On the last page, you tell about the problem in the Pass Non-PHP Requests to PHP section, you seem to point in the right direction in the Proxy everything section, but not for the right reasons.
You tell people to use an ‘if’ to check for file existence, but the use of ‘try’ is much better, as you know it since you redirect to the IfIsEvil page.
The article I gave you reference to offers 5 different ways to secure the server. The ‘try_files $uri =404;’ seems to be a nice way of preventing non-PHP script from being executed, isn’t it?
Thanks,
I generally use the following template for serving PHP via FastCGI:
The ‘if’ statement causes 404 to be returned unless the requested file actually exists. Making sure that people can’t upload files ending in ‘.php’ is a separate matter, but I believe that this configuration takes care of the security issue described in your first link.
For the given example, nginx detects that the requested URI doesn’t refer to an actual PHP file, so nothing is passed to the interpreter.
Your use of the if switch is listed in the pitfalls page of nginx (http://wiki.nginx.org/Pitfalls, see the Check IF File Exists section) :o)
It is said you should use the try one!
My message was: is using the try switch with the ‘=404’ the right way? If yes, can someone add that to the nginx wiki?
It doesn’t matter whether you use if or try_files. If people would
actually read the if is evil page then it specifically states that “It
is important to note that the behaviour of if is not inconsistent, given
two identical requests it will not randomly fail on one and work on the
other, with proper testing and understanding ifs can be used.”
If you prefer if then use an if, if you prefer try_files then use a
try_files, there’s really no reason to agonize over this issue.
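For reference, the two variants the thread compares, written out as an added example (this is not the template either poster used). The web root, server name and PHP-FPM socket path are assumptions; the request path in the comments is constructed to show the case both variants are meant to catch.

```nginx
# Added example: returning 404 for any ".php" request whose target does not
# exist on disk, so nginx never hands a non-PHP file to the interpreter.
# Assumed: web root /var/www/html, PHP-FPM listening on /run/php-fpm.sock.
server {
    listen 80;
    server_name example.com;                 # placeholder host
    root /var/www/html;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # Variant 1: try_files (the form asked about in the thread).
    # A constructed request such as /uploads/avatar.jpg/x.php matches this
    # location, but no file by that name exists, so nginx answers 404 and
    # nothing is passed to PHP-FPM. Without this check the interpreter,
    # when cgi.fix_pathinfo=1, would walk the path back and run avatar.jpg.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }

    # Variant 2: the if form from the earlier reply. Equivalent here, since
    # the if block only returns a status and sets nothing else; it is the
    # kind of use the IfIsEvil page describes as safe. Enable one variant
    # only, never both.
    # location ~ \.php$ {
    #     if (!-f $request_filename) {
    #         return 404;
    #     }
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_pass unix:/run/php-fpm.sock;
    # }
}
```

Either variant answers the question in the thread: the file-existence check happens before `fastcgi_pass`, so only real `.php` files on disk reach the interpreter.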
Posted at Nginx Forum: