Improved nginx config to not expose other php files #6008
Closed
wants to merge 2 commits into from
14 changes: 10 additions & 4 deletions cookbook/configuration/web_server_configuration.rst
@@ -297,6 +297,12 @@ The **minimum configuration** to get your application running under Nginx is:
# Remove the internal directive to allow URIs like this
internal;
}

# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
location ~ \.php$ {
return 404;
}

error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
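Review bot: the catch-all ``location ~ \.php$ { return 404; }`` is correct only because nginx evaluates regex locations in the order they appear and takes the first match, so it has to stay below the front-controller ``location`` (the block ending in ``internal;`` directly above it); a one-line comment stating that ordering requirement would stop a later editor from moving the block up and turning every front-controller request into a 404. Also note that ``\.php$`` matches only URIs that end in ``.php``: a request like ``/other.php/extra`` falls through to the other locations instead, so if the front-controller blocks accept a trailing path after the script name, use the same suffix pattern here for consistent behaviour.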
@@ -310,10 +316,10 @@ The **minimum configuration** to get your application running under Nginx is:
.. tip::

This executes **only** ``app.php``, ``app_dev.php`` and ``config.php`` in
the web directory. All other files will be served as text. You **must**
also make sure that if you *do* deploy ``app_dev.php`` or ``config.php``
that these files are secured and not available to any outside user (the
IP address checking code at the top of each file does this by default).
the web directory. All other files will be denied. You **must** also make
Member:

All other files ending in .php will be denied.

sure that if you *do* deploy ``app_dev.php`` or ``config.php`` that these
files are secured and not available to any outside user (the IP address
checking code at the top of each file does this by default).
Member:

This last sentence no longer makes sense: if you do deploy ``app_dev.php`` or ``config.php``, a 404 is returned, so you don't have to secure it.

Contributor Author:

Still, the user should be aware of it... If he removes the config above, he will get the issue again.

Member:

Hmm, perhaps we should just talk about the end result to avoid.

  1. Move this out of a tip block - just make it an explanation
  2. Turn the following into a caution block.
.. caution::

    After you deploy to production, make sure that you **cannot** access the ``app_dev.php``
    or ``config.php`` scripts (i.e. ``http://example.com/app_dev.php`` and ``http://example.com/config.php``).
    If you *can* access these, be sure to remove the ``DEV`` section from the above configuration.

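The caution suggested above tells the reader to verify after deployment that ``app_dev.php`` and ``config.php`` cannot be reached. The script below is an added example, not code from this PR or from the Symfony documentation, that performs that check against a deployed host and also distinguishes the three outcomes the thread is arguing about: a 404 (nginx never handed the URI to PHP-FPM), a 403 (the script was executed and only its own IP check refused the request; the docs mention the check but not the status code, so treating 403 as "executed but refused" is an assumption), and a 2xx (the script answered, i.e. the DEV block is live in production). ``BASE_URL`` is a placeholder, and ``/phpinfo.php`` is a constructed stand-in for any stray script in the web directory.

```python
"""Post-deployment probe for a Symfony site behind the nginx config under
review. Added example, not part of the Symfony docs or this PR. Assumes the
catch-all ``location ~ \.php$ { return 404; }`` plus the ``internal`` front
controller, an app whose IP-checked dev scripts answer 403 when the check
fails (assumption), and BASE_URL as a placeholder for the deployed host."""
import urllib.error
import urllib.request

BASE_URL = "http://example.com"  # placeholder; replace with the deployed host

# URIs that must never execute PHP in production. /app.php and /app.php/...
# are blocked by the ``internal`` directive, the rest by the catch-all 404.
# /phpinfo.php is a constructed stand-in for any stray script in web/.
SENSITIVE_PATHS = [
    "/app_dev.php",
    "/config.php",
    "/app.php",
    "/app.php/some-path",
    "/phpinfo.php",
]


def http_status(url):
    """GET the URL and return its HTTP status; error responses carry theirs."""
    req = urllib.request.Request(url, headers={"User-Agent": "deploy-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map a status code to what it means for the config under review."""
    if status == 404:
        return "blocked"  # nginx refused before PHP-FPM saw the request
    if status == 403:
        return "executed-but-refused"  # script ran; only its IP check held
    if 200 <= status < 300:
        return "exposed"  # script ran and answered: DEV block is live
    return "unexpected"


def check_site(status_of, paths=SENSITIVE_PATHS):
    """status_of(path) -> int. Returns {path: verdict}; only "blocked" is an
    acceptable verdict on a production host."""
    return {path: classify(status_of(path)) for path in paths}


def failures(verdicts):
    """Sorted list of paths whose verdict is anything other than "blocked"."""
    return sorted(path for path, verdict in verdicts.items() if verdict != "blocked")


if __name__ == "__main__":
    results = check_site(lambda path: http_status(BASE_URL + path))
    for path, verdict in results.items():
        print(f"{path:24} {verdict}")
    raise SystemExit(1 if failures(results) else 0)
```

Run it against the production host after each deploy; a non-zero exit means at least one script is still reachable, and the verdict column tells you whether nginx blocked it or the PHP file itself was executed.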

If you have other PHP files in your web directory that need to be executed,
be sure to include them in the ``location`` block above.
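Review bot: the added tip text "All other files will be denied" overstates what the new ``location ~ \.php$ { return 404; }`` block does: only URIs ending in ``.php`` get a 404, while CSS, JavaScript and other static files in the web directory are still served as before, so say "All other ``.php`` files will return a 404" instead. The closing sentence "be sure to include them in the ``location`` block above" is now ambiguous because there are two blocks; name the front-controller ``location`` explicitly and state that any extra script must be added there, above the catch-all, rather than to the block that returns 404.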