I just read this
highlight a common security pitfall to serve PHP files.
I don’t see any similar advice in your PHP on Fast-CGI
pitfalls page http://wiki.nginx.org/Pitfalls.
On the last page, you tell about the problem in the Pass Non-PHP
to PHP section, you seem to point in the right direction in the Proxy
everything section, but not for the right reasons.
You tell people to use an ‘if’ to check for file existence, but the use of
‘try’ is much better, as you know it since you redirect to the IfIsEvil
The article I gave you reference to offers 5 different ways to secure the
server. The ‘try_files $uri =404;’ seems to be a nice way of preventing
non-PHP script from being executed, isn’t it?
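
The configuration under discussion, as an added example that is not part of the original post or of the wiki page. The server name, document root and PHP-FPM socket path are assumptions; the commented-out block is one possible shape of the ‘if’-based existence check, shown only for comparison.

```nginx
# Added example. server_name, root and the socket path are assumed values.
server {
    listen 80;
    server_name example.test;          # assumption
    root /var/www/html;                # assumption

    # Static files and directories are served by nginx itself;
    # anything that does not exist on disk gets a 404.
    location / {
        try_files $uri $uri/ =404;
    }

    # 'if'-based existence check (comparison only, left disabled):
    #
    # location ~ \.php$ {
    #     if (!-f $document_root$fastcgi_script_name) {
    #         return 404;
    #     }
    #     ...
    # }

    # try_files form: nginx confirms that the requested .php path is a
    # real file under $document_root before anything reaches PHP.
    # A URI that merely ends in ".php" but maps to no file on disk is
    # answered with 404 by nginx and never passed to the FastCGI backend.
    location ~ \.php$ {
        try_files $uri =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
    }
}
```

The `try_files` check reads nginx's own filesystem, so it only applies when nginx and the PHP backend see the same files; with PHP-FPM on a separate host the check has to be enforced on the PHP side instead.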