PHP Fast-CGI security pitfall

B.R. reallfqq-nginx at
Tue Nov 22 19:32:52 UTC 2011


I just read this article, which highlights a common security pitfall when serving PHP files.
I don't see any similar advice in your PHP on Fast-CGI
tutorial <> nor on your
pitfalls page <>.

On the last page, you talk about the problem in the *Pass Non-PHP Requests
to PHP* section; you seem to point in the right direction in the *Proxy
everything* section, but not for the right reasons.
You tell people to use an 'if' to check for file existence, but the use of
'try' is much better, as you know, since you redirect to the IfIsEvil page.

The article I referred you to offers 5 different ways to secure the
server. The 'try_files $uri =404;' seems to be a nice way of preventing
non-PHP scripts from being executed, isn't it?
*B. R.*
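As an added illustration of the `try_files $uri =404;` guard the post recommends (this is example configuration written for this page, not code from the original post or from the nginx wiki pages it refers to), here is a FastCGI location block without the check beside one with it. The document root, hostname and the php-fpm address 127.0.0.1:9000 are assumed values; `fastcgi_params` is the stock parameter file shipped with nginx.

```nginx
# Added example; assumed values: root /var/www/example, host example.test,
# php-fpm listening on 127.0.0.1:9000.

server {
    listen 80;
    server_name example.test;   # assumed hostname
    root /var/www/example;      # assumed document root

    index index.php index.html;

    # --- Pitfall: a regex match on ".php" only inspects the URI string.
    #     Nothing checks that the file actually exists on disk before the
    #     request is handed to php-fpm, and with PHP's default
    #     cgi.fix_pathinfo=1 PHP will walk back along SCRIPT_FILENAME to
    #     find something to run, so a non-PHP file under the web root can
    #     end up being interpreted as PHP. Left commented out on purpose.
    #
    # location ~ \.php$ {
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_pass 127.0.0.1:9000;
    # }

    # --- Hardened: try_files requires the exact requested path to exist
    #     as a regular file (resolved against "root") before anything is
    #     passed to FastCGI. If it does not, nginx answers 404 itself and
    #     php-fpm never sees the request.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }

    # Everything else is served as static content; nothing here reaches PHP.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Two caveats worth knowing when applying this: `try_files` resolves `$uri` against the location's `root`, so it does not behave as intended in a location that uses `alias`; and the nginx-side check is best paired with hardening in php-fpm itself (`cgi.fix_pathinfo=0` in php.ini, or the pool-level `security.limit_extensions` setting available in php-fpm 5.3.9 and later), so that the interpreter refuses to execute anything that is not a `.php` file even if a misconfigured location block lets a request through.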
