Vulnerability in "Proxy Everything" (Wiki article Pitfalls)

genarg nginx-forum at
Wed Apr 6 19:29:57 MSD 2011

I created this conf file following a couple of how-tos on the internet.
I use this template for creating WordPress sites (hence the total cache

#       Server: name.server.tld
#       Client: template        /       Domain: www.domain.tld
#       Revision: 19/3/2011
#
# nginx server block for a WordPress site fronted by the W3 Total Cache page
# cache. This is the excerpt as posted: several lines, regex patterns and
# closing braces are missing, so it is not loadable as-is. The comments below
# describe only what the visible directives do.
server {
	# Answer for both the www and the bare host name.
	server_name www.domain.tld domain.tld;
	# Document root. Note "tamplate" here vs "template" in the blogs.dir root
	# further down -- one of the two looks like a typo; verify against the
	# filesystem before relying on this path.
	root /home/clientes/tamplate/domain.tld;
	index index.php;
	# TLS is disabled in this revision; the cert/key paths are kept for reference.
	#ssl on;
	#ssl_certificate /usr/local/nginx/conf/certs/domain_bundle.crt;
	#ssl_certificate_key /usr/local/nginx/conf/certs/domain.key;
	# Anything that would 404 is handed to the @wordpress named location
	# (the WordPress front controller) instead of returning an error page.
	error_page 404 = @wordpress;
	# Presumably paired with the line above: missing files are routine here.
	log_not_found off;

	# "^~" prefix match: once this matches, regex locations (including the
	# \.php$ one below) are not consulted for the request.
	location ^~ /files/ {
		# The captured path becomes the "file" query argument of ms-files.php;
		# that script, not nginx, is what validates it -- confirm it does.
		rewrite /files/(.+) /wp-includes/ms-files.php?file=$1 last;

# Rewrite minified CSS and JS files (W3TC minify). Only the tail of the
# rewrite survived in this post; the enclosing location and the regex that
# produces $1..$7 are missing.
/wp-content/w3tc/min/index.php?tt=$1&gg=$2&g=$3&t=$7 last;

# Set a variable to work around the lack of nested conditionals.
# $cache_uri is later used as the lookup key into the page cache; setting it
# to 'no cache' makes the cached-file lookup in "location /" miss on purpose.
	set $cache_uri $request_uri;

# POST requests and URLs with a query string should always go to PHP.
# NOTE(review): as pasted, the query-string "if" appears nested inside the
# POST "if" and the closing braces are gone; nginx does not accept a nested
# "if", so these were almost certainly sibling blocks in the original file.
	if ($request_method = POST) {
		set $cache_uri 'no cache';
		if ($query_string != "") {
			set $cache_uri 'no cache';
# Don't cache URIs containing the following segments (the regex is cut off
# in this post, so the exact list is not visible here).
	if ($request_uri ~*
		set $cache_uri "no cache";

# Don't use the cache for logged-in users or recent commenters. Matching on
# $http_cookie (regex cut off here) keeps per-user pages out of the shared cache.
	if ($http_cookie ~*
		set $cache_uri 'no cache';
# Use the cached page if it exists, else the actual file or directory; the
# rest of the try_files line (its final fallback target) is cut off in this post.
	location / {
		try_files /wp-content/w3tc/pgcache/$cache_uri/_index.html $uri $uri/
# Cache static files for as long as possible. The extension regex is missing
# from the post. Regex locations are tried in file order, so this one is
# tested before the /\.ht rule below -- confirm it cannot match a dotfile path.
	location ~*
		# Serve the file directly or return 404 -- never fall through to PHP.
		try_files       $uri =404;
		expires         max;
		access_log      off;
# Deny access to .ht* files (.htaccess, .htpasswd). Case-insensitive and
# matched anywhere in the URI. Other dotfiles (for example /.git/) are not
# covered by this pattern.
	location ~* /\.ht {
		deny            all;
		access_log      off;
		log_not_found   off;
	# Front controller: every request routed here runs index.php, so the
	# executed script path does not depend on the requested URI.
	location @wordpress {
		fastcgi_param SCRIPT_FILENAME $document_root/index.php;
		include fastcgi_params;
		# Set after the include so it takes precedence over whatever
		# SCRIPT_NAME fastcgi_params assigns -- verify with the backend.
		fastcgi_param SCRIPT_NAME /index.php;
	# Direct .php requests. try_files is the guard the "Pitfalls" wiki article
	# recommends: the script is only passed to FastCGI when $uri is an existing
	# file; otherwise the request goes to @wordpress. Without it a request for
	# a non-existent .php path could be resolved by the backend to another file.
	location ~ \.php$ {
		try_files $uri @wordpress;
		fastcgi_index index.php;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		include fastcgi_params;
		# No fastcgi_pass is visible in this excerpt; one is needed for either
		# PHP location to work (possibly lost in the paste).
	# Multisite uploads are served from a different root ("template", not
	# "tamplate" as above). The excerpt ends here; closing braces are missing.
	location ^~ /blogs.dir/ {
		root /home/clientes/template/name/wp-content;
