A little assistance with nginx and php-fpm config

mikho Member, Host Rep
edited September 2012 in Help

I'm having some trouble after adding an IP check on a subdirectory.

        location ~ ^/info {
                allow 192.168.1.88/32; # To give one ip access
        ##      allow 192.168.1.0/24; # To give a whole network access
                deny all;
                include /etc/nginx/php.conf;
        }

The block works: only the dedicated IP can access this directory. The problem is that index.php gets downloaded.

This is the php.conf:

# Route all requests for non-existent files to index.php
location ~* / {
        try_files $uri $uri/ ~* /index.php$is_args$args;
}

# Pass PHP scripts to php-fastcgi listening on port 9000
location ~ \.php$ {

        # Zero-day exploit defense.
        # http://forum.nginx.org/read.php?2,88845,page=3
        # Won't work properly (404 error) if the file is not stored on
        # this server,  which is entirely possible with php-fpm/php-fcgi.
        # Comment the 'try_files' line out if you set up php-fpm/php-fcgi
        # on another machine.  And then cross your fingers that you won't get hacked.
        try_files $uri =404;

        include fastcgi_params;

        # Keep these parameters for compatibility with old PHP scripts using them.
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Some default config
        fastcgi_connect_timeout        20;
        fastcgi_send_timeout          180;
        fastcgi_read_timeout          180;
        fastcgi_buffer_size          128k;
        fastcgi_buffers            4 256k;
        fastcgi_busy_buffers_size    256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_intercept_errors    on;
        fastcgi_ignore_client_abort off;
        fastcgi_pass 127.0.0.1:9000;

}
# PHP search for file Exploit:
# The PHP regex location block fires instead of the try_files block. Therefore we need
# to add "try_files $uri =404;" to make sure that "/uploads/virusimage.jpg/hello.php"
# never executes the hidden php code inside virusimage.jpg because it can't find hello.php!
# The exploit also can be stopped by adding "cgi.fix_pathinfo = 0" in your php.ini file.

I had to change the first location path to the above to avoid an error when reloading/restarting nginx.
This config breaks it.

location  / {
        try_files $uri $uri/ /index.php$is_args$args;
}

So could anyone please give me some direction on what is wrong and what I need to do to get it to work.

Comments

  • Does this only happen to index.php, or any file originating with a .php in its name?

  • Garrett Member
    edited September 2012

    I'm no expert, but I think you need to put all the location blocks on the same level. The contents of your php.conf file are being ignored because they are included inside the "location ~ ^/info" block.

    I'd try moving the contents of the php.conf file into your main site config, either directly or with an include option, then putting the ip check location near the bottom, eg:

    include /etc/nginx/php.conf;
    location ~ ^/info {
            allow 192.168.1.88/32;
            deny all;
    }
    

    EDIT: Markdown, how does it work?!
    EDIT: Not like that :\
    Final edit: the long example http://pastebin.com/CTWqgh21

  • mikho Member, Host Rep

    @Wintereise
    I only have an index.php in that directory, but I will test with another .php file.

    @Garrett
    If you look at my config, the include part is within the location {}.
    The IP check part is working, but it lets me download .php files from that directory.

    Extra info: PHP files work in the root, using the same php.conf file (included from the site.conf file).

  • Could you paste the full site.conf?

  • mikho Member, Host Rep

    @Garrett said: Could you paste the full site.conf?

    /etc/nginx/sites-enabled/site-config.conf
    http://pastebin.com/p2D79tJj

    /etc/nginx/php.conf
    http://pastebin.com/PYkskVZd

  • mikho Member, Host Rep

    @Wintereise said: Does this only happen to index.php, or any file originating with a .php in its name?

    Tested now, and it happens to any .php file in that directory; HTML files are loaded correctly.

  • OK, did some testing; my old theory was wrong. You actually can nest location blocks inside each other.

    New theory: Maybe the php.conf location directives are being ignored because that ^ thing

    location ~ ^/info {
            allow 192.168.1.88/32;
            deny all;
    }
    

    tells nginx to stop processing location blocks?

    (I have no idea what I'm doing)

  • mikho Member, Host Rep

    @Garrett said: tells nginx to stop processing location blocks?

    If I understand the nginx documentation correctly, it will stop processing the conf file after it finds the first location block that "fits the criteria"... that's why an include is needed inside the location blocks.

  • telephone Member
    edited September 2012

    I'm not too sure on your setup, but this works on an old install of Minimal/Server (predecessor of Minstall).

    location ^~ /info/ {
            allow 192.168.1.88/32;
            deny all;
            location ~ \.php$ {
                    fastcgi_pass unix:/dev/shm/php-fastcgi.socket;
                    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                    include /etc/nginx/fastcgi_params;
                    try_files $uri =404;
            }
    }
    
  • mikho Member, Host Rep

    @telephone
    I'm trying to use include files instead of having a lot of places to update if something changes.

    Somewhere along the line I f*ked up royally and will reinstall and start over.

  • Try using

    location ^~ /info {

    Instead of

    location ~ ^/info {

    There's a difference in how nginx treats it.
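
The difference between `~ ^/info` and `^~ /info` is the whole thread, so here is a small Python model of the location-selection rules nginx documents, added as an illustration; it is my own code, not from anyone in this thread and not nginx itself. The rules modelled: among `=` and prefix locations the longest match is remembered and an `=` match ends the search; if that prefix was declared `^~` no regex is tried; otherwise `~` and `~*` locations are tested in configuration order and the first match wins; the same procedure then repeats inside the chosen block's nested locations. It runs three layouts from the thread through those rules: php.conf included inside `location ~ ^/info` (the original post), php.conf included at server level ahead of the IP-check block (Garrett's suggestion), and a `^~ /info/` prefix with the PHP block nested inside it (sleddog's modifier plus telephone's layout). The server-level ordering, the plain `location /` block and the handler labels are assumptions, since the full site.conf is only linked, not quoted.

```python
"""Model of nginx's location-selection algorithm, run over the layouts in this thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Location:
    modifier: str        # '', '=', '^~', '~' or '~*', as in the nginx syntax
    pattern: str         # prefix string or regex
    handler: str         # label for what the block does ('static' or 'php-fpm')
    acl: bool = False    # True if the block carries allow/deny directives
    nested: List["Location"] = field(default_factory=list)

    def matches(self, uri: str) -> bool:
        if self.modifier == "=":
            return uri == self.pattern
        if self.modifier in ("", "^~"):
            return uri.startswith(self.pattern)
        flags = re.IGNORECASE if self.modifier == "~*" else 0
        return re.search(self.pattern, uri, flags) is not None


def select(locations: List[Location], uri: str) -> List[Location]:
    """Return the chain of matched locations, outermost first ([] if nothing matches)."""
    best: Optional[Location] = None
    # Pass 1: exact and prefix locations; remember the longest prefix match.
    for loc in locations:
        if loc.modifier in ("", "^~", "=") and loc.matches(uri):
            if loc.modifier == "=":
                return [loc]                      # an exact match ends the search
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc
    chosen = best
    # Pass 2: regex locations in configuration order, skipped entirely when the
    # longest prefix match was declared with '^~'.
    if best is None or best.modifier != "^~":
        for loc in locations:
            if loc.modifier in ("~", "~*") and loc.matches(uri):
                chosen = loc
                break
    if chosen is None:
        return []
    return [chosen] + select(chosen.nested, uri)      # repeat inside the chosen block


def route(locations: List[Location], uri: str) -> Tuple[Optional[str], bool]:
    """(handler that finally serves the URI, whether any block in the chain applied allow/deny)."""
    chain = select(locations, uri)
    if not chain:
        return None, False
    return chain[-1].handler, any(loc.acl for loc in chain)


def php_block() -> Location:
    return Location("~", r"\.php$", "php-fpm")       # 'location ~ \.php$'


# Layout 1: php.conf included inside 'location ~ ^/info' (the original post).
ORIGINAL = [
    Location("", "/", "static"),                      # assumed server-level 'location /'
    Location("~", "^/info", "static", acl=True,
             nested=[Location("~*", "/", "static"), php_block()]),
    php_block(),
]

# Layout 2: php.conf at server level, ahead of the IP-check block.
REORDERED = [
    Location("", "/", "static"),
    php_block(),
    Location("~", "^/info", "static", acl=True),
]

# Layout 3: '^~ /info/' prefix with the PHP block nested inside it.
FIXED = [
    Location("", "/", "static"),
    Location("^~", "/info/", "static", acl=True, nested=[php_block()]),
    php_block(),
]

if __name__ == "__main__":
    for name, layout in (("original", ORIGINAL), ("reordered", REORDERED), ("fixed", FIXED)):
        for uri in ("/info/index.php", "/info/page.html", "/index.php"):
            handler, acl = route(layout, uri)
            print(f"{name:9} {uri:18} -> {str(handler):8} acl={'yes' if acl else 'no'}")
```

Run against the original layout, `/info/index.php` lands in the nested `~* /` block: regex locations are tried in order and `~* /` matches every URI, so the file is served statically, which is the download the thread reports. The reordered layout is worse, not better: `~ \.php$` at server level now wins for `/info/index.php` and the allow/deny block never runs, so the IP check is bypassed for exactly the files it was meant to protect. With `^~` the regex pass is skipped once the `/info/` prefix matches, so the ACL block is chosen no matter how the includes are ordered, and the nested `~ \.php$` still hands the script to PHP-FPM. Note that `^~ /info` without the trailing slash would also capture `/information.php` and anything else starting with that string.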

  • mikho Member, Host Rep
    edited September 2012

    @sleddog

    This is the result of that change:

    nginx: [emerg] location "\.php$" cannot be inside the exact location "^~/info" in /etc/nginx/php.conf:7
    nginx: configuration file /etc/nginx/nginx.conf test failed
    
  • sleddog Member
    edited September 2012

    Not sure why you're getting that. I have almost the identical configuration and it works fine.

    Try with a space, which is what I have: ^~ /info instead of ^~/info

  • mikho Member, Host Rep

    @sleddog
    Result with the space:

    [emerg] invalid number of arguments in "location" directive in
    

    I'm leaving this for a while, to clear my head... any more ideas and I will gladly test them.

  • Which version of nginx are you trying this on? I feel like that might be a core part of how location directives are treated.

    Because it doesn't act like this in any of our deployments, as apparent.

  • mikho Member, Host Rep

    nginx/1.2.4

  • @MikHo Check out these two blogs for good nginx info: http://kbeezie.com/

    Second one: http://michael.lustfield.net/category/linux/nginx

  • Weird, I have 1.2.4 running too, and my config more or less exactly looks like yours (Save for the allow/deny part)

    o_O;

  • mikho Member, Host Rep

    I used a version of a 'setup leb vps' script that I never used before; it could be something that's missing in that script.
    Will reinstall Debian (since it's a new VPS) and use minstall or something I've used before.

  • Nomad Member
    edited January 2015

    Mistake...
    Just delete my post.
    :D

  • matthewvz Member, Host Rep

    @Nomad said:
    Can you try changing this part:
    I'm not a hundred percent sure but... Give it a try.

    Necro thread much?
