Hi,
I have a largely working NGINX config as below. The only problem is that when "/administrator" or "/administrator/" or "administrator/foo.php" is called, I always get prompted to download the PHP file rather than it be executed by PHP FPM. Meanwhile, calls to "/" or "/foo.php" operate as expected (i.e. executed correctly by PHP FPM).
Thanks in advance for you help
Laura
#### CONFIG START
server {
listen 192.0.2.43:80;
listen [2001:db8:69d0:723c:1cba::1173]:80;
server_tokens off;
server_name example.com www.example.com ;
if ($request_method !~ ^(GET|HEAD)$ )
{
return 405;
}
return 301 https://example.com$request_uri;
}
server {
listen 192.0.2.43:443 ssl http2;
listen [2001:db8:69d0:723c:1cba::1173]:443 ssl http2;
server_tokens off;
server_name example.com www.example.com ;
root /usr/share/nginx/foo;
index index.php index.html index.htm default.html default.htm;
ssl_certificate /etc/ssl/example.com/example.com.pem;
ssl_certificate_key /etc/ssl/example.com/example.com.key;
ssl_dhparam /etc/ssl/example.com/example.com.dhp;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA2$
-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/example.com/example.com.chain;
resolver 198.51.100.25 203.0.113.25 [2001:db8::aaaa:20] [2001:db8::aaaa:25];
gzip on;
gzip_vary on;
gzip_comp_level 5;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/html text/plain text/css text/javascript application/x-javascript;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "referrer no-referrer";
add_header Referrer-Policy "no-referrer";
add_header Cache-Control private,max-age=300,no-transform;
expires 300;
if ($request_method !~ ^(GET|HEAD|POST|)$ )
{
return 405;
}
location /log {
return 403;
}
location /logs {
return 403;
}
location ^~ /administrator/ {
limit_except GET HEAD POST {
deny all;
}
try_files $uri /index.php /index.html;
auth_basic "Hello";
auth_basic_user_file /etc/nginx/salt_htpasswd/htpasswd_foo;
}
location / {
try_files $uri $uri/ /index.php$is_args$args;
if ($query_string ~ "base64_encode[^(]*\([^)]*\)"){
return 403;
}
if ($query_string ~* "(<|%3C)([^s]*s)+cript.*(>|%3E)"){
return 403;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})"){
return 403;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})"){
return 403;
}
auth_basic "Hello";
auth_basic_user_file /etc/nginx/salt_htpasswd/htpasswd_foo;
}
# PHP config from https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
limit_except GET HEAD POST {
deny all;
}
}
}#### CONFIG END