nginx - php-fpm: access restrictions for some php pages

Francis Daly francis at daoine.org
Thu Jan 31 19:52:09 UTC 2013


On Thu, Jan 31, 2013 at 09:12:07AM -0500, m.desantis wrote:

> An extra information which would have been useful to me is a configuration
> code example, because is less prone to misunderstandings by me (due to my
> comprehension skills), or maybe some link about the matter I submitted (if
> known), because I couldn't find on the web any infos about the needings I
> have

What documentation did you find your current configuration in? If it is
something on the nginx.org domain, then possibly it can be adjusted to
be clearer for the next person.

> (maybe just because the solution is trivial).

The solution is straightforward when you know how nginx works.

One request is handled in one location. Whatever configuration you want
to apply to a specific request must be available in the location which
handles that request. (There are some subtleties where one client http
request can become multiple nginx requests.)

I find it easier to keep the locations simple. To me, that means separate
locations for separate configurations.

> Anyway, I have a doubt: in the previous reply you sent, you say

> > location = /some/path/phpinfo.php {
> > }

> > In *that* location, put all of the configuration that you want for
> > that request.
> 
> So I think you mean something like this:
> 
> location = /some/path/phpinfo.php {
> # common configurations...
> # configuration for some children urls...
> }

Yes. Inside that location block, put your allow and deny directives. And
also put your fastcgi directives.

The fastcgi directives are possibly only something like:

  fastcgi_pass unix:/var/run/php5-fpm.sock;
  include fastcgi_params;
  fastcgi_param SCRIPT_FILENAME /some/path/some/path/phpinfo.php

This location, because of the =, will only handle one type of http
request. The query string part, after the ?, can vary. But the rest of
the http request is fixed. There are no other urls that will match
this location.

> I found that a nested locations configuration works too:
> 
> location ~  ^\/some\/path\/(.*\.php)$ {
> # configuration for some children urls...
> location ~ \/phpinfo\.php$ {
> # common configurations...
> }
> }

There isn't enough actual example configuration there to know for sure,
but it looks to me like that will not do what you want.

> Of the two options I would prefer the last, because I avoid to write two
> different configurations equal between each other, which would imply that
> every
> time I change one configuration I have to duplicate it into the other
> location

For me, doing that is a *good* thing. When you're changing the
configuration, you should know why you are doing it. search-and-replace
should allow you to verify that you are changing all and only what you
mean to change without too much extra work.

> (but above all I have a loss of logic). Do you have some considerations
> which
> maybe I miss about the difference between the two configurations?

One works; the other doesn't?

You can probably make the nested location do what you want by adding a
few more lines to it. It might be a useful exercise to do that, and then
compare the two working configurations.

(You can possibly tidy the "main" php configuration too -- there aren't
many requests which would lead to your "fastcgi_split_path_info" or
"fastcgi_index" directives making a difference.)

	f
-- 
Francis Daly        francis at daoine.org



More information about the nginx mailing list