Nginx with PHP on Windows

So I am curious about the security impacts on a Windows server running
nginx and PHP,

and if you have the following php.ini setting disabled:
cgi.force_redirect = 0

I saw itpp2012 posted the following:
[PATH=s:/webroot/domain.nl]
open_basedir = s:/webroot/domain.nl
doc_root = s:/webroot/domain.nl
error_reporting = E_ALL & ~E_NOTICE
error_log = s:/logging/php/domain.nl.errors.log
upload_tmp_dir = s:/webroot/domain.nl/uploads
session.save_path = s:/webroot/domain.nl/sessions
upload_max_filesize = 32M
post_max_size = 8M
disable_functions = curl_exec,curl_multi_exec,dl,exec,parse_ini_file,passthru,popen,proc_open,proc_close,shell_exec,show_source,symlink,system

But in regard to specific settings, does anyone know what should and
should not be enabled or disabled for the best Nginx and PHP security on
Windows?

I Google and find so much to do with IIS, but there is nothing for Nginx
on Windows and PHP, so I am not sure if the same rules apply?

Posted at Nginx Forum:

Apart from those settings, jailing PHP just like nginx as we do with
'Install_nginx_php_services.zip' and following its advice about further
jailing, there is only one thing you could do, and that's create more
jailed PHP users, one for each instance, jailing them to their
environment (www.sitea.nl using a different jailed upstream than
www.siteb.nl).

Following these 'basic' recommendations, which are no different than what
you would do on Linux, I have yet to see anyone break through after
millions of attacks. Here on our clusters we see more than 1 million
attacks each month.

Stupid configurations, programming without thinking, and ignorance are of
course excluded.

Posted at Nginx Forum:

Thanks itpp2012. I am also curious whether there are any specific or
recommended naxsi firewall configs, or other things to use, besides the
default config you supply with your builds?

Posted at Nginx Forum:

A WAF, even the simple one we supply in /conf, is only a tool for an
application fool :) Both take some white-listing experience before it all
works, but also require more than basic knowledge to prevent legitimate
posts from getting blocked.

You might read through
https://groups.google.com/forum/#!forum/naxsi-discuss
and see Harry's posts about rule-set updates for naxsi.

One man's data is another man's code.

Posted at Nginx Forum:

Well yeah, you only need a WAF if your web application or server is
insecure in some way, but you also have to look at the extra benefit it
holds: if you are using public web-based apps such as Drupal, WordPress,
Joomla, ClipBucket or any kind of content management system, because they
are open source, when security exploits are found or arise it does help
block and slow down hackers until fixes or updates are made.

Posted at Nginx Forum:

Should I have cgi.force_redirect enabled or disabled with Nginx? Everywhere
I look sort of contradicts each other.

Some say have it enabled, some say have it disabled, and this site has two
separate security posts, one saying you should have it disabled and the
other saying enabled?

http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html

http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html

Posted at Nginx Forum:

It makes no difference, as this combo:

root '/path/';
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

open_basedir = '/path/'
doc_root = '/path/'

next to jailing, boxes everything in.

With location /…/ '.php' you fine-tune where the scripts that may be run
live.

I'd leave cgi.force_redirect commented, i.e. not set to anything at all.

Posted at Nginx Forum:
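A worked nginx server block, added here as an example and not taken from the thread or from itpp2012's build: it ties the root / SCRIPT_FILENAME pair from the last reply to the php.ini [PATH=s:/webroot/domain.nl] section quoted in the first post, gives the site its own FastCGI upstream as the "one jailed upstream per site" advice describes, and adds the checks a practitioner would want around it (no execution of uploads, no serving of session files, no path-info tricks). The paths follow the thread; the upstream name, the port 127.0.0.1:9001 and the hostnames are assumptions.

```nginx
# Added example (not from the thread or from itpp2012's build): one site,
# boxed into s:/webroot/domain.nl on both the nginx and the php.ini side.
# Assumed: upstream name php_domain_nl, php-cgi listening on 127.0.0.1:9001,
# hostnames domain.nl / www.domain.nl.

upstream php_domain_nl {
    # One php-cgi FastCGI instance per site, started under that site's own
    # jailed user. A second site (siteb) gets its own instance on another
    # port and its own [PATH=...] section in php.ini.
    server 127.0.0.1:9001;
}

server {
    listen 80;
    server_name domain.nl www.domain.nl;

    # $document_root for this site. SCRIPT_FILENAME below is built from it,
    # and php.ini's open_basedir / doc_root point at the same directory, so
    # nginx and PHP agree on where this site's files live.
    root 's:/webroot/domain.nl';
    index index.php index.html;

    # session.save_path and upload_tmp_dir from the php.ini section sit
    # under the document root. Session files must never be served at all,
    # and nothing in uploads/ may ever reach the interpreter.
    location ^~ /sessions/ {
        deny all;
    }
    location ~ ^/uploads/.*\.php$ {
        return 403;
    }

    # Dotfiles (.git, editor backups, leftover .htaccess) are not content.
    location ~ /\. {
        deny all;
    }

    # Only files that really exist under root and end in .php reach PHP.
    # try_files stops /image.png/evil.php style requests: the URI has to map
    # to an existing file, otherwise nginx answers 404 on its own and never
    # talks to the upstream.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php_domain_nl;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Regex locations are tried in the order they appear, so the uploads/ rule has to stay above the general `\.php$` rule; the `^~` prefix on /sessions/ wins over every regex regardless of order. The matching php.ini side is the `[PATH=s:/webroot/domain.nl]` section quoted earlier in the thread, with open_basedir and doc_root set to the same directory as `root` here.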