PHP below server root not served

Jim Ohlstein jim at ohlste.in
Thu Jan 9 17:13:01 UTC 2014


Hello,

On 1/9/14, 9:42 AM, nano wrote:
>
> I have attempted several variations of this format[1] you recommend and
> continue to produce a broken site; dialog to download
> application/octet-stream from the main servername.com and a 'File not
> found.' from https://servername.com/phpmyadmin.
>
> [1]
> location  / {
>      try_files $uri $uri/ /index.php?$args;
> }
>
> location ^~ /phpmyadmin {
>      alias /usr/local/www/phpMyAdmin/;
>      index index.php index.html;
>
> location ~ \.php$ {
>      fastcgi_pass unix:/var/run/php-fpm.locatsock;
>      fastcgi_param DOCUMENT_ROOT /usr/local/www/phpMyAdmin;
>      fastcgi_param SCRIPT_FILENAME /usr/local/www/phpMyAdmin/$1;
>      fastcgi_param SCRIPT_FILENAME
> /usr/local/www/site1/wordpress$fastcgi_script_name;
>      fastcgi_param PATH_INFO $fastcgi_script_name;
>      include fastcgi_params;
>    }
> }
>
> I eagerly anticipate a working example if and when you can provide one.
> Thank you.
>

Next to "IfIsEvil" there should be a "DoNotUseAlias (unless necessary)".
Use the "root" directive and nested locations.

location /phpMyAdmin {
	root /usr/local/www;
	index index.php;
	# above probably not necessary as it is inherited from above
	location ~ \.php$ {
		fastcgi_pass ...;
		...
	}
}


A few notes, in no particular order:

You *should* use auth_basic [0] at the very least, as exposing this 
functionality to the world is a very bad idea.

You should consider using "https only" for this script.

If you want to enter phpmyadmin in all lower case in the URL (it is 
easier), do it via rewrite.

Consider turning off access log on at least rewritten requests once you 
know it's working.

Consider using your server's FQDN, not your server name. It's less 
likely potential intruders would guess it, though far from impossible.

Something like (not tested but should get you very close if not there):

server {
	listen 80;
	server_name foo;

	location ^~ /phpmyadmin {
		access_log  off;
		rewrite ^  /phpMyAdmin/ permanent;
	}

	location /phpMyAdmin {
		access_log  off;
		rewrite ^ https://foo$request_uri? break;
	}
  ...

}

server {
	listen 443 ssl;
	server_name foo;

	ssl_certificate  /path/to/cert;
	ssl_certificate_key /path/to/key;

	...

	location ^~ /phpmyadmin {
		access_log  off;
		rewrite ^  /phpMyAdmin/ permanent;
	}

	location /phpMyAdmin {
		auth_basic "Blah";
		auth_basic_user_file /path/to/auth/file;
		# access_log  off;	# optional
		location ~ \.php$ {
			fastcgi_pass ...;
			include fastcgi_params;
			fastcgi_index  index.php;
			fastcgi_param  HTTPS on;
		}
	}
}


[0] http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
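The advice in this reply assembled into one config, as an added example that is not the author's own configuration: root plus a nested location instead of alias, auth_basic behind TLS only, the lower-case redirect, and an explicit SCRIPT_FILENAME so PHP-FPM is handed the phpMyAdmin path rather than the WordPress one. It assumes the host name foo and the paths quoted in the thread (/usr/local/www/phpMyAdmin, /usr/local/www/site1/wordpress); the PHP-FPM socket path is a placeholder.

```nginx
# Added example, not from the original post. Assumed: host name foo,
# phpMyAdmin in /usr/local/www/phpMyAdmin, WordPress in
# /usr/local/www/site1/wordpress, placeholder PHP-FPM socket path.
server {
    listen 80;
    server_name foo;
    # plain http only redirects; phpMyAdmin (and its Basic-auth credentials) never travel in the clear
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name foo;
    ssl_certificate     /path/to/cert;
    ssl_certificate_key /path/to/key;

    root  /usr/local/www/site1/wordpress;
    index index.php index.html;

    # accept the all-lower-case spelling and keep the rest of the URI
    location ^~ /phpmyadmin {
        access_log off;
        rewrite ^/phpmyadmin(.*)$ /phpMyAdmin$1 permanent;
    }

    # ^~ is required: without it the server-level "~ \.php$" regex location
    # below wins for /phpMyAdmin/index.php and resolves it under the WordPress root
    location ^~ /phpMyAdmin {
        # root, not alias: /phpMyAdmin/index.php -> /usr/local/www/phpMyAdmin/index.php
        root /usr/local/www;
        auth_basic           "Restricted";
        auth_basic_user_file /path/to/auth/file;   # htpasswd-format file

        location ~ \.php$ {
            include        fastcgi_params;
            fastcgi_index  index.php;
            # $document_root is inherited from the enclosing location, so this
            # is the phpMyAdmin tree, not the WordPress one
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param  HTTPS on;
            fastcgi_pass   unix:/path/to/php-fpm.sock;   # placeholder socket path
        }
    }

    # ... WordPress locations (try_files etc.) go here
    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param  HTTPS on;
        fastcgi_pass   unix:/path/to/php-fpm.sock;
    }
}
```

The stock fastcgi_params shipped with nginx does not set SCRIPT_FILENAME (fastcgi.conf does), which is why it is set explicitly after the include.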
	
-- 
Jim Ohlstein
