On 09/30/2011 10:45 PM, Slavko wrote:
Hi,
Hi Slavko.
it must be misconfiguration, while for me:
Yes, exactly, the problem is resolved by changing the configuration of
nginx, to protect php files.
HEAD http://bridge.skk/netem.png
200 OK
Connection: close
Date: Fri, 30 Sep 2011 20:41:09 GMT
Accept-Ranges: bytes
Server: nginx/1.1.2
Content-Length: 38217
Content-Type: image/png
Last-Modified: Fri, 30 Sep 2011 20:39:05 GMT
Client-Date: Fri, 30 Sep 2011 20:41:11 GMT
Client-Peer: 192.168.0.20:80
Client-Response-Num: 1
HEAD http://bridge.skk/netem.png/daco.php
404 Not Found
Connection: close
Date: Fri, 30 Sep 2011 20:41:19 GMT
Server: nginx/1.1.2
Content-Length: 168
Content-Type: text/html
Client-Date: Fri, 30 Sep 2011 20:41:21 GMT
Client-Peer: 192.168.0.20:80
Client-Response-Num: 1
It means your server is already protected.
For me it returns a 403, but you are right, a 404 error is more logical.
try this:
location ~ \.php$ {
try_files $uri @404;
...
}
location @404 {
return 404;
}
The thing I don't like is this configuration, it's everytime nginx will
access to a .php file, he will check it's availability on the disk,
which might be more slow than just checking the complete URL, and
checking if there's a .*/.*.php with a regex.
But for the 404 error, you are right, it's the more logical and less
hint giving (with a 403, somebody might wonder why it's forbidden).
For the moment, there is no such warning in the sample configuration,
and I think it could be useful to have this kind of warning, and sample
for protection.
Even if a majority of websites giving howtos on Nginx + PHP doesn't talk
about this problem, it will be a protection for Debian packagers,
because if somebody opens a bug because his website was crushed due to
this security issue, we could answer there's a protection proposed in
the samples.
By the way, we can also discuss about which of the protection offers the
best security level and the less performance loss.
regards
Thank you.
--
Cyril "Davromaniak" Lavier
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]