my mind. They nearly all point *all* files
> >>> named xx.php to be processed by the your php interpreter. Coupled with
> >>> nearly all non trivial applications having some "upload" feature this allows
> >>> a gaping potential issue to upload arbitrary files named xx.php and you are
> >>> allowing arbitrary code to be uploaded...
> >>
> >> Someone just posted this on my blog:
> >>
> >> location ~ \.php$ {
> >> ....
> >> try_files $uri =404;
> >> ...
> >> }
> >>
> >> exploit http://site.ru/images/as5df3.jpeg/.php
> >>
> >> might be an interesting approach, haven't tried it yet. would this add
> >> an additional stat call or two though for every PHP request, Igor?
> >
> > Yes, it adds a stat() syscall, however, it can be eliminated with
> > open_file_cache. Note also, that it works only if nginx and php are
> > on the same host.
> >
> >
> > --
> > Igor Sysoev
> > http://sysoev.ru/en/
> >
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > http://nginx.org/mailman/listinfo/nginx
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx
--
Igor Sysoev
http://sysoev.ru/en/
More information about the nginx
mailing list