On 05/03/2019 11:50, Olaf van der Spek wrote:
> Hi,
>
> Is there a way to protect against php files being sent as static files /
> source due to some php specific configuration being missed (by accident)?
> Another web server has this by default: static-file.exclude-extensions = (
> ".php", ".pl", ".fcgi" )
Hi,

I think you need the zero day exploit defence.

If you place your php files outside the main root directory, and
then do something like this

server {
   .....

   root /location/of/static/files;
   location ~ \.php {
      root /location/of/php/files;
      # Zero-day exploit defence, see http://forumm.nginx.org/read.php?2,88846,page 3
      try_files $uri =404;
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      include /etc/nginx/fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_pass  127.0.0.1:9000;
   }
}

Then you should be OK.

There is actually no need to move php files to a new root.

Regards

Ian

--
Ian Hobson
Tel (+351) 910 418 473
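
An added example, not part of the original message or of nginx itself: a small heuristic audit that flags server blocks in which no php location either passes the request to a backend or rejects it, which is the "configuration missed by accident" case asked about. The sample config, host names and the function names are constructed for illustration, and include files are not followed.

```python
import re

# Constructed sample: only forgot.example lacks a location that handles .php.
SAMPLE_CONF = r"""
server {
    server_name good.example;
    root /location/of/static/files;
    location ~ \.php {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
    }
}
server {
    server_name forgot.example;
    root /srv/app;
    location / { try_files $uri $uri/ =404; }
}
server {
    server_name static.example;
    location ~ \.php(/|$) { return 404; }
}
"""

SERVER = re.compile(r"(?<![\w.-])server\s*\{")
LOCATION = re.compile(r"location\s+(?:~\*?|\^~|=)?\s*(\S+)\s*\{")
HANDLED = re.compile(r"\b(?:fastcgi_pass|proxy_pass|uwsgi_pass|return|deny)\b")

def blocks(pattern, text):
    """Yield (match, body) for each brace-balanced block opened by pattern."""
    for m in pattern.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]

def php_is_handled(server_body):
    """True if some location whose pattern mentions php passes or rejects the request."""
    return any("php" in m.group(1).lower() and HANDLED.search(body)
               for m, body in blocks(LOCATION, server_body))

def audit(conf):
    """Return the server_name of every server block that would serve .php as a static file."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (simplification: ignores quoted '#')
    flagged = []
    for _, body in blocks(SERVER, conf):
        if not php_is_handled(body):
            name = re.search(r"server_name\s+([^;]+);", body)
            flagged.append(name.group(1).strip() if name else "(unnamed)")
    return flagged

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A static-only server block passes the audit once it carries an explicit reject such as the `return 404` location shown for static.example.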