Dangerous difference between NGINX/PHP conifg and other servers
November 01, 2012 01:28AM
Somebody please correct me if I'm wrong, but I'm seeing a serious difference between how NGINX is configured for PHP relative to Lighty or Apache. I'm new to NGINX, but attempting to disect each line of a recommended config file, so bare with me.

On Lighty or Apache, php is configured on a more global basis. That is, php files should always be parsed/interpreted. A client will never see raw PHP for any normal situation.

With NGINX, I'm seeing a lot of config files that suggest handling php with a single location directive (~ \.php$), neglecting the fact that other location directives (with no fastcgi_pass declared) may also refer to site locations with php files. With the lack of fastcgi_pass in these other location directives, raw php can be served to the client. Serving raw PHP to clients seems pretty dangerous no?

Is there something very fundemental I'm missing here that would prevent NGINX from serving raw PHP code, regardless of how individual location directives are configured? Or is this really just the way it works?
Re: Dangerous difference between NGINX/PHP conifg and other servers
November 01, 2012 08:00PM
Ok, after more testing and reading I'm pretty sure I have this right. I also found an article where somebody points out the same flaw in another 'published' configuration.

So if you're using PHP and coming from Apache or Lighty, make sure you FULLY understand the location directive. Pay extra close attention to the documentation (http://wiki.nginx.org/HttpCoreModule#location), particularly how precedence among multiple location directives takes place.

If you don't do this, you can end up feeding hackers your raw PHP code!
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 246
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready