PHP files being downloaded on condition

Samael nginx-forum at
Tue Aug 2 07:28:16 UTC 2011

Igor, to cut things short - I'd like to either pass the PHP scripts'
execution to the fcgi processes or prevent them from being downloaded.

In addition, I tried to prevent PHP scripts in common
webserver-writeable directories (of course, this list will be extended)
from being executed in order not to allow user-provided PHP files to be
passed to php-fpm:

if ($uri ~*
return 404;

I set this rule: "location ~ \/[0-9a-zA-Z]+\.php$" in order to evaluate
only PHP files with alphanumeric names as these are the only one valid
from my perspective. Of course the rule may be improved (not allowing a
script beginning with a number to be evaluated), but I don't think that
this is necessary at this point.

"location ~ (/\.|.*conf.*\.php)" - in order to prevent hidden and
configuration files from being exposed.

I hope I didn't do anything stupid, I'm open to suggestions :)

Edho, thank you for your advice, clearing the browser cache did the
trick, but still - I'd like to prevent that happening again by somehow
guarding the PHP scripts from being downloaded because of some
configuration error, for example.

Posted at Nginx Forum:,213229,213236#msg-213236

More information about the nginx mailing list