Welcome! Log In Create A New Profile

Advanced

PH Fast-CGI security pitfall

B.R.
November 22, 2011 02:34PM
Hello,

I juste read this
articlehttps://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/which
highlight a common security pitfall to serve PHP files.
I don't see any similar advice in your PHP on Fast-CGI
tutorialhttp://wiki.nginx.org/PHPFcgiExamplenor your
pitfalls page http://wiki.nginx.org/Pitfalls.

On the last page, you tell about the problem in the *Pass Non-PHP Requests
to PHP* section, you seem to point in the right direction in the *Proxy
everything* section, but not for the right reasons.
You tell people to use an 'if' to check for file existence, but the use of
'try' is much better, a you know it since you redirect to the IfIsEvil page.

The article I gave you reference to offers 5 different wys to secure the
server. The 'try_files $uri =404;' seems to be a nice way of preventing
non-PHP script from being executed, isn't it?
Thanks,
---
*B. R.*
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

PH Fast-CGI security pitfall

B.R. November 22, 2011 02:34PM

Re: PH Fast-CGI security pitfall

Maxim Khitrov November 22, 2011 03:00PM

Re: PH Fast-CGI security pitfall

B.R. November 22, 2011 03:06PM

Re: PH Fast-CGI security pitfall

Roman Vasilyev November 22, 2011 03:08PM

Re: PH Fast-CGI security pitfall

Ensiferous November 22, 2011 03:28PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 246
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready