Hi Cyril, Dňa Fri, 30 Sep 2011 22:59:35 +0200 Cyril Lavier <[email protected]> napísal:
> > try this:
> >
> > location ~ \.php$ {
> > try_files $uri @404;
> > ...
> > }
> >
> > location @404 {
> > return 404;
> > }
> The thing I don't like is this configuration, it's everytime nginx will
> access to a .php file, he will check it's availability on the disk,
> which might be more slow than just checking the complete URL, and
> checking if there's a .*/.*.php with a regex.
I am don't using the nginx for real sites, maybe you can do some
performance tests with and without this.
> But for the 404 error, you are right, it's the more logical and less
> hint giving (with a 403, somebody might wonder why it's forbidden).
>
> For the moment, there is no such warning in the sample configuration,
> and I think it could be useful to have this kind of warning, and sample
> for protection.
>
> Even if a majority of websites giving howtos on Nginx + PHP doesn't talk
> about this problem, it will be a protection for Debian packagers,
> because if somebody opens a bug because his website was crushed due to
> this security issue, we could answer there's a protection proposed in
> the samples.
you are right, adding this (or some other solution) to default config is
good idea, but i cannot help more with this. IMHO, the best place to talk
the best solution are nginx's developers. Or mention more solutions in
README.Debian?
regards
--
Slavko
http://slavino.sk
signature.asc
Description: PGP signature

