Block PHP source and hidden files
January 29, 2010 02:55AM
php5-cgi crashes on occasion and nginx serves the files as plain text and forces the browser to download them.

This is a huge security concern for me cause they can see the contents of my PHP files.

1. Is there any way to make it so files with the extension .php return a 403 forbidden status code if for some reason fastcgi isn't working?

2. I'm having the same issue with files that start with a dot showing up. I have a lot of files that start with a period like .module, .htpasswd, .settings, etc. that contain sensitive information that the user shouldn't be able to see/download.

I just want to return 403 errors for all these files.
Re: Block PHP source and hidden files
January 29, 2010 06:15AM
aliakbar Wrote:
-------------------------------------------------------
> php5-cgi crashes on occasion and nginx serves the
> files as plain text and forces the browser to
> download them.
>
> This is a huge security concern for me cause they
> can see the contents of my PHP files.

Use a process manager like php-fpm or supervisord which will restart php-cgi processes when (not if) they crash.

>
> 1. Is there anyway to make it so files with the
> extension .php return a 403 forbidden status code
> if for some reason fastcgi isn't working?

See above. If you have it configured that all files that end in .php are passed to a fastcgi backend and that fastcgi backend is dead, nginx should return a 502 (Bad Gateway), not the text of the file.

>
> 2. I'm having the same issue with files that start
> with a dot showing up. I have a lot of files that
> start with a period like .module, .htpasswd,
> .settings, etc. that contain sensitive information
> that the user shouldn't be able to see/download.
>
> I just want to return 403 errors for all these
> files.

[code]
# "~" is a case-sensitive regex match against the request URI;
# the leading slash means the match must start a path component.
location ~ /\.htpasswd {
    deny all;
}

location ~ /\.settings {
    deny all;
}

location ~ /\.module {
    deny all;
}
[/code]

--
Jim Ohlstein
Re: Block PHP source and hidden files
January 29, 2010 07:51AM
Oh, I'm REALLY sorry for wasting your time. It turns out my cached version of the page was set to serve it as a file; it does return a 502 error (phew!). I was really worried. I use Monit actually; does supervisord have any performance benefits over it? I didn't like PHP-FPM or spawn-fcgi because my scripts seemed to execute slower than when I just used a shell script to start and stop php5-cgi, which seems to be working fine and way more stable than spawn-fcgi. Also, I use Ubuntu and didn't want to compile PHP from source, though I did compile nginx from source so that I could always get the latest stable releases.

Thanks for the thing with the files that should be hidden, that helps a lot. I remember seeing that somewhere; don't know what I was thinking. I guess I wanted to just match all files that started with a . with one rule; would ^~ /\.+ work?

Next time I'll try and think through my questions better (and clear my site's file cache!) =P
Re: Block PHP source and hidden files
January 29, 2010 08:53AM
aliakbar Wrote:
-------------------------------------------------------
> Oh, I'm REALLY sorry for wasting your time it
> turns out my cached version of the page was set to
> serve it as a file it does return a 502 error
> (phew!) I was really worried.

That's what I figured. No worries.

> I use Monit actually
> does supervisord have any performance benefits
> over it?

It's an actual process manager and will see to it that you have the number of child processes, etc. I use Monit to make sure that supervisord is running (really paranoid).

>
> Thanks for the thing with the files that should be
> hidden that helps a lot I remember seeing that
> somewhere don't know what I was thinking, I guess
> I wanted to just match all files that started with
> a . with one rule would ^~ /\.+ work?

If they are not in the root directory, probably. If not, you may want to omit the forward slash, but then you will need more specific matches like above:

[code]
# Without the leading slash the regex matches the dot anywhere in the
# path, so the file name itself must be spelled out to stay specific.
location ~ \.htpasswd {
    deny all;
}

location ~ \.settings {
    deny all;
}

location ~ \.module {
    deny all;
}
[/code]

Otherwise anything with a dot in the name will match.

--
Jim Ohlstein
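To make the difference between the slash-anchored and unanchored patterns in this thread concrete, here is an added Python model of how nginx evaluates `location ~` and `location ^~` rules, run over constructed request URIs; it is not code from the thread, and the sample paths and rule labels are assumptions.

```python
import re

# Constructed request URIs standing in for the paths discussed in the thread:
# dotfiles in the web root and in subdirectories, plus ordinary content.
SAMPLE_URIS = [
    "/.htpasswd",
    "/.settings",
    "/.git/config",
    "/app/modules/node/.module",
    "/sites/all/modules/node.module",
    "/index.php",
    "/css/style.css",
    "/files/report.pdf",
]


def regex_location_matches(uri: str, patterns) -> bool:
    """Model of `location ~ <regex>`: an unanchored, case-sensitive search
    against the normalised $uri (nginx decodes %XX escapes and resolves
    ./.. segments before matching, so encoded dots do not slip past)."""
    return any(re.search(p, uri) for p in patterns)


def prefix_location_matches(uri: str, prefix: str) -> bool:
    """Model of `location ^~ <prefix>`: a literal prefix match, not a regex.
    `^~ /\\.+` would therefore only match URIs that literally begin with
    the four characters /\\.+ and would block nothing useful."""
    return uri.startswith(prefix)


def denied(patterns) -> set:
    """Which of the constructed URIs a `deny all` rule set would reject."""
    return {u for u in SAMPLE_URIS if regex_location_matches(u, patterns)}


if __name__ == "__main__":
    rules = {
        "per-file, slash-anchored (thread)": [r"/\.htpasswd", r"/\.settings", r"/\.module"],
        "per-file, no slash (thread)":       [r"\.htpasswd", r"\.settings", r"\.module"],
        "single catch-all  ~ /\\.":          [r"/\."],
        "bare dot  ~ \\. (too broad)":       [r"\."],
    }
    for name, pats in rules.items():
        print(f"{name}: denies {sorted(denied(pats))}")
    print("^~ /\\.+ denies:", [u for u in SAMPLE_URIS if prefix_location_matches(u, "/\\.+")])
```

The single `location ~ /\.` rule denies every dot-prefixed path component at any depth without touching `index.php` or `style.css`, which is the one-rule catch-all the question was reaching for.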