Fastcgi & index

I’ve found that if I don’t specify:

index index.html index.htm index.php;

in the server blocks where I use fastcgi, I can get a 403 due to the
forbidden directory index. I would have thought ‘fastcgi_index
index.php;’ would take care of that. If this is the expected
behavior, should the index directive be added to the fastcgi wiki?

http://wiki.nginx.org/HttpFastcgiModule

  • Grant

Hello!

On Wed, Feb 12, 2014 at 03:23:05PM -0800, Grant wrote:

I’ve found that if I don’t specify:

index index.html index.htm index.php;

in the server blocks where I use fastcgi, I can get a 403 due to the
forbidden directory index. I would have thought ‘fastcgi_index
index.php;’ would take care of that. If this is the expected
behavior, should the index directive be added to the fastcgi wiki?

This is the expected and documented behaviour.

The “fastcgi_index” directive is to instruct a fastcgi backend
which file to use if a request with an URI ending with “/” is
passed to the backend. That is, it makes sense in a configuration
like this:

location / {
    fastcgi_pass  localhost:9000;
    fastcgi_index index.php;
    include       fastcgi.conf;
}

It doesn’t make sense in configurations with only *.php file
passed to fastcgi backends though. E.g., in a configuration like
this it doesn’t make sense and should be removed:

location ~ \.php$ {
    fastcgi_pass  localhost:9000;
    # wrong: fastcgi_index doesn't make sense here
    fastcgi_index index.php;
    include       fastcgi.conf;
}

In this case, normal index processing applies. It is explained in
details in an introduction article here:

http://nginx.org/en/docs/http/request_processing.html#simple_php_site_configuration


Maxim D.
http://nginx.org/

This type of configuration is insecure since there’s no whitelisting of
the
PHP scripts to be processed.

----appa

No I mean the .php regex based one.

It’s just that it opens the door to a lot of problems by allowing all
.php
scripts to be
processed.

Furthermore it’s even mentioned on the wiki Pitfalls page:
http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP

----appa

It doesn’t make sense in configurations with only *.php file
passed to fastcgi backends though. E.g., in a configuration like
this it doesn’t make sense and should be removed:

location ~ \.php$ {
    fastcgi_pass  localhost:9000;
    # wrong: fastcgi_index doesn't make sense here
    fastcgi_index index.php;
    include       fastcgi.conf;
}

In that case, should it be removed from the example here:

http://wiki.nginx.org/PHPFcgiExample

  • Grant

Hello!

On Thu, Feb 13, 2014 at 02:09:34PM +0100, António P. P. Almeida wrote:

This type of configuration is insecure since there’s no whitelisting of the
PHP scripts to be processed.

You mean “location / { fastcgi_pass … }”? This type of
configuration assumes that any files under “/” are php scripts,
and it’s ok to execute them.

Obviously it won’t be secure if you allow utrusted parties to put
files there. But the problem is what you allow, not the
configuration per se.


Maxim D.
http://nginx.org/

Trivial and correct fix for the problem mentioned on the wiki is
to properly configure php, with cgi.fix_pathinfo=0.

I would also recommend not allowing php at all under the locations
where you allow untrusted parties to put files - or, rather, only
allow php under locations where are untrusted parties are not
allowed to put files, by properly isolating .php$ location.

But again, there is nothing wrong with the configuration per se.

Is the example from the wiki a good one to use?

location ~ [^/].php(/|$) {

http://wiki.nginx.org/PHPFcgiExample

  • Grant

Hello!

On Thu, Feb 13, 2014 at 02:47:35PM +0100, António P. P. Almeida wrote:

No I mean the .php regex based one.

So now you probably know why top-posting is discouraged. :wink:

It’s just that it opens the door to a lot of problems by allowing all .php
scripts to be
processed.

Furthermore it’s even mentioned on the wiki Pitfalls page:
http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP

Trivial and correct fix for the problem mentioned on the wiki is
to properly configure php, with cgi.fix_pathinfo=0.

I would also recommend not allowing php at all under the locations
where you allow untrusted parties to put files - or, rather, only
allow php under locations where are untrusted parties are not
allowed to put files, by properly isolating .php$ location.

But again, there is nothing wrong with the configuration per se.


Maxim D.
http://nginx.org/

Trivial and correct fix for the problem mentioned on the wiki is
to properly configure php, with cgi.fix_pathinfo=0.

I didn’t realize the PHP config should be changed for nginx. Are
there other important changes to make besides ‘cgi.fix_pathinfo=0’?

  • Grant

Hello!

On Thu, Feb 13, 2014 at 06:12:58AM -0800, Grant wrote:

In that case, should it be removed from the example here:

http://wiki.nginx.org/PHPFcgiExample

Yes, feel free to do so.


Maxim D.
http://nginx.org/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs