Passing / denying PHP requests

Paul N. Pace paulnpace at gmail.com
Fri Oct 25 21:44:57 UTC 2013


Hi Francis, and again thanks for your help in this matter. I would
have responded sooner but the day I was planning to resolve this issue
I had an unseasonably long power outage.

On Wed, Oct 23, 2013 at 11:41 AM, Francis Daly <francis at daoine.org> wrote:
> On Wed, Oct 23, 2013 at 11:32:33AM -0700, Paul N. Pace wrote:
>> On Wed, Oct 23, 2013 at 9:49 AM, Francis Daly <francis at daoine.org> wrote:
>
> Hi there,
>
>> "location ~ php$ { deny all; }" does not deny access to any php files,
>> even when nested in "location ^~ /installdirectory/ {}". The previous
>> configuration "location ~* installdirectory/.*\.php$ { deny all; }"
>> did block access to all php files. The ".*\." - is that why one works
>> and the other doesn't?
>
> I suspect not.
>
> What "location" lines do you have in the appropriate server{} block in
> your config file?

These are the location directives that would apply to the /forums/
directory, the /installdirectory/ of the server block that I'm
currently working on. This is an installation of Vanilla, but I'm
trying to come up with a general template that I can apply to other
packages (not a template as in one single file, but a way to apply
directives to each package I use):

server {

location = /forums/index.php {
    include global-configs/php.conf;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
}

 location ^~ forums/ {
    location ~ php$ { deny all;}
}

#location ~* forums/.*\.php$ {
#    deny all;
#}

location ~* ^/forums/uploads/.*.(html|htm|shtml|php)$ {
        types { }
        default_type text/plain;
}

location /forums/ {
    try_files $uri $uri/ @forum;
    location ~* /categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$ {
        return 404;
    }
}

location @forum {
        rewrite ^/forums/(.+)$ /forums/index.php?p=$1 last;
}
}


>
> What one request do you make?
>
> From that, which one location{} block is used to handle this one request?
>
>> > http://nginx.org/r/location for how the one location{} is chosen to
>> > handle a request.
>>
>> I read through the nginx.org explanation of the location directive,
>> but it isn't helping me with understanding how to build the deny
>> statement.
>
> Do whatever it takes to have these requests handled in a known location{}
> block.
>
> Put the config you want inside that block.

Do you mean that I should single out each php file and create a
location block to deny access to the file?

> If you enable the debug log, you will see lots of output, but it will tell
> you exactly which block is used, if it isn't clear from the "location"
> documentation.

I navigated to /forums/login.php. Here seems to be the pertinent part
of error.log:

2013/10/25 21:39:19 [debug] 2771#0: *1 test location: "forums/"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: "/"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: "phpmyadmin/"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: "forums"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: "/"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: "index.php"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ "/categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ "/\."
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ "~$"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ "piwik/config/"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ "piwik/core/"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ "(piwik/index|piwik/piwik|piwik/js/index)\.php$"
2013/10/25 21:39:19 [debug] 2771#0: *1 test location: ~ "^/forums/uploads/.*.(html|htm|shtml|php)$"
2013/10/25 21:39:19 [debug] 2771#0: *1 using configuration "/forums/"

I'm not sure which location block is "/forums/". The login.php file is
served as a downloadable file.

Thanks!


Paul
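
Added example, not part of the original message: a simplified Python model of how nginx picks one location, run on the location lines from the posted server block, to show why /forums/login.php ends up in the plain "/forums/" prefix block that the debug log reports. The `Loc` class, the `select` and `chosen` functions and the `VARIANT` layout are assumptions made for illustration, and the model only covers regex locations nested inside a prefix location.

```python
import re
from dataclasses import dataclass, field
@dataclass
class Loc:
    mod: str                      # "=", "^~", "" (plain prefix), "~" or "~*"
    pat: str
    nested: list = field(default_factory=list)
    def label(self):
        return f"{self.mod} {self.pat}".strip()

def select(locs, uri):
    """Simplified nginx location choice for one level of a config."""
    for loc in locs:                                   # 1. exact match wins
        if loc.mod == "=" and loc.pat == uri:
            return loc
    prefixes = [l for l in locs if l.mod in ("", "^~") and uri.startswith(l.pat)]
    best = max(prefixes, key=lambda l: len(l.pat), default=None)
    if best is not None:                               # 2. longest matching prefix
        inner = select(best.nested, uri)               #    its nested regexes go first
        if inner is not None:
            return inner
        if best.mod == "^~":                           #    ^~ skips the regex search
            return best
    for loc in locs:                                   # 3. regexes in file order
        if loc.mod in ("~", "~*"):
            flags = re.IGNORECASE if loc.mod == "~*" else 0
            if re.search(loc.pat, uri, flags):
                return loc
    return best                                        # 4. fall back to the prefix

CATEGORIES = Loc("~*", r"/categories/([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$")
UPLOADS = Loc("~*", r"^/forums/uploads/.*.(html|htm|shtml|php)$")

# The server block as posted (the named location @forum takes no part in matching).
POSTED = [
    Loc("=", "/forums/index.php"),
    Loc("^~", "forums/", [Loc("~", "php$")]),          # no leading slash: never a prefix of a URI
    UPLOADS,
    Loc("", "/forums/", [CATEGORIES]),
]

# Hypothetical variant (assumption, not from the thread): slash added, /forums/ blocks merged.
VARIANT = [
    Loc("=", "/forums/index.php"),
    Loc("^~", "/forums/", [Loc("~", "php$"), UPLOADS, CATEGORIES]),
]

def chosen(config, uri):
    return select(config, uri).label()
```

`chosen(POSTED, "/forums/login.php")` returns `/forums/`, the block that only has `try_files`, while in `VARIANT` the same request lands in the nested `~ php$` block that carries `deny all`.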


