PHP files being downloaded on condition
Samael
nginx-forum at nginx.us
Tue Aug 2 07:28:16 UTC 2011
Igor, to cut things short - I'd like to either pass the PHP scripts'
execution to the fcgi processes or prevent them from being downloaded.
In addition, I tried to prevent PHP scripts in common
webserver-writeable directories (of course, this list will be extended)
from being executed in order not to allow user-provided PHP files to be
passed to php-fpm:
if ($uri ~*
\/(images?|system|download|upload|cache|logs?)\/(.*\/)?[0-9a-z]+\.php$)
{
return 404;
}
I set this rule: "location ~ \/[0-9a-zA-Z]+\.php$" in order to evaluate
only PHP files with alphanumeric names as these are the only one valid
from my perspective. Of course the rule may be improved (not allowing a
script beginning with a number to be evaluated), but I don't think that
this is necessary at this point.
"location ~ (/\.|.*conf.*\.php)" - in order to prevent hidden and
configuration files from being exposed.
I hope I didn't do anything stupid, I'm open to suggestions :)
Edho, thank you for your advice, clearing the browser cache did the
trick, but still - I'd like to prevent that happening again by somehow
guarding the PHP scripts from being downloaded because of some
configuration error, for example.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,213229,213236#msg-213236
More information about the nginx
mailing list