PHP below server root not served
Jim Ohlstein
jim at ohlste.in
Thu Jan 9 17:13:01 UTC 2014
Hello,
On 1/9/14, 9:42 AM, nano wrote:
>
> I have attempted several variations of this format[1] you recommend and
> continue to produce a broken site; dialog to download
> application/octet-stream from the main servername.com and a 'File not
> found.' from https://servername.com/phpmyadmin.
>
> [1]
> location / {
> try_files $uri $uri/ /index.php?$args;
> }
>
> location ^~ /phpmyadmin {
> alias /usr/local/www/phpMyAdmin/;
> index index.php index.html;
>
> location ~ \.php$ {
> fastcgi_pass unix:/var/run/php-fpm.locatsock;
> fastcgi_param DOCUMENT_ROOT /usr/local/www/phpMyAdmin;
> fastcgi_param SCRIPT_FILENAME /usr/local/www/phpMyAdmin/$1;
> fastcgi_param SCRIPT_FILENAME
> /usr/local/www/site1/wordpress$fastcgi_script_name;
> fastcgi_param PATH_INFO $fastcgi_script_name;
> include fastcgi_params;
> }
> }
>
> I eagerly anticipate a working example if and when you can provide one.
> Thank you.
>
Next to "IfIsEvil" there should be a "DoNotUseAlias (unless necessary)".
Use the "root" directive and nested locations:
location /phpMyAdmin {
    root /usr/local/www;
    index index.php;
    # above probably not necessary as it is inherited from above
    location ~ \.php$ {
        fastcgi_pass ...;
        ...
    }
}
A few notes, in no particular order:
You *should* use auth_basic [0] at the very least as exposing this
functionality to the world is a very bad idea.
You should consider using "https only" for this script.
If you want to enter phpmyadmin in all lower case in the URL (it is
easier), do it via rewrite.
Consider turning off access log on at least rewritten requests once you
know it's working.
Consider using your server's FQDN, not your server name. It's less
likely potential intruders would guess it, though far from impossible.
Something like (not tested but should get you very close if not there):
server {
    listen 80;
    server_name foo;
    location ^~ /phpmyadmin {
        access_log off;
        rewrite ^ /phpMyAdmin/ permanent;
    }
    location /phpMyAdmin {
        access_log off;
        rewrite ^ https://foo$request_uri? break;
    }
    ...
}
server {
    listen 443 ssl;
    server_name foo;
    ssl_certificate /path/to/cert;
    ssl_certificate_key /path/to/key;
    ...
    location ^~ /phpmyadmin {
        access_log off;
        rewrite ^ /phpMyAdmin/ permanent;
    }
    location /phpMyAdmin {
        auth_basic "Blah";
        auth_basic_user_file /path/to/auth/file;
        # access_log off; # optional
        location ~ \.php$ {
            fastcgi_pass ...;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param HTTPS on;
        }
    }
}
[0] http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
--
Jim Ohlstein
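Why "alias" breaks PHP-FPM here, as an added, constructed Python model that is not code from the thread or from nginx: it builds SCRIPT_FILENAME the way the quoted config does, from $document_root and $fastcgi_script_name, and compares it with the file nginx actually maps the request to. The alias/root values, location prefixes and URIs are the ones from the thread.

```python
# Constructed model (not nginx code) of the two variables behind the common
# "fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;" line.
# It follows nginx's documented meanings: $document_root is the root *or alias*
# value in effect, and $fastcgi_script_name is the request URI with the index
# file appended when the URI ends in "/".

INDEX = "index.php"


def fastcgi_script_name(uri: str) -> str:
    """$fastcgi_script_name: the request URI, plus the index file for directory URIs."""
    return uri + INDEX if uri.endswith("/") else uri


def file_on_disk(directive: str, value: str, prefix: str, uri: str) -> str:
    """The file nginx itself maps the request to (what a static lookup would open)."""
    uri = fastcgi_script_name(uri)            # the index module supplies index.php for "/"
    if directive == "root":
        return value + uri                    # root: path = root value + full URI
    if directive == "alias":
        return value + uri[len(prefix):]      # alias: the matched prefix is replaced
    raise ValueError(f"unknown directive {directive!r}")


def script_filename(directive: str, value: str, uri: str) -> str:
    """SCRIPT_FILENAME as the quoted config builds it: $document_root$fastcgi_script_name."""
    document_root = value                     # same for root and alias: the directive's value
    return document_root + fastcgi_script_name(uri)


def php_fpm_finds_script(directive: str, value: str, prefix: str, uri: str) -> bool:
    """PHP-FPM answers 'File not found.' unless SCRIPT_FILENAME names the real file."""
    return script_filename(directive, value, uri) == file_on_disk(directive, value, prefix, uri)


if __name__ == "__main__":
    cases = [
        # nano's original: alias inside "location ^~ /phpmyadmin"
        ("alias", "/usr/local/www/phpMyAdmin/", "/phpmyadmin", "/phpmyadmin/index.php"),
        # Jim's suggestion: root, with the directory name kept in the URI
        ("root", "/usr/local/www", "/phpMyAdmin", "/phpMyAdmin/index.php"),
    ]
    for directive, value, prefix, uri in cases:
        print(f"{directive:5} SCRIPT_FILENAME={script_filename(directive, value, uri)}"
              f"  found={php_fpm_finds_script(directive, value, prefix, uri)}")
```

With alias, SCRIPT_FILENAME still carries the "/phpmyadmin" prefix that alias was supposed to strip, so PHP-FPM is handed a path that does not exist; with root the two paths agree.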