A little assistance with nginx and php-fpm config
I'm having some trouble after adding an IP check on a subdirectory.
location ~ ^/info {
    allow 192.168.1.88/32;   # To give one ip access
    ## allow 192.168.1.0/24; # To give a whole network access
    deny all;
    include /etc/nginx/php.conf;
}
The block works, only the dedicated IP can access this directory; the problem is that the index.php gets downloaded.
this is the php.conf
# Route all requests for non-existent files to index.php
location ~* / {
    try_files $uri $uri/ ~* /index.php$is_args$args;
}

# Pass PHP scripts to php-fastcgi listening on port 9000
location ~ \.php$ {
    # Zero-day exploit defense.
    # http://forum.nginx.org/read.php?2,88845,page=3
    # Won't work properly (404 error) if the file is not stored on
    # this server, which is entirely possible with php-fpm/php-fcgi.
    # Comment the 'try_files' line out if you set up php-fpm/php-fcgi
    # on another machine. And then cross your fingers that you won't get hacked.
    try_files $uri =404;

    include fastcgi_params;

    # Keep these parameters for compatibility with old PHP scripts using them.
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    # Some default config
    fastcgi_connect_timeout 20;
    fastcgi_send_timeout 180;
    fastcgi_read_timeout 180;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 256k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    fastcgi_intercept_errors on;
    fastcgi_ignore_client_abort off;
    fastcgi_pass 127.0.0.1:9000;
}

# PHP search for file Exploit:
# The PHP regex location block fires instead of the try_files block. Therefore we need
# to add "try_files $uri =404;" to make sure that "/uploads/virusimage.jpg/hello.php"
# never executes the hidden php code inside virusimage.jpg because it can't find hello.php!
# The exploit also can be stopped by adding "cgi.fix_pathinfo = 0" in your php.ini file.
I had to change the first location path to the above to avoid an error when reloading/restarting nginx.
This config breaks it.
location / { try_files $uri $uri/ /index.php$is_args$args; }
So could anyone please give me some direction on what is wrong and what I need to do to get it to work.
Comments
Does this only happen to index.php, or any file originating with a .php in its name?
I'm no expert, but I think you need to put all the location blocks on the same level. The contents of your php.conf file are being ignored because they are included inside the "location ~ ^/info" block.
I'd try moving the contents of the php.conf file into your main site config, either directly or with an include option, then putting the ip check location near the bottom, eg:
EDIT: Markdown, how does it work?!
EDIT: Not like that
Final edit: the long example http://pastebin.com/CTWqgh21
@Wintereise
I only have an index.php in that directory but I will test with another .php file
@Garret
If you look at my config, the include part is within the location {}
The ipcheck part is working but it lets me download .php files from that directory.
Extra info: php files work in the root, using the same php.conf file (included from site.conf file)
Could you paste the full site.conf?
/etc/nginx/sites-enabled/site-config.conf
http://pastebin.com/p2D79tJj
/etc/nginx/php.conf
http://pastebin.com/PYkskVZd
Tested now and it happens to any .php file in that directory; html files are loaded correctly.
OK, did some testing, my old theory was wrong, you actually can nest location blocks inside each other.
New theory: Maybe the php.conf location directives are being ignored because that ^ thing
tells nginx to stop processing location blocks?
(I have no idea what I'm doing)
If I understand the nginx documentation correctly it will stop processing the conf file after it finds the first location block that "fits the criteria"... that's why an include is needed inside the location blocks
I'm not too sure on your setup, but this works on an old install of Minimal/Server (predecessor of Minstall).
@telephone
I'm trying to use include files instead of having a lot of places to update if something changes.
somewhere along the line I f*ked up royally and will reinstall and start over.
Try using
location ^~ /info {
Instead of
location ~ ^/info {
There's a difference in how nginx treats it.
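The difference between `~ ^/info` and `^~ /info` comes from nginx's documented location selection order. The following is an added example, not part of the original thread: a simplified Python model of that order, run against constructed location lists (the real site.conf is only linked on the page, so the server-level layouts here are assumptions; the nested list mirrors the php.conf as posted).

```python
import re

# Simplified model of nginx location selection (assumption: one nesting
# level at a time; Python's `re` stands in for PCRE on these patterns).
# 1) an exact "=" match wins outright
# 2) the longest matching prefix is remembered; "^~" on it skips regexes
# 3) regex locations are tried in config order, first match wins
# 4) otherwise the remembered prefix location is used
def select_location(locations, uri):
    best = None  # longest matching prefix location seen so far
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)
    if best and best[0] == "^~":
        return best
    for mod, pat in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return (mod, pat)
    return best

# Constructed server-level layouts (hypothetical ordering).
SERVER_REGEX = [("", "/"), ("~", r"\.php$"), ("~", "^/info")]
SERVER_PREFIX = [("", "/"), ("~", r"\.php$"), ("^~", "/info")]
# Nested list as it appears in the posted php.conf, in file order.
PHP_CONF_NESTED = [("~*", "/"), ("~", r"\.php$")]

def demo():
    uri = "/info/index.php"
    return {
        # An earlier \.php$ regex takes the request: allow/deny never applies.
        "regex_info": select_location(SERVER_REGEX, uri),
        # ^~ /info wins before any regex is consulted.
        "prefix_info": select_location(SERVER_PREFIX, uri),
        # Inside the block, "~* /" is listed first and shadows \.php$,
        # so the request never reaches the fastcgi_pass location.
        "nested": select_location(PHP_CONF_NESTED, uri),
    }

if __name__ == "__main__":
    for name, chosen in demo().items():
        print(name, "->", chosen)
```

With `^~ /info` the server-level `\.php$` regex is no longer consulted for those URIs, so the PHP handling has to live inside that block.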
@sleddog
this is the result of that change:
Not sure why you're getting that. I have almost the identical configuration and it works fine.
Try with a space, which is what I have:
^~ /info
instead of ^~/info
@sleddog
result with the space ==
I'm leaving this for awhile, to clear my head.. any more ideas and I will gladly test them ..
Which version of nginx are you trying this on? I feel like that might be a core part of how location directives are treated.
Because it doesn't act like this in any of our deployments, as apparent.
nginx/1.2.4
@MikHo Check out these two blogs for good Nginx info: http://kbeezie.com/
Second one: http://michael.lustfield.net/category/linux/nginx
Weird, I have 1.2.4 running too, and my config more or less exactly looks like yours (Save for the allow/deny part)
o_O;
I used a version of a 'setup leb vps' script that I never used before, could be something that's missing in that script.
Will reinstall debian (since it's a new vps) and use minstall or something I've used before.
Mistake...
Just delete my post.
Necro thread much?