Protect against php files being sent as static files

Ian Hobson hobson42 at gmail.com
Wed Mar 6 12:01:35 UTC 2019


On 05/03/2019 11:50, Olaf van der Spek wrote:
> Hi,
> 
> Is there a way to protect against php files being sent as static files /
> source due to some php specific configuration being missed (by accident)?
> Another web server has this by default: static-file.exclude-extensions = (
> ".php", ".pl", ".fcgi" )
Hi,

I think you need the zero day exploit defence.

If you place your php files outside the main root directory, and
then do something like this

server {
    # ..... (rest of the server configuration)

    root /location/of/static/files;
    location ~ \.php {
       root /location/of/php/files;
       # Zero-day exploit defence, see http://forumm.nginx.org/read.php?2,88846,page 3
       try_files $uri =404;
       fastcgi_split_path_info ^(.+\.php)(/.+)$;
       include /etc/nginx/fastcgi_params;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_pass  127.0.0.1:9000;
    }
}

Then you should be OK.

There is actually no need to move php files to a new root.

Regards

Ian

-- 
Ian Hobson
Tel (+351) 910 418 473
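
Added example, not part of the original message and not nginx project code: a small Python lint that flags `server` blocks in which a request for a `.php` path would match no regex location that hands it to a backend or refuses it, which is the "configuration missed by accident" case raised in the question. The function names, the sample configuration and its paths are constructed; the parser is a heuristic that assumes no braces inside regexes or strings and ignores `^~` prefix locations.

```python
import re

def blocks(text, header):
    """Yield (match, body) for every `<header> { ... }` block, by brace counting."""
    for m in re.finditer(header + r'\s*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

# Regex locations only: `location ~ pattern` or `location ~* pattern`.
LOC = r'\blocation\s+(~\*?)\s+(\S+)'
# Directives that mean the request is handed to a backend or refused.
SAFE = re.compile(r'\b(fastcgi_pass|proxy_pass)\b|\breturn\s+4\d\d\b|\bdeny\s+all\b')

def unprotected_servers(conf, probe="/index.php"):
    """Return indexes of server blocks where `probe` would be served as a static file."""
    conf = re.sub(r'#.*', '', conf)          # drop comments before parsing
    bad = []
    for n, (_, body) in enumerate(blocks(conf, r'\bserver')):
        # nginx uses the first regex location (in file order) that matches the URI.
        first = next((loc for m, loc in blocks(body, LOC)
                      if re.search(m.group(2), probe,
                                   re.I if m.group(1) == '~*' else 0)), None)
        if first is None or not SAFE.search(first):
            bad.append(n)
    return bad

# Constructed sample: the first server has the PHP block, the second forgot it.
SAMPLE = r"""
server {
    root /srv/static;                          # hypothetical path
    location ~ \.php {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
    }
}
server {
    root /srv/other;                           # hypothetical path
    location / { try_files $uri $uri/ =404; }  # PHP block missing
}
"""

if __name__ == "__main__":
    for n in unprotected_servers(SAMPLE):
        print(f"server block #{n}: .php requests fall through to static serving")
```

Run against the real configuration in CI, a non-empty result is a reason to fail the deployment before any source file can be downloaded.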