PHP below server root not served

nano nanotek at bsdbox.co
Thu Jan 9 17:28:58 UTC 2014


On 10/01/2014 4:13 AM, Jim Ohlstein wrote:
> Hello,
>
> On 1/9/14, 9:42 AM, nano wrote:
>>
>> I have attempted several variations of this format[1] you recommend and
>> continue to produce a broken site: a dialog to download
>> application/octet-stream from the main servername.com, and a 'File not
>> found.' from https://servername.com/phpmyadmin.
>>
>> [1]
>> location / {
>>     try_files $uri $uri/ /index.php?$args;
>> }
>>
>> location ^~ /phpmyadmin {
>>     alias /usr/local/www/phpMyAdmin/;
>>     index index.php index.html;
>>
>>     location ~ \.php$ {
>>         fastcgi_pass unix:/var/run/php-fpm.locatsock;
>>         fastcgi_param DOCUMENT_ROOT /usr/local/www/phpMyAdmin;
>>         fastcgi_param SCRIPT_FILENAME /usr/local/www/phpMyAdmin/$1;
>>         fastcgi_param SCRIPT_FILENAME
>> /usr/local/www/site1/wordpress$fastcgi_script_name;
>>         fastcgi_param PATH_INFO $fastcgi_script_name;
>>         include fastcgi_params;
>>     }
>> }
>>
>> I eagerly anticipate a working example if and when you can provide one.
>> Thank you.
>>
>
> Next to "IfIsEvil" there should be a "DoNotUseAlias (unless necessary)".
> Use the "root" directive and nested locations
>
> location /phpMyAdmin {
>      root /usr/local/www;
>      index index.php;
> # above probably not necessary as it is inherited from above
>      location ~ \.php$ {
>          fastcgi_pass ...;
>      ...
>      }
> }
>
>

If my recollection is correct, I believe I had problems when using the root 
directive instead of alias. I will try again though.

> A few notes, in no particular order:
>
> You *should* use auth_basic [0] at the very least, as exposing this
> functionality to the world is a very bad idea.
>
> You should consider using "https only" for this script.
>
> If you want to enter phpmyadmin in all lower case in the URL (it is
> easier), do it via rewrite.
>
> Consider turning off access log on at least rewritten requests once you
> know it's working.
>
> Consider using your server's FQDN, not your server name. It's less
> likely potential intruders would guess it, though far from impossible.
>
> Something like (not tested but should get you very close if not there):
>
> server {
>      listen 80;
>      server_name foo;
>
>      location ^~ /phpmyadmin {
>          access_log  off;
>          rewrite ^  /phpMyAdmin/ permanent;
>      }
>
>      location /phpMyAdmin {
>          access_log  off;
>          rewrite ^ https://foo$request_uri? break;
>      }
>   ...
>
> }
>
> server {
>      listen 443 ssl;
>      server_name foo;
>
>      ssl_certificate  /path/to/cert;
>      ssl_certificate_key /path/to/key;
>
>      ...
>
>      location ^~ /phpmyadmin {
>          access_log  off;
>          rewrite ^  /phpMyAdmin/ permanent;
>      }
>
>      location /phpMyAdmin {
>          auth_basic "Blah";
>          auth_basic_user_file /path/to/auth/file;
> #        access_log  off;    # optional
>          location ~ \.php$ {
>              fastcgi_pass ...;
>              include fastcgi_params;
>              fastcgi_index  index.php;
>              fastcgi_param  HTTPS on;
>          }
>      }
> }
>

I would like the whole server accessible over SSL, not just for 
phpMyAdmin but also for WordPress administration.

>
> [0] http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
>

Jim, thank you very much for your example(s) and advice; it is very much 
appreciated. I had intended to secure phpMyAdmin access after resolving 
my basic configuration issues. I will attempt to implement these changes 
and report back with results.

-- 
syn.bsdbox.co
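The following is an added example, not configuration posted by either participant in the thread. It puts Jim's points together for the layout nano describes (WordPress at /usr/local/www/site1/wordpress, phpMyAdmin at /usr/local/www/phpMyAdmin, PHP-FPM on a UNIX socket) and serves the whole site over TLS, as nano wants: plain HTTP only redirects, phpMyAdmin is reached through a `root` override with nested locations instead of `alias`, the lower-case URL is rewritten, and the directory sits behind `auth_basic`. The hostname, certificate and password-file paths and the socket name (`/var/run/php-fpm.sock`) are placeholders and are assumptions of this example.

```nginx
# Added example (not from the thread). Assumed placeholders: hostname,
# certificate/key paths, the htpasswd file, and the PHP-FPM socket path.

server {
    listen 80;
    server_name www.example.com;
    # Nothing is served over plain HTTP; everything goes to the TLS server.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /usr/local/etc/ssl/example.com.crt;   # assumed path
    ssl_certificate_key /usr/local/etc/ssl/example.com.key;   # assumed path

    # Server-wide document root: WordPress.
    root  /usr/local/www/site1/wordpress;
    index index.php index.html;

    # WordPress front controller (as in nano's original location /).
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Convenience URL in lower case -> the real directory name (Jim's rewrite).
    location ^~ /phpmyadmin {
        access_log off;
        rewrite ^ /phpMyAdmin/ permanent;
    }

    # phpMyAdmin lives beside, not below, the WordPress root, so this location
    # overrides "root" rather than using "alias": /usr/local/www + the request
    # path /phpMyAdmin/index.php resolves to the real file, and the nested PHP
    # location inherits that root, so SCRIPT_FILENAME needs no hand-built path.
    location ^~ /phpMyAdmin {
        root /usr/local/www;

        # Jim's first note: never expose this to the world unauthenticated.
        auth_basic           "phpMyAdmin";
        auth_basic_user_file /usr/local/etc/nginx/pma.htpasswd;   # assumed path

        location ~ \.php$ {
            # Return 404 ourselves instead of handing a non-existent script
            # name to PHP-FPM (the "File not found." nano saw comes from FPM).
            try_files $uri =404;
            include       fastcgi_params;
            fastcgi_pass  unix:/var/run/php-fpm.sock;   # assumed socket path
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param HTTPS on;
        }
    }

    # PHP for WordPress. $document_root here is the server-level root above,
    # because "^~ /phpMyAdmin" is a prefix match and this regex location is
    # never consulted for requests under /phpMyAdmin.
    location ~ \.php$ {
        try_files $uri =404;
        include       fastcgi_params;
        fastcgi_pass  unix:/var/run/php-fpm.sock;       # assumed socket path
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
    }
}
```

The password file takes htpasswd-style `user:hash` lines; nginx's auth_basic module accepts crypt() and Apache apr1 hashes, so `htpasswd -c` or `openssl passwd -apr1` produces a usable entry. Check the result with `nginx -t` before reloading, then confirm that `https://www.example.com/phpmyadmin` redirects to `/phpMyAdmin/`, that the redirected request prompts for credentials, and that `https://www.example.com/phpMyAdmin/nonexistent.php` returns nginx's own 404 rather than a PHP-FPM "File not found.".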



More information about the nginx mailing list