aboutsummaryrefslogtreecommitdiffstats
path: root/doc/install
diff options
context:
space:
mode:
authorOlaf Conradi <olaf@conradi.org>2013-11-12 23:21:08 +0100
committerOlaf Conradi <olaf@conradi.org>2013-11-12 23:21:08 +0100
commitf55fec9ace95a99e8816b1cdccc7587e9cf07414 (patch)
tree66344287dbe9c54521d09e656b69d8bab4b19beb /doc/install
parent428e0c8945ecb63714b67693941fe24b5761a2f2 (diff)
downloadvolse-hubzilla-f55fec9ace95a99e8816b1cdccc7587e9cf07414.tar.gz
volse-hubzilla-f55fec9ace95a99e8816b1cdccc7587e9cf07414.tar.bz2
volse-hubzilla-f55fec9ace95a99e8816b1cdccc7587e9cf07414.zip
Improve Nginx config to prevent php injection in uri
First check if php script exists before calling php-fpm.
Diffstat (limited to 'doc/install')
-rw-r--r--doc/install/sample-nginx.conf14
1 files changed, 12 insertions, 2 deletions
diff --git a/doc/install/sample-nginx.conf b/doc/install/sample-nginx.conf
index 57a0e63b5..97e091f8e 100644
--- a/doc/install/sample-nginx.conf
+++ b/doc/install/sample-nginx.conf
@@ -98,16 +98,26 @@ server {
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
# or a unix socket
location ~* \.php$ {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # Zero-day exploit defense.
+ # http://forum.nginx.org/read.php?2,88845,page=3
+ # Won't work properly (404 error) if the file is not stored on this
+ # server, which is entirely possible with php-fpm/php-fcgi.
+ # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
+ # another machine. And then cross your fingers that you won't get hacked.
+ try_files $uri =404;
+
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
# With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_index index.php;
+
include fastcgi_params;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# deny access to all dot files