httptunnel and nginx

António P. P. Almeida appa at perusio.net
Mon Jan 10 20:24:06 MSK 2011


On 10 Jan 2011 16h45 WET, nginx-forum at nginx.us wrote:

Going off on a tangent, if you're using this config (also) for Drupal,
you're exposed to a lot of potential security holes.

The configuration is quite messy. How many locations and regexes are
needed for making a request? There's an example config along these
lines in the current Debian nginx package for Nginx on the unstable
release. I've procrastinated opening a bug report because of this
messy config because I no longer use the Debian package, but roll my
own instead. But something must be done to stop this ugliness from
spreading like wildfire.

You can get a better config by visiting the group
http://groups.drupal.org/nginx and checking out what's discussed
there.

It doesn't solve your tunnel issue, but takes care of security
issues. 

If you're not using this for Drupal then just ignore my rant.
--- appa

> and I configure nginx like this (file /etc/nginx/site-avaible/default):
> server {
> 	listen 80; ## listen for ipv4; this line is default and implied
> 	#listen   8080; ## listen for ipv4; this line is default and implied
> 	listen   [::]:80 default ipv6only=on; ## listen for ipv6
>
> 	#root /usr/share/nginx/www;
> 	root /var/www;
> 	index index.html index.htm index.php;
>
> 	# Make site accessible from http://localhost/
> 	server_name barmic.fr barmic.42;
>
> 	location / {
> 		# First attempt to serve request as file, then
> 		# as directory, then fall back to index.html
> 		try_files $uri $uri/ /index.html;
> 	}
>
> ## Indefero
> location /indefero {
> 	  root /var/www/indefero;
> 	  index index.php;
>
> #rewrite rules for indefero
> if (-e $request_filename) {
> break;
> }
> rewrite ^(.*)$ /index.php?_pluf_action=/$1 last;
> }
>
> #location /blog {
> 	#  root /home/barmic/blog;
> 	#  index index.html;
> #}
>
> 	location /doc {
> 		root /usr/share;
> 		autoindex on;
> 		allow 127.0.0.1;
> 		deny all;
> 	}
>
> 	location /images {
> 		root /usr/share;
> 		autoindex off;
> 	}
>
> 	#error_page 404 /404.html;
>
> 	# redirect server error pages to the static page /50x.html
> 	#
> 	#error_page 500 502 503 504 /50x.html;
> 	#location = /50x.html {
> 	#	root /usr/share/nginx/www;
> 	#}
>
> 	# pass the PHP scripts to FastCGI server listening on
> 	# 127.0.0.1:9000
> 	#
> 	#location ~ \.php$ {
> 	#	fastcgi_pass 127.0.0.1:9000;
> 	#	fastcgi_index index.php;
> 	#	include fastcgi_params;
> 	#}
>
> # This block adds a little security.
> # See /usr/share/doc/nginx/examples/drupal for context
> location ~ \..*/.*\.php$ {
> 	  return 403;
> }
>
> # This is basic PHP block that can be used to handle all PHP requests.
> # See /usr/share/doc/nginx/examples/drupal for context
> location ~ \.php$ {
> 	  fastcgi_split_path_info ^(.+\.php)(/.+)$;
> 	  include fastcgi_params;
> # Intercepting errors will cause PHP errors to appear in Nginx logs
> 	  fastcgi_intercept_errors on;
> 	  fastcgi_pass unix:/tmp/phpcgi.socket;
> }
>
> 	# deny access to .htaccess files, if Apache's document root
> 	# concurs with nginx's one
> 	#
> 	#location ~ /\.ht {
> 	#	deny all;
> 	#}
> }
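
An added example, not part of the thread or of the Drupal group's configuration: a small audit that lists `location` blocks which hand requests to `fastcgi_pass` without first confirming the script exists on disk, a check commonly recommended for PHP locations like the one quoted above. The function name, the sample config and its third location are assumptions made for the illustration.

```python
import re

# Constructed sample: the two PHP locations from the quoted config, plus a
# hypothetical third location with an existence check for contrast.
SAMPLE = r"""
server {
    root /var/www;
    location ~ \..*/.*\.php$ {
        return 403;
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }
    location ~ ^/checked/.+\.php$ {
        try_files $uri =404;   # hypothetical hardened variant
        include fastcgi_params;
        fastcgi_pass unix:/tmp/phpcgi.socket;
    }
}
"""

def unchecked_fastcgi_locations(conf):
    """Return patterns of locations that fastcgi_pass with no file-existence check.

    Simplified parser: assumes '#' only starts comments and that regexes
    contain no ';', '{' or '}' characters.
    """
    conf = re.sub(r"#.*", "", conf)
    stack, findings = [], []
    for text, delim in re.findall(r"([^;{}]*)([;{}])", conf):
        text = " ".join(text.split())
        if delim == "{":
            stack.append((text, []))          # (block header, directives)
        elif delim == ";" and stack:
            stack[-1][1].append(text)
        elif delim == "}" and stack:
            head, directives = stack.pop()
            if head.startswith("if ") and stack:
                stack[-1][1].append(head)     # let the parent see its if-tests
            passes = any(d.startswith("fastcgi_pass ") for d in directives)
            checked = any(d.startswith("try_files ") or d.startswith("if (!-f ")
                          for d in directives)
            if head.startswith("location ") and passes and not checked:
                findings.append(head[len("location "):])
    return findings

if __name__ == "__main__":
    for pattern in unchecked_fastcgi_locations(SAMPLE):
        print("fastcgi_pass without existence check: location", pattern)
```

A finding is a prompt to review the block by hand; the heuristic only recognises `try_files` and `if (!-f ...)` as existence checks.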



