How to use Nginx to restrict access to every file to 127.0.0.1, except the php files in /

B.R. reallfqq-nginx at yahoo.fr
Fri Jan 9 18:58:46 UTC 2015


I suggest you put the generic \.php$ regex location into the / default
prefix location, like:
location / {
    location ~ \.php$ {
        [...]
    }
}

This avoids having regex location at the first level, since they are
sensitive to order.

Why use regex locations for individual files? The following would be more
efficient:
location /myfile.php {
    [...]
}

I also suggest you move redundant directives to the upper level whenever
possible; this will help maintenance.
---
*B. R.*

On Thu, Jan 8, 2015 at 11:49 PM, carlg <nginx-forum at nginx.us> wrote:

> Here is what I found to achieve this:
>
> I denied access to every PHP file:
>
>  location ~ \.php$ {
>         fastcgi_split_path_info ^(.+\.php)(/.+)$;
>         fastcgi_pass unix:/var/run/php5-fpm.sock;
>         fastcgi_index index.php;
>         include fastcgi_params;
>         allow 127.0.0.1;
>         deny all;
>       }
>
>
> and then I create one rule per page (takes time with some scripts, but it's
> worth it :)
>
> location ~* ^/myfile\.php$ {
>         fastcgi_split_path_info ^(.+\.php)(/.+)$;
>         try_files $uri $uri/ /index.php?q=$args;
>         fastcgi_pass unix:/var/run/php5-fpm.sock;
>         fastcgi_index index.php;
>         include fastcgi_params;
>         include /etc/nginx/naxsi.rules;
>         allow all;
>       }
>
> Every tutorial I found on nginx tells us to allow / deny in location /.
> ...but ^(.+\.php) is another location, not included in location /
>
> If I follow most tutorials I am still able to reach the PHP files inside
> the location / even if I denied access to all of them. Doing it this way
> works great :)
>
> I hope this will help someone ... ...someday :)
> Cheers :)
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,254785,256007#msg-256007
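Added example, not part of the original thread and not written by either poster: the tutorial pattern the quoted post found ineffective, beside a layout that combines the nested regex location, the per-file location and the "move directives up" advice from the reply. Ports, server names and root are constructed; the `=` exact-match modifier is this example's choice (the reply shows a plain prefix location), and `fastcgi_params` is assumed to provide what PHP-FPM needs, as in the thread's configs.

```nginx
# Both server blocks belong inside the http {} context.
# Socket path and /myfile.php come from the thread; the rest is constructed.

# WEAK: a request for /secret.php is served by the top-level regex location,
# which carries no allow/deny, so the rules in "location /" never apply to it.
server {
    listen 8080;
    server_name weak.example;
    root /var/www/html;

    location / {
        allow 127.0.0.1;
        deny all;
    }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
}

# CORRECTED: default policy at server level, regex nested under "/",
# one exact-match location per public script.
server {
    listen 8081;
    server_name fixed.example;
    root /var/www/html;

    # Inherited by every location that declares no allow/deny of its own.
    allow 127.0.0.1;
    deny all;

    # Inherited by locations that set no fastcgi_param themselves.
    include fastcgi_params;

    # "=" matches are checked first and end the search.
    location = /myfile.php {
        allow all;   # overrides the inherited 127.0.0.1-only policy
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    location / {
        # Evaluated only after "/" has been selected, so it cannot
        # shadow, or be shadowed by, other top-level locations.
        location ~ \.php$ {
            fastcgi_pass unix:/var/run/php5-fpm.sock;
        }
    }
}
```

Check the syntax with `nginx -t`. With the corrected block, a non-local client should get /myfile.php served and a 403 for any other path, PHP or static.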