Confusion over apparently conflicting advice in guide/wiki/examples

Francis Daly francis at daoine.org
Tue Mar 4 21:40:47 UTC 2014


On Tue, Mar 04, 2014 at 03:51:36PM -0500, talkingnews wrote:

Hi there,

continuing from my previous mail...

> > There is no such DOCUMENT_URI server variable in PHP
> > The nginx wiki has not the reputation of being a trustable source
> 
> I know you say not to trust the wiki (it appears in
> http://wiki.nginx.org/PHPFcgiExample) but it also is in the standard install
> of nginx on ubuntu which comes with an /etc/nginx/fastcgi_params file
> containing
> fastcgi_param   DOCUMENT_URI            $document_uri;
> 
> Perhaps it should not even be there? Should I report it as a possible error
> to the Ubuntu package maintainers?

nginx is the fastcgi client. It can send any key/value pairs to the
fastcgi server. If you read the fastcgi spec, you'll see that certain keys
are expected to exist. And if you read your fastcgi server documentation,
you'll see that certain keys are heeded. Those lists of keys may not
be identical.

A lot of the fastcgi_params file seems to be things that some common
fastcgi servers and/or the code they run will typically make use of. They
are things added to be helpful in some cases, which are unlikely to ever
be harmful.

Perhaps your fastcgi server will be happy with just "fastcgi_param
SCRIPT_FILENAME /tmp/env.php", and with no other fastcgi_param values
at all. Or perhaps it ignores SCRIPT_FILENAME and instead uses some
different keys to identify the file to be processed.

And perhaps your next fastcgi server will do something different.

You must configure your nginx to say whatever your fastcgi server needs
to hear. Many of the "default" params are to make it Just Work with
different servers. (I think.)

> So, you can understand my confusion here! PHP says leave it on. You say
> leave it on. Nginx standard install and wiki says turn it off so that nginx
> doesn't keep trying files.

No. nginx doesn't keep trying files. The fastcgi server might, but that's
a "fix your fastcgi server" issue.

> So what I meant was that setting cgi.fix_pathinfo = 1 may leave this
> security gap of executing unwanted code.

...in the php interpreter.

Not in nginx. Fix php problems in php, and things will be easier.

Cheers,

	f
-- 
Francis Daly        francis at daoine.org
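The configuration below is an added example illustrating the points made in this reply; it is not from the thread, the nginx wiki, or the Ubuntu package. It sends the FastCGI server the one key it needs (SCRIPT_FILENAME) alongside the stock fastcgi_params file, and has nginx answer 404 for a missing script before anything reaches the interpreter, so cgi.fix_pathinfo has nothing to reinterpret. The socket path, document root, and hostname are assumed placeholders.

```nginx
# Added example (not from the thread). Assumptions: php-fpm listens on
# /run/php/php-fpm.sock and the site lives under /var/www/example;
# both paths are placeholders.

server {
    listen 80;
    server_name example.test;          # constructed hostname
    root /var/www/example;             # assumed document root

    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        # nginx itself never "keeps trying files". This single check makes
        # nginx return 404 when the requested script does not exist, so the
        # FastCGI server never receives a SCRIPT_FILENAME pointing at a
        # non-existent path (the input that cgi.fix_pathinfo=1 would
        # otherwise split and resolve to a different file).
        try_files $uri =404;

        # The stock fastcgi_params (DOCUMENT_URI and friends) is harmless to
        # include: a FastCGI server ignores keys it does not use.
        include fastcgi_params;

        # The key PHP-FPM actually heeds: which script to execute.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

This is the nginx side of "say whatever your fastcgi server needs to hear". The PHP side of "fix php problems in php" is `cgi.fix_pathinfo = 0` in php.ini, which makes the interpreter stop reinterpreting a SCRIPT_FILENAME it cannot find; the two measures are independent, and either one on its own closes the gap the thread discusses.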