<font color="#333399"><font size="2">Your use of the if switch is enlisted in the <a href="http://wiki.nginx.org/Pitfalls">pitfalls page of nginx</a> (see <b>Check IF File Exists</b> section) :o)<br>It is said you should use the try one!<br>
<br>My message was: is using the try switch with the '=404' the right way? If yes can someone add that to the nginx wiki?</font></font><br clear="all"><font size="1"><span style="color:rgb(102,102,102)">---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font><br>
<br><br><div class="gmail_quote">On Tue, Nov 22, 2011 at 14:58, Maxim Khitrov <span dir="ltr"><<a href="mailto:max@mxcrypt.com">max@mxcrypt.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5">On Tue, Nov 22, 2011 at 2:32 PM, B.R. <<a href="mailto:reallfqq-nginx@yahoo.fr">reallfqq-nginx@yahoo.fr</a>> wrote:<br>
> Hello,<br>
><br>
> I just read this article, which highlights a common security pitfall when serving<br>
> PHP files.<br>
> I don't see any similar advice in your PHP on Fast-CGI tutorial nor your<br>
> pitfalls page.<br>
><br>
> On the last page, you tell about the problem in the Pass Non-PHP Requests to<br>
> PHP section, you seem to point in the right direction in the Proxy<br>
> everything section, but not for the right reasons.<br>
> You tell people to use an 'if' to check for file existence, but the use of<br>
> 'try' is much better, as you know, since you redirect to the IfIsEvil page.<br>
><br>
> The article I gave you reference to offers 5 different ways to secure the<br>
> server. The 'try_files $uri =404;' seems to be a nice way of preventing<br>
> non-PHP scripts from being executed, isn't it?<br>
<br>
</div></div>I generally use the following template for serving PHP via FastCGI:<br>
<br>
location ~ \.php$ {<br>
if (!-f $request_filename) { return 404; }<br>
<br>
fastcgi_pass 127.0.0.1:8000;<br>
fastcgi_param SCRIPT_FILENAME $request_filename;<br>
...<br>
}<br>
<br>
The 'if' statement causes 404 to be returned unless the requested file<br>
actually exists. Making sure that people can't upload files ending in<br>
'.php' is a separate matter, but I believe that this configuration<br>
takes care of the security issue described in your first link.<br>
<br>
For the given example, nginx detects that<br>
<a href="http://www.bambookites.com/uploads/random.gif/somefilename.php" target="_blank">http://www.bambookites.com/uploads/random.gif/somefilename.php</a> doesn't<br>
refer to an actual php file, so nothing is passed to the interpreter.<br>
<br>
- Max<br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div><br>
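To put the two guards discussed in the thread side by side, here is an added example (not configuration from either poster's mail): the unchecked location that lets the /uploads/random.gif/somefilename.php request reach PHP, Max's 'if' guard, and the 'try_files $uri =404;' form B.R. asks about. The document root and the PHP-FPM address are assumed placeholders.

```nginx
# Assumed for this example only: document root /var/www/example,
# PHP-FPM listening on 127.0.0.1:8000 (placeholders, not values from the thread).

# 1. Weak: the regex location matches any URI ending in .php and hands it to
#    PHP-FPM without checking that such a file exists. For
#    /uploads/random.gif/somefilename.php, SCRIPT_FILENAME becomes
#    /var/www/example/uploads/random.gif/somefilename.php; with PHP's default
#    cgi.fix_pathinfo=1 the interpreter walks back to the nearest existing
#    path component, /uploads/random.gif, and runs that upload as PHP.
location ~ \.php$ {
    include       fastcgi_params;
    fastcgi_pass  127.0.0.1:8000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

# 2. The guard from Max's template: answer 404 unless the resolved path is a
#    regular file. It closes the hole, but 'if' inside 'location' is the
#    construct the IfIsEvil page warns about.
location ~ \.php$ {
    if (!-f $request_filename) { return 404; }
    include       fastcgi_params;
    fastcgi_pass  127.0.0.1:8000;
    fastcgi_param SCRIPT_FILENAME $request_filename;
}

# 3. Preferred: try_files checks $uri against the filesystem before the
#    request is handed to fastcgi_pass. /uploads/random.gif/somefilename.php
#    is not a file, so nginx itself returns 404 and PHP-FPM never sees it.
location ~ \.php$ {
    try_files     $uri =404;
    include       fastcgi_params;
    fastcgi_pass  127.0.0.1:8000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
```

Whichever guard is used, setting cgi.fix_pathinfo=0 in php.ini stops the interpreter from falling back to a parent path, so both layers have to fail before an uploaded file runs; check the result with `nginx -t` and a request for a nonexistent .php path under a real upload directory.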