PHP Fast-CGI security pitfall

Maxim Khitrov max at
Tue Nov 22 19:58:07 UTC 2011

On Tue, Nov 22, 2011 at 2:32 PM, B.R. <reallfqq-nginx at> wrote:
> Hello,
> I just read this article, which highlights a common security pitfall when serving
> PHP files.
> I don't see any similar advice in your PHP on Fast-CGI tutorial nor your
> pitfalls page.
> On the last page, you tell about the problem in the Pass Non-PHP Requests to
> PHP section, you seem to point in the right direction in the Proxy
> everything section, but not for the right reasons.
> You tell people to use an 'if' to check for file existence, but the use of
> 'try' is much better, as you know, since you redirect to the IfIsEvil page.
> The article I gave you a reference to offers 5 different ways to secure the
> server. The 'try_files $uri =404;' seems to be a nice way of preventing
> non-PHP scripts from being executed, isn't it?

I generally use the following template for serving PHP via FastCGI:

location ~ \.php$ {
    # -f is true only for an existing regular file, so a path such as
    # /uploads/pic.jpg/x.php (which matches the regex but does not exist) gets a 404
    if (!-f $request_filename) { return 404; }

    fastcgi_param SCRIPT_FILENAME $request_filename;
    # ... fastcgi_pass and the remaining fastcgi_* directives follow (cut off in the quoted message)
}

The 'if' statement causes 404 to be returned unless the requested file
actually exists. Making sure that people can't upload files ending in
'.php' is a separate matter, but I believe that this configuration
takes care of the security issue described in your first link.

For the given example, nginx detects that doesn't
refer to an actual php file, so nothing is passed to the interpreter.

- Max
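A small Python model of the `location ~ \.php$` / `if (!-f $request_filename)` decision from the reply above, added here as an illustration (it is not nginx code, not part of the original thread, and uses a constructed temporary document root). It shows which URIs are answered with 404 and which reach FastCGI, including the case where `.php` is appended to the path of a real non-PHP file.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit

# Constructed document root for the demo: one real PHP script and one upload.
DOCROOT = tempfile.mkdtemp()
os.makedirs(os.path.join(DOCROOT, "uploads"))
for rel in ("index.php", "uploads/pic.jpg"):
    with open(os.path.join(DOCROOT, rel), "w") as f:
        f.write("sample content")


def request_filename(uri: str) -> str:
    """Model of nginx's $request_filename: document root joined with the
    normalized $uri (query string dropped, %xx decoded, '..' and '//' collapsed)."""
    path = unquote(urlsplit(uri).path)
    norm = os.path.normpath("/" + path)
    return os.path.join(DOCROOT, norm.lstrip("/"))


def route(uri: str):
    r"""Model of:
        location ~ \.php$ {
            if (!-f $request_filename) { return 404; }
            fastcgi_param SCRIPT_FILENAME $request_filename;
            ...
        }
    Returns ("static", None), ("404", None) or ("fastcgi", SCRIPT_FILENAME)."""
    path = os.path.normpath("/" + unquote(urlsplit(uri).path))
    if not path.endswith(".php"):
        return ("static", None)            # not handled by the PHP location
    fname = request_filename(uri)
    if not os.path.isfile(fname):          # nginx -f: true only for a regular file
        return ("404", None)
    return ("fastcgi", fname)              # this is what PHP would receive


if __name__ == "__main__":
    for u in ("/index.php", "/index.php?a=1", "/uploads/pic.jpg",
              "/uploads/pic.jpg/x.php", "/missing.php", "/../index.php"):
        print(f"{u:28} -> {route(u)}")
```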
