Issue with the try_files and status page
Posted by axeloz, January 13, 2015 10:20AM
Hello guys,

I just noticed a problem with my Nginx installation: I enabled the PHP-FPM status page (URL: /status). Then I added the location block on a default virtual host allowing only 127.0.0.1 to connect to this page.

Luckily I tested my website (www.example.com/status), because the status page shows up even from outside. It took me quite a while to figure out the problem, but I think I may have found an explanation (at least, this is the only one I can think of):

If I remove the /status location block everywhere in my websites, the /status URL keeps working from outside. So the location block does nothing. I think there is a strong incompatibility between the FPM status feature and the Nginx try_files feature. I am using try_files on example.com, which sends the requests to PHP if the URI does not match a file or a folder. So PHP receives the /status GET request and therefore replies with the status page!

I think this is quite serious, as the status page may contain some confidential information, especially with the ?full query string.

Has anyone seen this before? How can I prevent the status page from being seen from outside the loopback address?

Thanks

Axel
Re: Issue with the try_files and status page
January 13, 2015 11:31AM
As a workaround, I must add the following block into any server configuration using try_files:

    # regex location: refuse /status and /ping in this server before try_files can forward them
    location ~ ^/(status|ping)$ {
        deny all;
    }

This is only a workaround and it remains risky because I might forget to add these instructions on a new server one day.
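The following configuration is an added example and is not from the original posts or from the nginx or PHP-FPM projects. It shows the weak pattern the thread describes next to a hardened version. Assumptions: PHP-FPM listens on unix:/run/php-fpm.sock and its pool sets pm.status_path = /status and ping.path = /ping; the paths /var/www/example and /etc/nginx/snippets/fpm-control.conf are illustrative names. The two server blocks are alternatives to compare, not meant to be loaded together.

```nginx
# Added example, not part of the original thread. Socket, root and
# snippet path below are assumed names.

# --- Weak: try_files falls back to a named location that hands the
#     ORIGINAL URI to FPM. fastcgi_params sets SCRIPT_NAME from
#     $fastcgi_script_name, i.e. "/status", and FPM compares SCRIPT_NAME
#     with pm.status_path, so any client gets the status page. An
#     allow/deny location in a different server {} never sees the request.
server {
    listen 80;
    server_name www.example.com;
    root /var/www/example;

    location / {
        try_files $uri $uri/ @php;
    }

    location @php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}

# --- Hardened: exact-match locations for the FPM control paths.
#     "location =" wins over prefix and regex locations, so these are
#     selected before "location /" and its try_files can run. Loopback
#     keeps access to the pages; everyone else gets 403.
server {
    listen 80;
    server_name www.example.com;
    root /var/www/example;

    # Keep the two blocks below in a shared snippet (assumed name
    # /etc/nginx/snippets/fpm-control.conf) and include it in every
    # server that proxies to FPM, so a new vhost cannot forget them.
    location = /status {
        allow 127.0.0.1;
        allow ::1;
        deny all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }

    location = /ping {
        allow 127.0.0.1;
        allow ::1;
        deny all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ @php;
    }

    location @php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}
```

To check the result, request the page once from the host itself (`curl -s http://127.0.0.1/status?full -H 'Host: www.example.com'` should return the pool status) and once from another machine against the public address with the same Host header, which should return 403. Run `nginx -t` after editing, and repeat the external check for every server_name that proxies to FPM, since each server {} selects its own locations.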