Protect against php files being sent as static files

Ian Hobson hobson42 at
Wed Mar 6 12:01:35 UTC 2019

On 05/03/2019 11:50, Olaf van der Spek wrote:
> Hi,
> Is there a way to protect against php files being sent as static files /
> source due to some php specific configuration being missed (by accident)?
> Another web server has this by default: static-file.exclude-extensions = (
> ".php", ".pl", ".fcgi" )

I think you need the zero day exploit defence.

If you place your php files outside the main root directory, and
then do something like this

server {

    root /location/of/static/files;
    location ~ \.php {
       root /location/of/php/files;
       # Zero-day exploit defence, see,88846,page 3
       try_files $uri =404;
       fastcgi_split_path_info ^(.+\.php)(/.+)$;
       include /etc/nginx/fastcgi_params;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       # A fastcgi_pass directive for the PHP backend is also needed here;
       # the post does not give its address.
    }
}

Then you should be OK.

There is actually no need to move php files to a new root.



Ian Hobson
Tel (+351) 910 418 473
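
Added example (not part of the original message and not nginx project code): the separate-root layout above only fails closed while the static root really contains no script files, so this check walks a static root and reports anything nginx could hand out as source. The extension list comes from the static-file.exclude-extensions line quoted in the question; the function names and the demo directory tree are constructed for illustration.

```python
import os
import tempfile

# Extensions from the static-file.exclude-extensions line quoted above.
SCRIPT_EXTENSIONS = (".php", ".pl", ".fcgi")


def find_exposed_scripts(static_root, extensions=SCRIPT_EXTENSIONS):
    """Return sorted paths, relative to static_root, that could be served as source."""
    extensions = tuple(e.lower() for e in extensions)
    exposed, seen = [], set()
    # nginx follows symlinks by default (disable_symlinks off), so the walk does too.
    for dirpath, dirnames, filenames in os.walk(static_root, followlinks=True):
        real_dir = os.path.realpath(dirpath)
        if real_dir in seen:          # symlink cycle: do not descend again
            dirnames[:] = []
            continue
        seen.add(real_dir)
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Check both the served name and the symlink target's name;
            # compare case-insensitively because "\.php" would not match ".PHP".
            target = os.path.basename(os.path.realpath(full))
            if name.lower().endswith(extensions) or target.lower().endswith(extensions):
                exposed.append(os.path.relpath(full, static_root))
    return sorted(exposed)


def _touch(path):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()


def demo():
    """Build a constructed static/php tree and return what the audit flags."""
    with tempfile.TemporaryDirectory() as tmp:
        static, php = os.path.join(tmp, "static"), os.path.join(tmp, "php")
        _touch(os.path.join(static, "index.html"))
        _touch(os.path.join(static, "css", "site.css"))
        _touch(os.path.join(static, "info.PHP"))      # stray script, odd case
        _touch(os.path.join(php, "app.php"))          # correctly outside static root
        os.symlink(os.path.join(php, "app.php"), os.path.join(static, "logo.png"))
        return find_exposed_scripts(static)


if __name__ == "__main__":
    for path in demo():
        print("exposed:", path)
```

Run against the real static root in a deploy or CI step, a non-empty result means a script has ended up where a missed PHP location block would serve it as plain text.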
