Hi Cyril,

Dňa Fri, 30 Sep 2011 22:59:35 +0200 Cyril Lavier
<[email protected]> napísal:

> > try this:
> >
> > location ~ \.php$ {
> >      try_files  $uri @404;
> >      ...
> > }
> >
> > location @404 {
> >      return 404;
> > }
> The thing I don't like is this configuration, it's everytime nginx will 
> access to a .php file, he will check it's availability on the disk, 
> which might be more slow than just checking the complete URL, and 
> checking if there's a .*/.*.php with a regex.

I am don't using the nginx for real sites, maybe you can do some
performance tests with and without this.

> But for the 404 error, you are right, it's the more logical and less 
> hint giving (with a 403, somebody might wonder why it's forbidden).
> 
> For the moment, there is no such warning in the sample configuration, 
> and I think it could be useful to have this kind of warning, and sample 
> for protection.
> 
> Even if a majority of websites giving howtos on Nginx + PHP doesn't talk 
> about this problem, it will be a protection for Debian packagers, 
> because if somebody opens a bug because his website was crushed due to 
> this security issue, we could answer there's a protection proposed in 
> the samples.

you are right, adding this (or some other solution) to default config is
good idea, but i cannot help more with this. IMHO, the best place to talk
the best solution are nginx's developers. Or mention more solutions in
README.Debian?

regards

-- 
Slavko
http://slavino.sk

Attachment: signature.asc
Description: PGP signature

Reply via email to