On 09/30/2011 10:45 PM, Slavko wrote:
Hi,

Hi Slavko.

it must be misconfiguration, while for me:
Yes, exactly, the problem is resolved by changing the configuration of nginx, to protect php files.
HEAD http://bridge.skk/netem.png
200 OK
Connection: close
Date: Fri, 30 Sep 2011 20:41:09 GMT
Accept-Ranges: bytes
Server: nginx/1.1.2
Content-Length: 38217
Content-Type: image/png
Last-Modified: Fri, 30 Sep 2011 20:39:05 GMT
Client-Date: Fri, 30 Sep 2011 20:41:11 GMT
Client-Peer: 192.168.0.20:80
Client-Response-Num: 1

HEAD http://bridge.skk/netem.png/daco.php
404 Not Found
Connection: close
Date: Fri, 30 Sep 2011 20:41:19 GMT
Server: nginx/1.1.2
Content-Length: 168
Content-Type: text/html
Client-Date: Fri, 30 Sep 2011 20:41:21 GMT
Client-Peer: 192.168.0.20:80
Client-Response-Num: 1
It means your server is already protected.

For me it returns a 403, but you are right, a 404 error is more logical.
try this:

location ~ \.php$ {
     try_files  $uri @404;
     ...
}

location @404 {
     return 404;
}
The thing I don't like is this configuration, it's everytime nginx will access to a .php file, he will check it's availability on the disk, which might be more slow than just checking the complete URL, and checking if there's a .*/.*.php with a regex.

But for the 404 error, you are right, it's the more logical and less hint giving (with a 403, somebody might wonder why it's forbidden).

For the moment, there is no such warning in the sample configuration, and I think it could be useful to have this kind of warning, and sample for protection.

Even if a majority of websites giving howtos on Nginx + PHP doesn't talk about this problem, it will be a protection for Debian packagers, because if somebody opens a bug because his website was crushed due to this security issue, we could answer there's a protection proposed in the samples.

By the way, we can also discuss about which of the protection offers the best security level and the less performance loss.
regards
Thank you.

--
Cyril "Davromaniak" Lavier




--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to