Allow internal redirect to URI x, but deny external request for x?

Francis Daly francis at daoine.org
Sat Aug 31 07:27:31 UTC 2019 

On Sat, Aug 31, 2019 at 12:21:40AM +0100, Francis Daly wrote:

Hi there,

A few further thoughts here...

> It sounds like your desires are for requests:
> 
>  * starts with /my-app/current/ -> reject
>  * starts with /my-app/releases/ -> reject
>  * matches /my-app/something.php, or /myapp/something.php/anything ->

Typo there -- should be "/my-app/".

But note that the "/my-app/" in the request and the "/my-app/" on the
filesystem do not need to the same. (And also: the filesystem /my-app/
for the php files and the filesystem /my-app/ for other files do not
need to be the same; if you want to keep your "static" and "processed"
content separate.)

> fastcgi-process the file /srv/www/my-app/current/something.php
>  * matches /my-app/something -> just send the file
> /srv/www/my-app/current/something
> 
> Is that correct? If so -- do exactly that.
> 
> For example (but mostly untested):
> 
> ==
>   location ^~ /my-app/current/ { return 200 "nothing to see at /current/\n"; }
>   location ^~ /my-app/releases/ { return 200 "nothing to see at /releases/\n"; }
>   location ^~ /my-app/ {
>     location ~ \.php($|/) {
>       fastcgi_split_path_info ^/my-app(/.*php)(.*);

If there might be more than one "php" in the request, that will split on
"the last one". Perhaps you want to split on "the first one followed by
slash". In that case, adjust the regex:

      fastcgi_split_path_info ^/my-app(/.*?php)($|/.*);

>       root /srv/www/my-app/current/;

You did also show a "if (!-f" config, which is "404 if the matching php
file is not present". That can be:

      try_files $fastcgi_script_name =404;

because we have root and the variable set correctly here.

>       include fastcgi.conf;

Possibly the only bits of that file that you care about are:

      fastcgi_param PATH_INFO $fastcgi_path_info;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

so you could just use those lines directly.

>       fastcgi_pass unix:php.sock;
>     }
>     alias /srv/www/my-app/current/;
>   }
> ==

Cheers,

	f
-- 
Francis Daly        francis at daoine.org

More information about the nginx mailing list