Protect against php files being sent as static files
Ian Hobson
hobson42 at gmail.com
Wed Mar 6 12:01:35 UTC 2019
On 05/03/2019 11:50, Olaf van der Spek wrote:
> Hi,
>
> Is there a way to protect against php files being sent as static files /
> source due to some php specific configuration being missed (by accident)?
> Another web server has this by default: static-file.exclude-extensions = (
> ".php", ".pl", ".fcgi" )
Hi,
I think you need the zero day exploit defence.
If you place your php files outside the main root directory, and
then do something like this
server {
    # .....
    root /location/of/static/files;
    location ~ \.php {
        root /location/of/php/files;
        # Zero-day exploit defence, see
        # http://forumm.nginx.org/read.php?2,88846,page 3
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
Then you should be OK.
There is actually no need to move php files to a new root.
Regards
Ian
--
Ian Hobson
Tel (+351) 910 418 473
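
A check for the separate-root layout discussed in this thread, as an added example that is not code from the thread: it walks the static root and lists files that would be returned as source if no handler location matched them. The function names and the sample tree are constructed for illustration; the extension list is the one quoted in the question.

```python
import os
import tempfile

# Extensions from the static-file.exclude-extensions list quoted in the question.
SCRIPT_EXTENSIONS = {".php", ".pl", ".fcgi"}
PHP_OPEN_TAG = b"<?php"

def find_exposed_scripts(static_root):
    """Return sorted (relative_path, reason) pairs for files under static_root
    that a static file handler would send to the client as source."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(static_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, static_root)
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append((rel, "script extension " + ext))
                continue
            # Includes and backups (db.inc, index.php.bak) slip past extension checks.
            try:
                with open(full, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue
            if PHP_OPEN_TAG in head:
                findings.append((rel, "contains PHP open tag"))
    return sorted(findings)

def build_sample_root(root):
    """Constructed sample tree: two harmless files and three that leak source."""
    files = {
        "index.html": b"<html>hello</html>",
        "css/site.css": b"body { margin: 0 }",
        "info.PHP": b"<?php phpinfo();",
        "inc/db.inc": b"<?php $password = 'example';",
        "old/index.php.bak": b"<html><?php echo 1; ?></html>",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        for rel, reason in find_exposed_scripts(tmp):
            print(rel + ": " + reason)
```

Point `find_exposed_scripts` at the directory named in the server-level `root` directive; an empty result means the static root holds nothing that would leak as source.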