Can't figure out secure PHP incantation for owncloud

Server NGINX
1

Hi, I’m using php-fpm to run an “owncloud” install. The application in
question is a bit icky in that it has PHP files spread across the
filesystem, uploadable data files in the htdocs root, all PHP files
default to writeable (erk) and there is extensive use of both path_info
and parameters. I’m struggling to figure out a a secure implementation
for the php execution which guarantees that the PHP files in question
exist and aren’t in the upload directory.

So example (expected) php URLs would be:

with path_info and params

(index|remote|public|status).php/some/long/path?possibly=withparams
(public|remote|index).php?some=params

scattered around the filesystem in various (limited) subdirs

(apps|search|core)/./..php?some=params

needing default index file (grr)

/?app=gallery&getfile=ajax%2Fthumbnail.php&filepath=blah

to return asset files (eek?)

/remote.php?core.css
/remote.php/core.css

I’m struggling to figure out how to use try_files to ensure that the php
file in question really exists, because it seems like using try_files
changes the URI and removes the path_info part?

(Also note that some asset files are returned by php scripts and we
desire to match those urls and set various expiry/cache times on them.)

At present I have:

fastcgi2.conf is a copy of fastcgi.conf with one change:
fastcgi_param REQUEST_URI $uri$is_args$args;

nginx config:

     server {
             listen 443;
             server_name cloud.example.com;

             ssl on;
             ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
             ssl_certificate_key

/etc/ssl/nginx/cloud.example.com.key;

             access_log /var/log/nginx/cloud.example.com.access_log

main;
error_log /var/log/nginx/cloud.example.com.error_log
info;

             root /var/www/$server_name/htdocs;

             client_max_body_size 1200M;
             fastcgi_buffers 64 4K;

             index index.php;

             location ~

^/(data|config|.ht|db_structure.xml|README) {
deny all;
}

             location / {
                     rewrite ^/.well-known/host-meta

/public.php?service=host-meta last;
rewrite ^/.well-known/carddav
/remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav
/remote.php/caldav/ redirect;

                     try_files $uri $uri/ index.php;
             }

             location ~ ^(?P<script_name>.+\.php)(/|$) {
                     fastcgi_split_path_info ^(.+\.php)(/.*)$;
                     if (!-f $script_name) {
                             #return 404;
                             break;
                     }
                     include fastcgi2.conf;
                     fastcgi_pass 127.0.0.1:9000;
             }

             location ~* ^.+.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$

{
expires 30d;
access_log off;
}

     }

Can anyone please help me do better with the php section? In particular
for some reason if I use “return 404” then the app breaks, seems like
the URL paths get messed up (why?), however, leaving it as is, then
missing files return a 403 response…

Thanks for any help (I guess it can go on the wiki once thrashed out?)

Ed W