PHP below server root not served
nano
nanotek at bsdbox.co
Thu Jan 9 17:28:58 UTC 2014
On 10/01/2014 4:13 AM, Jim Ohlstein wrote:
> Hello,
>
> On 1/9/14, 9:42 AM, nano wrote:
>>
>> I have attempted several variations of this format[1] you recommend and
>> continue to produce a broken site; dialog to download
>> application/octet-stream from the main servername.com and a 'File not
>> found.' from https://servername.com/phpmyadmin.
>>
>> [1]
>> location / {
>>     try_files $uri $uri/ /index.php?$args;
>> }
>>
>> location ^~ /phpmyadmin {
>>     alias /usr/local/www/phpMyAdmin/;
>>     index index.php index.html;
>>
>>     location ~ \.php$ {
>>         fastcgi_pass unix:/var/run/php-fpm.locatsock;
>>         fastcgi_param DOCUMENT_ROOT /usr/local/www/phpMyAdmin;
>>         fastcgi_param SCRIPT_FILENAME /usr/local/www/phpMyAdmin/$1;
>>         fastcgi_param SCRIPT_FILENAME
>>         /usr/local/www/site1/wordpress$fastcgi_script_name;
>>         fastcgi_param PATH_INFO $fastcgi_script_name;
>>         include fastcgi_params;
>>     }
>> }
>>
>> I eagerly anticipate a working example if and when you can provide one.
>> Thank you.
>>
>
> Next to "IfIsEvil" there should be a "DoNotUseAlias (unless necessary)".
> Use the "root" directive and nested locations
>
> location /phpMyAdmin {
>     root /usr/local/www;
>     index index.php;
>     # above probably not necessary as it is inherited from above
>     location ~ \.php$ {
>         fastcgi_pass ...;
>         ...
>     }
> }
>
>
If my recollection is correct, I believe I had problems when using root
instead of alias directive. I will try again though.
> A few notes, in no particular order:
>
> You *should* use auth_basic [0] at the very least as exposing this
> functionality to the world is a very bad idea.
>
> You should consider using "https only" for this script.
>
> If you want to enter phpmyadmin in all lower case in the URL (it is
> easier), do it via rewrite.
>
> Consider turning off access log on at least rewritten requests once you
> know it's working.
>
> Consider using your server's FQDN, not your server name. It's less
> likely potential intruders would guess it, though far from impossible.
>
> Something like (not tested but should get you very close if not there):
>
> server {
>     listen 80;
>     server_name foo;
>
>     location ^~ /phpmyadmin {
>         access_log off;
>         rewrite ^ /phpMyAdmin/ permanent;
>     }
>
>     location /phpMyAdmin {
>         access_log off;
>         rewrite ^ https://foo$request_uri? break;
>     }
>     ...
>
> }
>
> server {
>     listen 443 ssl;
>     server_name foo;
>
>     ssl_certificate /path/to/cert;
>     ssl_certificate_key /path/to/key;
>
>     ...
>
>     location ^~ /phpmyadmin {
>         access_log off;
>         rewrite ^ /phpMyAdmin/ permanent;
>     }
>
>     location /phpMyAdmin {
>         auth_basic "Blah";
>         auth_basic_user_file /path/to/auth/file;
>         # access_log off; # optional
>         location ~ \.php$ {
>             fastcgi_pass ...;
>             include fastcgi_params;
>             fastcgi_index index.php;
>             fastcgi_param HTTPS on;
>         }
>     }
> }
>
I would like the whole server accessible over SSL. Not just for
phpMyAdmin but WordPress administration.
>
> [0] http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
>
Jim, thank you very much for your example(s) and advice, it is very much
appreciated. I had intended to secure phpMyAdmin access after resolving
my basic configuration issues. I will attempt to implement these changes
and report back with results.
--
syn.bsdbox.co
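
A consolidated sketch of the layout this thread works toward (phpMyAdmin served from outside the WordPress root with `root` and a nested PHP location, basic auth, whole server on HTTPS), added here as an example and not a configuration posted by either participant. The PHP-FPM socket path and the auth realm are placeholders, and `servername.com` stands in for the real host.

```nginx
# Added example; values marked "placeholder" are assumptions, not from the thread.
server {
    listen 80;
    server_name servername.com;
    return 301 https://servername.com$request_uri;   # whole site over TLS
}

server {
    listen 443 ssl;
    server_name servername.com;

    ssl_certificate     /path/to/cert;
    ssl_certificate_key /path/to/key;

    root  /usr/local/www/site1/wordpress;   # WordPress root, as in the thread
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Server-level PHP handler (WordPress).
    location ~ \.php$ {
        try_files $uri =404;                 # never hand PHP-FPM a missing script
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/path/to/php-fpm.sock;   # placeholder
    }

    # ^~ keeps the server-level \.php$ regex above from taking these requests,
    # so the nested PHP location (with the phpMyAdmin root) handles them.
    location ^~ /phpMyAdmin {
        root  /usr/local/www;                # root + URI = /usr/local/www/phpMyAdmin/...
        index index.php;
        auth_basic           "Restricted";   # placeholder realm
        auth_basic_user_file /path/to/auth/file;

        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/path/to/php-fpm.sock;   # placeholder
        }
    }

    location ^~ /phpmyadmin { return 301 /phpMyAdmin/; }   # lower-case convenience URL
}
```

Run `nginx -t` to validate the file before reloading.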