Can't figure out secure PHP incantation for owncloud...

Ed W lists at wildgooses.com
Wed Jan 2 11:18:21 UTC 2013 

Hi, I'm using php-fpm to run an "owncloud" install.  The application in 
question is a bit icky in that it has PHP files spread across the 
filesystem, uploadable data files in the htdocs root, all PHP files 
default to writeable (erk) and there is extensive use of both path_info 
and parameters. I'm struggling to figure out a a secure implementation 
for the php execution which guarantees that the PHP files in question 
exist and aren't in the upload directory.

So example (expected) php URLs would be:

# with path_info and params
(index|remote|public|status).php/some/long/path?possibly=withparams
(public|remote|index).php?some=params
# scattered around the filesystem in various (limited) subdirs
(apps|search|core)/.*/.*\.php?some=params

# needing default index file (grr)
/?app=gallery&getfile=ajax%2Fthumbnail.php&filepath=blah

# to return asset files (eek?)
/remote.php?core.css
/remote.php/core.css


I'm struggling to figure out how to use try_files to ensure that the php 
file in question really exists, because it seems like using try_files 
changes the URI and removes the path_info part?

(Also note that some asset files are returned by php scripts and we 
desire to match those urls and set various expiry/cache times on them.)

At present I have:

fastcgi2.conf is a copy of fastcgi.conf with one change:
fastcgi_param  REQUEST_URI        $uri$is_args$args;


nginx config:

         server {
                 listen 443;
                 server_name cloud.example.com;

                 ssl on;
                 ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
                 ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;

                 access_log /var/log/nginx/cloud.example.com.access_log 
main;
                 error_log /var/log/nginx/cloud.example.com.error_log info;

                 root /var/www/$server_name/htdocs;

                 client_max_body_size 1200M;
                 fastcgi_buffers 64 4K;

                 index index.php;

                 location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
                         deny all;
                 }

                 location / {
                         rewrite ^/.well-known/host-meta 
/public.php?service=host-meta last;
                         rewrite ^/.well-known/carddav 
/remote.php/carddav/ redirect;
                         rewrite ^/.well-known/caldav 
/remote.php/caldav/ redirect;

                         try_files $uri $uri/ index.php;
                 }

                 location ~ ^(?P<script_name>.+\.php)(/|$) {
                         fastcgi_split_path_info ^(.+\.php)(/.*)$;
                         if (!-f $script_name) {
                                 #return 404;
                                 break;
                         }
                         include fastcgi2.conf;
                         fastcgi_pass 127.0.0.1:9000;
                 }

                 location ~* ^.+.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
                         expires 30d;
                         access_log off;
                 }

         }


Can anyone please help me do better with the php section? In particular 
for some reason if I use "return 404" then the app breaks, seems like 
the URL paths get messed up (why?), however, leaving it as is, then 
missing files return a 403 response...

Thanks for any help (I guess it can go on the wiki once thrashed out?)

Ed W

More information about the nginx mailing list