<font color="#333399"><font size="2">Hello,<br><br>I juste read <a href="https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/" target="_blank">this article</a> which highlight a common security pitfall to serve PHP files.<br>
I don't see any similar advice in <a href="http://wiki.nginx.org/PHPFcgiExample" target="_blank">your PHP on Fast-CGI tutorial</a> nor <a href="http://wiki.nginx.org/Pitfalls" target="_blank">your pitfalls page</a>.<br>
<br>On the last page, you tell about the problem in the <b>Pass Non-PHP Requests to PHP</b> section, you seem to point in the right direction in the <b>Proxy everything</b> section, but not for the right reasons.<br>
You tell people to use an 'if' to check for file existence, but the use of 'try' is much better, a you know it since you redirect to the IfIsEvil page.<br><br>The article I gave you reference to offers 5 different wys to secure the server. The 'try_files $uri =404;' seems to be a nice way of preventing non-PHP script from being executed, isn't it?<br>
Thanks,<br></font></font><font size="1"><span style="color:rgb(102, 102, 102)">---<br></span><b><span style="color:rgb(102, 102, 102)">B. R.</span></b><span style="color:rgb(102, 102, 102)"></span></font><br clear="all">