Execution of PHP files in access-restricted folders

Posted by avi9526 
I'm getting to grips with NGINX on localhost.
The point is that access to some folders in the root directory is restricted, for example
location "/restricted/"
{
    auth_basic "Restricted";
    auth_basic_user_file htpasswd;
}

But the file "/restricted/info.php" opens without any authentication prompt.

How can this be overcome? Thanks!

Below is my /etc/nginx/sites-available/default file

server {
    #listen :80; ## listen for ipv4; this line is default and implied
    #listen [::]:80 default_server ipv6only=on; ## listen for ipv6

    root /var/www;
    index index.php index.html index.htm;

    # Make site accessible from http://localhost/
    server_name ********** www.**********;

    # Deny access to important files
    # Deny access to important places of Dokuwiki (see https://www.dokuwiki.org/security#web_access_security)
    # Deny access to .htaccess & .htpasswd files
    location ~* "/(\.ht.*|engine|inc|data|conf|bin|info|install|module|profile|po|sh|\..*sql|theme|tpl(.php)?|xtmpl)((/.*)?)$"
    {
        deny all;
        return 404;
    }

    location "/"
    {
        index index.php index.html index.htm;
    }

    location "/repository/"
    {
        autoindex on;
        allow all;
        # Nice looking index h5ai
        index /_h5ai/server/php/index.php;
    }

    location "/ftp/"
    {
        autoindex on;
        allow all;
        # Nice looking index h5ai
        index /_h5ai/server/php/index.php;
    }

    location "/restricted/"
    {
        auth_basic "Restricted";
        auth_basic_user_file htpasswd;
    }

    location "/doc/"
    {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        allow ::1;
        deny all;
    }

    ##
    # Pass the PHP scripts to FastCGI server listening on TCP port or UNIX socket
    ##
    # You should have "cgi.fix_pathinfo = 0;" in php.ini
    ##
    # NOTE: Check if "security.limit_extensions" in "/etc/php5/fpm/pool.d/www.conf" is set to
    # security.limit_extensions = .php .php3 .php4 .php5
    ##
    # Use "\.php((/.+)?)$" if You want to handle requests like "/index.php/Special:Preferences" (see mediawiki in some circumstances)
    # But it will enable some vulnerability (see below)
    location ~ "\.php$"
    {
        # Defense against 0-day exploit (see http://forum.nginx.org/read.php?2,88845,page=3)
        # Won't work properly (You will get 404 error) if file stored on the different server, which is possible when using php-fpm/php-fcgi.
        # Comment the "try_files" line out if php-fpm/php-fcgi is set up on another machine and be ready to get hacked.
        # Bad when using links like "/foo.php/MainPage" (check Mediawiki)
        try_files $uri $uri/ /index.php?q=$uri&$args /index.php =404;

        # Another way (bad, but maybe useful) to disable php execution into "upload" folders
        # "IF" statement can be used here, but it's bad (see http://wiki.nginx.org/IfIsEvil)
        # Nested locations also bad (can't find why), but...
        location ~* "/(upload(s?)|image(s?))/"
        {
            return 404;
        }

        # Disable loading of, for example, /hello.gif/foo.php
        location ~ "\..*/.*\.php$"
        {
            return 404;
        }

        # Edit php-fpm listening port in /etc/php5/fpm/pool.d/www.conf
        # php5-cgi running alone (listening TCP port):
        # fastcgi_pass 127.0.0.1:9000;
        # running php5-fpm (PHP listening on UNIX socket):
        fastcgi_pass unix:/var/run/php5-fpm.sock;

        fastcgi_split_path_info ^(.+\.php)(.*)$;

        # Order is important - first must be "include fastcgi_params"
        include fastcgi_params;

        # Here can be used "$document_root", it's bad (see http://wiki.nginx.org/Pitfalls), but not critical
        fastcgi_param SCRIPT_FILENAME /var/www/$fastcgi_script_name;
        fastcgi_param PATH_TRANSLATED /var/www/$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;

        fastcgi_param SERVER_ADMIN avi9526@********;
        fastcgi_param SERVER_SIGNATURE nginx/$nginx_version;

        fastcgi_index index.php;
    }
}
- location "/restricted/"
+ location ^~ "/restricted/"
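Review bot: the `^~` modifier closes the reported bypass, but as posted it also stops `/restricted/*.php` from reaching FastCGI: once the longest matching prefix location carries `^~`, nginx skips the regex locations, so the `location ~ "\.php$"` block with `fastcgi_pass` no longer applies and nginx serves the .php file as a plain static file, i.e. its source, to anyone who passes the Basic auth prompt. If PHP inside `/restricted/` is meant to run, nest a `location ~ "\.php$"` carrying the `fastcgi_pass`, `include fastcgi_params` and `fastcgi_param SCRIPT_FILENAME ...` lines inside the `^~` block (the config already uses nested locations in the PHP block), so the password prompt and PHP execution both apply there. Worth a line in the post saying which of the two behaviours is intended.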

As it turned out, this was all that was needed.
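The reason the original config let "/restricted/info.php" through is nginx's location-selection order: a regex location such as `location ~ "\.php$"` is checked before a plain prefix location is used, and only `^~` on the prefix suppresses that regex search. The following is an added example, not code from the original post or from nginx itself: a small Python model of the documented selection rules (assumed to mirror nginx's behaviour), loaded with the location blocks from the posted config so that the before/after effect of `^~` on a few URIs can be seen. The nested upload/image and "/x.gif/foo.php" sub-locations are left out, and the labels ("deny", "php", "restricted", ...) are names chosen here for the blocks.

```python
import re

# Added example: a simplified model of nginx's location-selection algorithm,
# written from the documented rules (assumption: this mirrors nginx; it is not
# nginx's own code). Each location is (modifier, pattern, label):
#   "="  exact match, wins immediately
#   "^~" prefix match that suppresses the regex search
#   ""   plain prefix match
#   "~"  case-sensitive regex, "~*" case-insensitive regex
def select_location(locations, uri):
    """Return the label of the location nginx would use for uri (None if nothing matches)."""
    # 1. An exact-match location ends the search at once.
    for mod, pattern, label in locations:
        if mod == "=" and uri == pattern:
            return label
    # 2. Remember the longest matching prefix location (plain or ^~).
    best = None
    for mod, pattern, label in locations:
        if mod in ("", "^~") and uri.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = (mod, pattern, label)
    # 3. If that longest prefix carries ^~, regex locations are not consulted.
    if best is not None and best[0] == "^~":
        return best[2]
    # 4. Otherwise regex locations are tried in configuration order; first match wins.
    for mod, pattern, label in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pattern, uri, flags):
                return label
    # 5. Fall back to the longest prefix match, if any.
    return best[2] if best else None


# The deny regex exactly as it appears in the posted config.
DENY_RE = r"/(\.ht.*|engine|inc|data|conf|bin|info|install|module|profile|po|sh|\..*sql|theme|tpl(.php)?|xtmpl)((/.*)?)$"

def site_locations(restricted_mod):
    """Location table from the post, in its original order.

    restricted_mod is "" for the original config and "^~" for the fixed one.
    """
    return [
        ("~*", DENY_RE, "deny"),
        ("", "/", "root"),
        ("", "/repository/", "repository"),
        ("", "/ftp/", "ftp"),
        (restricted_mod, "/restricted/", "restricted"),
        ("", "/doc/", "doc"),
        ("~", r"\.php$", "php"),
    ]

def handler_before_fix(uri):
    """Which block handles uri with the plain 'location "/restricted/"'."""
    return select_location(site_locations(""), uri)

def handler_after_fix(uri):
    """Which block handles uri with 'location ^~ "/restricted/"'."""
    return select_location(site_locations("^~"), uri)

if __name__ == "__main__":
    # Constructed sample URIs; the first one is the case from the post.
    for uri in ("/restricted/info.php", "/restricted/secret.txt",
                "/index.php", "/data/pages/start.txt"):
        print(f"{uri:26} before: {str(handler_before_fix(uri)):11} "
              f"after: {handler_after_fix(uri)}")
```

The first sample URI shows the problem: before the fix it lands in the "php" block (regex wins over the prefix, so no auth_basic is applied and the script runs); after the fix the `^~` prefix wins and the auth-protected "restricted" block handles it. The other samples show that the change does not alter routing elsewhere, and that the site-wide deny regex is still evaluated first for paths it covers.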