Apr 8 2011

Securing PHP-FastCGI on Nginx

Via Hacker News. Setting up PHP-FastCGI and nginx? Don’t trust the tutorials: check your configuration! I have in fact written quite a few tutorials and published automated scripts that are vulnerable. It seems the easiest way to prevent this issue is to add a try_files statement (or an if (-f $request_filename) check for nginx versions below 0.7.27) to the location ~ \.php block, so that a request is only handed to FastCGI when the requested .php file really exists on disk. For example:

location ~ \.php$ { # For nginx -V >= 0.7.27
  # Only pass the request on if $uri maps to an existing file; otherwise answer 404
  try_files $uri =404;
  fastcgi_pass localhost:8080;
  ...
}
location ~ \.php$ { # For nginx -V < 0.7.27, i.e. Debian 5
  # Same check with the older if syntax: no fastcgi_pass unless the file exists
  if (-f $request_filename) {
    fastcgi_pass localhost:8080;
  }
  ...
}
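As an added example (not the post's own configuration), here is the try_files form as a complete location block, followed by a variant for path-info URLs such as /foo.php/bar/something (the case Frank asks about in the comments), which uses fastcgi_split_path_info, available since nginx 0.7.31, and checks only the script part of the path. The document root and the localhost:8080 backend are assumptions; use one of the two location blocks, not both, since they would overlap.

```nginx
# Assumed for this example: document root and FastCGI backend address.
root /var/www/example;

# Hardened form for plain .php URIs (nginx >= 0.7.27): only requests whose URI
# maps to an existing file reach FastCGI; anything else gets a 404 from nginx.
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass localhost:8080;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

# Variant for path-info URIs like /foo.php/bar/something (nginx >= 0.7.31).
# fastcgi_split_path_info splits the URI into the script ($fastcgi_script_name,
# here /foo.php) and the trailing path ($fastcgi_path_info, here /bar/something).
# The existence check is done on the script part only, with an if rather than
# try_files so that the captured path info is not lost before it is passed on.
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }
    fastcgi_pass localhost:8080;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
}
```

After reloading, a request for a non-existent .php path should now return 404 from nginx instead of being forwarded to the FastCGI backend.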

2 Comments

  1. Eddie on 13 Apr 2011 at 5:15 am

    Thank you for pointing this out, I updated my nginx.conf file yesterday. It just goes to show how comfortable we have grown with using tutorials / Google. :|

  2. Frank on 11 Jan 2012 at 8:47 pm

    Any solution for this problem that works with (legit!) URLs like:

    /foo.php/bar/something
