Block PHP source and hidden files
Posted by aliakbar
|
Block PHP source and hidden files January 29, 2010 02:55AM |
Registered: 14 years ago Posts: 6 |
php5-cgi crashes on occasion and nginx serves the files as plain text and forces the browser to download them.
This is a huge security concern for me cause they can see the contents of my PHP files.
1. Is there anyway to make it so files with the extension .php return a 403 forbidden status code if for some reason fastcgi isn't working?
2. I'm having the same issue with files that start with a dot showing up. I have a lot of files that start with a period like .module, .htpasswd, .settings, etc. that contain sensitive information that the user shouldn't be able to see/download.
I just want to return 403 errors for all these files.
This is a huge security concern for me cause they can see the contents of my PHP files.
1. Is there anyway to make it so files with the extension .php return a 403 forbidden status code if for some reason fastcgi isn't working?
2. I'm having the same issue with files that start with a dot showing up. I have a lot of files that start with a period like .module, .htpasswd, .settings, etc. that contain sensitive information that the user shouldn't be able to see/download.
I just want to return 403 errors for all these files.
|
Re: Block PHP source and hidden files January 29, 2010 06:15AM |
Admin Registered: 15 years ago Posts: 574 |
aliakbar Wrote:
-------------------------------------------------------
> php5-cgi crashes on occasion and nginx serves the
> files as plain text and forces the browser to
> download them.
>
> This is a huge security concern for me cause they
> can see the contents of my PHP files.
Use a process manager like php-fpm or supervisord which will restart php-cgi processes when (not if) they crash
>
> 1. Is there anyway to make it so files with the
> extension .php return a 403 forbidden status code
> if for some reason fastcgi isn't working?
See above. If you have it configured that all files that end in .php are passed to a fastcgi backend and that fastcgi backend is dead nginx should return a 502 (Bad Gateway), not the text of the file.
>
> 2. I'm having the same issue with files that start
> with a dot showing up. I have a lot of files that
> start with a period like .module, .htpasswd,
> .settings, etc. that contain sensitive information
> that the user shouldn't be able to see/download.
>
> I just want to return 403 errors for all these
> files.
[code]
location ~ /\.htpasswd {
deny all;
}
location ~ /\.settings {
deny all;
}
location ~ /\.module {
deny all;
}
[/code]
--
Jim Ohlstein
-------------------------------------------------------
> php5-cgi crashes on occasion and nginx serves the
> files as plain text and forces the browser to
> download them.
>
> This is a huge security concern for me cause they
> can see the contents of my PHP files.
Use a process manager like php-fpm or supervisord which will restart php-cgi processes when (not if) they crash
>
> 1. Is there anyway to make it so files with the
> extension .php return a 403 forbidden status code
> if for some reason fastcgi isn't working?
See above. If you have it configured that all files that end in .php are passed to a fastcgi backend and that fastcgi backend is dead nginx should return a 502 (Bad Gateway), not the text of the file.
>
> 2. I'm having the same issue with files that start
> with a dot showing up. I have a lot of files that
> start with a period like .module, .htpasswd,
> .settings, etc. that contain sensitive information
> that the user shouldn't be able to see/download.
>
> I just want to return 403 errors for all these
> files.
[code]
location ~ /\.htpasswd {
deny all;
}
location ~ /\.settings {
deny all;
}
location ~ /\.module {
deny all;
}
[/code]
--
Jim Ohlstein
|
Re: Block PHP source and hidden files January 29, 2010 07:51AM |
Registered: 14 years ago Posts: 6 |
Oh, I'm REALLY sorry for wasting your time it turns out my cached version of the page was set to serve it as a file it does return a 502 error (phew!) I was really worried. I use Monit actually does supervisord have any performance benefits over it? I didn't like PHP-FPM or spawn-fcgi cause they my scripts seemed to execute slower then when I just used a shell script to start and stop php5-cgi, which seems to be working fine and wayyy more stable than spawn-fcgi. Also, I use Ubuntu and didn't want to compile PHP from source though I did compile nginx from source that way I could always get the latest stable releases.
Thanks for the thing with the files that should be hidden that helps a lot I remember seeing that somewhere don't know what I was thinking, I guess I wanted to just match all files that started with a . with one rule would ^~ /\.+ work?
Next time I'll try and think through my questions better (and clear my site's file cache!) =P
Thanks for the thing with the files that should be hidden that helps a lot I remember seeing that somewhere don't know what I was thinking, I guess I wanted to just match all files that started with a . with one rule would ^~ /\.+ work?
Next time I'll try and think through my questions better (and clear my site's file cache!) =P
|
Re: Block PHP source and hidden files January 29, 2010 08:53AM |
Admin Registered: 15 years ago Posts: 574 |
aliakbar Wrote:
-------------------------------------------------------
> Oh, I'm REALLY sorry for wasting your time it
> turns out my cached version of the page was set to
> serve it as a file it does return a 502 error
> (phew!) I was really worried.
That's what I figured. No worries.
I use Monit actually
> does supervisord have any performance benefits
> over it?
It's an actual process manger and will see to it that you have the number of child processes, etc. I use Monit to make sure that supervisord is running (really paranoid).
>
> Thanks for the thing with the files that should be
> hidden that helps a lot I remember seeing that
> somewhere don't know what I was thinking, I guess
> I wanted to just match all files that started with
> a . with one rule would ^~ /\.+ work?
If they are not in the root directory, probably. If not, you may want to omit the forward slash but then you will need more specific matches like above:
[code]
location ~ \.htpasswd {
deny all;
}
location ~ \.settings {
deny all;
}
location ~ \.module {
deny all;
}
[/code]
Otherwise anything with a dot in the name will match.
--
Jim Ohlstein
-------------------------------------------------------
> Oh, I'm REALLY sorry for wasting your time it
> turns out my cached version of the page was set to
> serve it as a file it does return a 502 error
> (phew!) I was really worried.
That's what I figured. No worries.
I use Monit actually
> does supervisord have any performance benefits
> over it?
It's an actual process manger and will see to it that you have the number of child processes, etc. I use Monit to make sure that supervisord is running (really paranoid).
>
> Thanks for the thing with the files that should be
> hidden that helps a lot I remember seeing that
> somewhere don't know what I was thinking, I guess
> I wanted to just match all files that started with
> a . with one rule would ^~ /\.+ work?
If they are not in the root directory, probably. If not, you may want to omit the forward slash but then you will need more specific matches like above:
[code]
location ~ \.htpasswd {
deny all;
}
location ~ \.settings {
deny all;
}
location ~ \.module {
deny all;
}
[/code]
Otherwise anything with a dot in the name will match.
--
Jim Ohlstein
Sorry, only registered users may post in this forum.
Online Users
Guests:
156
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|