I'm running nginx/1.1.19 and php-fpm/5.4.6 under Ubuntu 12.04. Previously, all my virtual hosts were on a box with Apache, so I'm porting everything over. Mostly, this is going well. My problem happens with scripts that rely on URLs like domain.com/script.php/extra/info?query=foo. Despite everything I've tried (gathered from various tutorials, forums, blogs, etc.), I still can't get 3 things happening:

1. When I try and set PATH_TRANSLATED the "standard" way, I get Access Denied errors.
2. PHP_SELF is either empty or different than it was in Apache (/extra/info vs /script.php/extra/info).
3. I can't find a setting for try_files that would give a level of security.

My nginx.conf file is the default, although I have tried it with and without the following lines in the http { ... } block (as suggested here http://forum.nginx.org/read.php?11,212439,219664#msg-219664):

map $uri $script_url {
~^(?<script_filename>.+\.(php|html))(?<path_info>.+)$ $path_info;
~^(?<script_filename>.+\.(php|html))$ $script_filename;
}

My vhost files look like this (relevant portions):

server {
server_name domain.com;
root /var/www/domain.com;
location ~ \.php
{
include php_params;
}
}

And the /etc/nginx/php_params file looks like this:

fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;

# This doesn't work, but I should do some checking here I feel
#try_files $fastcgi_script_name 404;

fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param HTTPS $https;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;

# Uncommenting this line causes "Access denied." errors
#fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;

fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;

Any suggestions on what to do?

After much gnashing of teeth, changing cgi.fix_pathinfo in php.ini to 1 solved the first two problems. PATH_TRANSLATED can now be set correctly, and PHP_SELF matches the value my scripts expect (same as under Apache).

So the last step is whether my systems are secure without a try_files line. I did try making a PHP script called "image.gif" and requesting domain.com/image.gif/foo.php and I get appropriately denied due to security.limit_extensions, so I think I'm good.

I think the only limitation I will face is that I used to have some PHP scripts with no extension, and handled them in Apache with ForceType application/x-httpd-php