I followed this guide:
http://sleepycode.com/2010/11/disabling-php-files-in-wordpress-upload-when-using-nginx/
But the way he did it seemed to repeat a lot of code. I have about 8 locations from which ONLY image files should be downloaded.
This is what I now have in my conf file - is this valid, safe, and the best way of doing things?
The only way I can think to do this is to try for a non-existent file. As that file doesn't exist, it redirects to be handled by the @protected block, and PHP files get specifically 403'd. And if it does exist, the worst that can happen is that someone can download nothing.txt.
I have this feeling there's a far better way - including the ability to deny ALL files except those 3 image types. But if not (and 2 hours of RTFM and googling hasn't found a result yet), is my way safe?
*********************************************************
# Locations only images should be served from
# Regex locations: "/images" or "/editors" is matched anywhere in the URI.
location ~ /images {
    # nothing.txt is never present, so try_files always falls through to @protected
    try_files nothing.txt @protected;
    # nested location: any .php under here is refused outright
    location ~ \.php$ { return 403; }
}
location ~ /editors {
    try_files nothing.txt @protected;
    location ~ \.php$ { return 403; }
}
location @protected {
    # a types block here replaces the inherited mime.types map,
    # so only these three extensions get an image Content-Type
    types {
        image/gif  gif;
        image/jpeg jpeg jpg;
        image/png  png;
    }
    # any other extension is sent with this Content-Type
    default_type application/octet-stream;
}
*********************************************************
And while I'm here, can I just check...
*********************************************************
# Inaccessible locations
# Only .php files under any .../includes/ path are refused
location ~ /includes/.*\.php$ { return 403; }
# Everything under any .../backups or .../logs path is refused
location ~ /backups { return 403; }
location ~ /logs { return 403; }
*********************************************************
The above seems to block access to ALL include/backup/log directories, whatever their path, which is perfect for what I want. But is it safe?
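An allow-list variant of the same idea, added here as an example; it is not part of the original post or of the linked guide. Instead of blocking .php and relying on a try_files that always fails, the image directories accept only the three image extensions and refuse everything else. It assumes root is set in the enclosing server block, and uses /images/ and /editors/ as stand-ins for the poster's upload paths (the real list has about eight).

```nginx
# Added example, not the poster's config. Assumes "root" is set in the
# enclosing server block; /images/ and /editors/ are placeholder paths.

# Outer location: anything under the image directories, anchored at the
# start of the URI so that e.g. /blog/images-of-things is not caught.
location ~ ^/(images|editors)/ {

    # Inner location: the three permitted image types. nginx lowercases
    # the extension before the types lookup, so FOO.PNG is still image/png.
    location ~* \.(gif|jpe?g|png)$ {
        # serve the file if it exists, otherwise 404; no PHP handler here
        try_files $uri =404;

        # a types block in this location replaces the inherited map,
        # so a .php file cannot be typed as a script by accident
        types {
            image/gif  gif;
            image/jpeg jpeg jpg;
            image/png  png;
        }
        default_type application/octet-stream;
    }

    # Any request under these directories that did not match the inner
    # location (including every .php, .txt, .html ...) is refused.
    # "return" is not inherited by the nested location above.
    return 403;
}
```

Two things govern whether this actually holds. First, nginx picks the first regex location that matches, and only then consults its nested locations, so this block (and the deny blocks above) must appear before any general `location ~ \.php$` that passes requests to PHP; placed after it, /images/x.php would be handed to the PHP handler instead. Second, the outer regex is anchored with ^ and a trailing slash, which is stricter than the poster's `~ /images`; if the intent really is to match the directory name anywhere in the path (as with the backups/logs blocks), drop the anchor and keep the rest.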