prevent static files access with nginx - nginx

I have the following nginx.conf
problem
folder /legacy/app has some files that I don't want to be accessible,
I thought the following location redirects all requests to php:
location / { try_files $uri $uri/ /index.php?$query_string;}
but I can open files like site.com/php-fpm.conf for example which I want to avoid.
question
What would be the best solution to prevent opening such static files without having custom locations like
location ~ \.(md|conf)$ {deny all;}
nginx.conf
worker_processes 1;
daemon off;
worker_rlimit_nofile 8192;
pid /tmp/nginx.pid;
user nginx;
error_log stderr;
events {
worker_connections 4096;
}
http {
client_body_temp_path /tmp/client_body_temp_path;
proxy_temp_path /tmp/nginx-proxy-temp-path;
fastcgi_temp_path /tmp/fastcgi_temp_path;
include .nginx/mime.types;
include .nginx/proxy.conf;
include .nginx/fastcgi.conf;
index index.php;
log_format client_logs
'$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
default_type application/octet-stream;
tcp_nodelay on;
sendfile on;
tcp_nopush on;
server_names_hash_bucket_size 128;
keepalive_timeout 120;
port_in_redirect off; # Ensure that redirects don't include the internal container PORT - 8080
gzip on;
server {
server_name localhost;
listen 8080;
access_log /dev/stdout client_logs;
error_log /dev/stderr;
root /legacy/app;
index index.php;
error_page 500 502 503 504 /50x.html;
# do not list us in search engines
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
access_log off;
log_not_found off;
}
location ~ ^/(images|javascript|js|css|fonts|static|assets)/ {
root /legacy/app/;
expires 30d;
add_header Cache-Control public;
access_log off;
}
# Hand every URI that ends in ".php" to PHP-FPM listening on 127.0.0.1:9000.
# NOTE(review): this applies to any .php file under root, not only index.php,
# and nothing in this block checks that the file exists before the request
# reaches PHP-FPM. `try_files $uri =404;` is the usual guard; confirm whether
# the included .nginx/fastcgi.conf already provides one.
location ~ \.php$ {
root /legacy/app;
fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 600s;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
# Catch-all for URIs that no other location in this server block claims.
# try_files checks $uri first, so any file that exists under root (/legacy/app)
# is returned as static content; only when neither the file nor the directory
# exists does the request fall through to /index.php.
location / {
try_files $uri $uri/ /index.php?$query_string;
}
}
}

What try_files does is look for the files in the order you specify; the last argument is the fallback URI.
So try_files $uri $uri/ /index.php?$query_string; looks for the file $uri and serves it if it exists. Then it looks for the directory $uri/ and serves it if it exists. If neither the file nor the directory exists, it falls back to the PHP file.
So if going by this approach you can try something like this:
# "_" is a placeholder file name that is not expected to exist under root, so
# try_files always falls through to the internal redirect to /index.php.
# Regex locations in the same server block (in the question's config: the
# static-asset one and the \.php$ one) are still matched in preference to this
# prefix location, so the files they cover stay reachable.
location / {
try_files _ /index.php?$query_string;
}
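This will look for a file named _, which should not exist in your document root, and will then issue an internal redirect to index.php. Files that must never be served, such as php-fpm.conf, are safer kept outside the document root altogether, so that no location can reach them.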
You can also set status code like this:
# Same placeholder trick, but the fallback is a status code: every request
# handled by this location is answered with 403 instead of reaching index.php.
location / {
try_files _ =403;
}

Related

Nginx slim framework keep pointing to the main index in root folder

I am trying to set the slimframework on nginx webserver. Below is my current settings. I am using the slim/slim-skeleton. Whenever I run e.g. http://myip/apiv1 it points to the index.php in /var/www/html. Even I run anything example http://myip/apiv1/token its the same as above. I tried changing the root /var/www/html/apiv1/public; to alias /var/www/html/apiv1/public; its the same. What else does nginx require any special settings.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server_tokens off;
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/blockuseragents.rules;
limit_conn_zone $binary_remote_addr zone=addr:5m;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
#root /usr/share/nginx/html;
root /var/www/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
try_files $uri $uri/ index.php?$query_string;
}
# NOTE(review): with `root`, the file path is root + full URI, so /apiv1/token
# is looked up as /var/www/html/apiv1/public/apiv1/token. The fallback
# /index.php is an internal redirect that is matched again from scratch and
# lands in the `location ~ \.php` block, which has no root of its own and so
# uses the server-level root /var/www/html.
location /apiv1 {
root /var/www/html/apiv1/public;
try_files $uri $uri/ /index.php$is_args$args;
}
# Pass PHP requests to PHP-FPM on 127.0.0.1:9000.
# NOTE(review): the regex is not anchored with `$`, so it matches any URI that
# contains ".php" anywhere (for example /a.php.bak); `\.php$` or `\.php(/|$)`
# is the tighter form.
location ~ \.php {
# Answer 404 unless the requested URI exists as a file under the document root.
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 444;
}
limit_conn addr 1;
}

nginx isn't loading (include additional-hosts/*.conf;) wont change directory? centos7

I'm fairly new to Linux and I'm having a little trouble setting up my web server... I am using LEMP with Varnish and phpMyAdmin. The server is running and I can access phpMyAdmin over https etc. Now I'm trying to setup Wordpress on another directory using the include /directory/*.conf; however it doesn't seem to load the file(s). It will only load the default directory set in nginx.conf
Here's my nginx.conf,
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/v-hosts/*.conf;
index index.php index.html index.htm;
server {
listen 127.0.0.1:8080;
root /usr/share/nginx/html;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location ~ \.php$ {
root /usr/share/nginx/html;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
}
location ~* ^/stolenmx.com/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { root /srv/www/;
}
location ~ \.php$ {
root /usr/share/nginx/html;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
}
}
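# HTTPS virtual host: serves /usr/share/nginx/html, phpMyAdmin static assets
# from /usr/share/, and PHP through the php-fpm unix socket.
server {
    # `ssl` on the listen directive replaces the deprecated `ssl on;`.
    listen 443 ssl;
    client_max_body_size 80M;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    # SSLv2, SSLv3 and TLSv1 are obsolete and have known protocol-level
    # weaknesses, so only TLSv1.2 is offered here. Add TLSv1.3 where the
    # installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    # NOTE(review): nothing in this server block limits who may reach
    # phpMyAdmin; consider allow/deny or auth_basic if this listener is public.
    location ~* ^/phpMyAdmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
    # Hand URIs ending in ".php" to PHP-FPM over its unix socket.
    location ~ \.php$ {
        root /usr/share/nginx/html;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        include fastcgi_params;
    }
}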
}
And here's my file i'm trying to load for wordpress,
server {
server_name stolenmx.com;
listen 8080;
access_log /var/log/nginx/stolenmx.com-access.log;
error_log /var/log/nginx/stolenmx.com-error.log;
root /srv/www/stolenmx.com;
location / {
index index.php;
}
# Disable favicon.ico logging
location = /favicon.ico {
log_not_found off;
access_log off;
}
# Allow robots and disable logging
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Enable permalink structures
if (!-e $request_filename) {
rewrite . /index.php last;
}
# Handle php requests
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /srv/www/stolenmx.com$fastcgi_script_name;
}
# Disable static content logging and set cache time to max
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
# Deny access to htaccess and htpasswd files
location ~ /\.ht {
deny all;
}
}
I have included this files directory in nginx.conf "include /etc/nginx/v-hosts/*.conf;" but for some reason it's not loading it and won't point the server_name to /srv/www/ ?
Does anyone have any suggestions as to why it won't load additional server.conf ?
I can drag the wordpress install into /usr/share/nginx/html and it works but then I can't have any more than one server. I think it's something to do with my nginx.conf but not sure what to change / add?
Regards Crafty
Before the changes can take effect you need to restart/reload nginx; on CentOS this is done by running:
/etc/init.d/nginx restart
(If you are not root use sudo)
Your include requires that all included files be suffixed with '.conf'; please make sure your file has this extension. Last thing: you configured your WordPress server to listen on 8080 — did you check on this port?

wordpress nginx config wont let me open pages using ?page_id=

I am trying to configure wordpress and came to the step when i want to use sample or my own pages. Unfortunately it seems like i didnt configure nginx correctly but i just cant seem to find howto. Either its an old or irrelevant to my version of nginx(1.2.1-2.2+wheezy2) or just incomplete. Can somebody provide a sample nginx wordpress config or just tell me which of the following is most correct to get it working?
location /wordpress {
try_files $uri $uri/ /etc/wordpress/index.php?$args;
}
or
location /wp/wp-content/ {
alias /usr/share/wordpress/wp-content/;
autoindex on;
allow 127.0.0.1;
allow ::1;
deny all;
}
or something else?
Here is the nginx conf file I am using on my local mac for local development in case it helps:
user matt staff;
worker_processes 4;
events {
worker_connections 768;
}
http {
client_max_body_size 100M;
include mime.types;
types_hash_max_size 2048;
default_type text/plain;
server_tokens off;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
index index.html index.php;
log_format main '[$time_local]: $domain - "$request" '
'status:$status bytes:$body_bytes_sent "$http_referer" ';
access_log /Users/matt/Library/Logs/nginx/access.log main;
error_log /Users/matt/Library/Logs/nginx/error.log;
upstream www-upstream-pool {
server unix:/var/run/php5-fpm.sock;
}
server {
listen 80;
server_name ~^(?:(?<subdomain>\w*)\.)?(?<domain>\w+)\.wp$;
set $basepath "/Users/matt/pls-sites";
set $rootpath "${domain}";
if ($domain ~ 'wordpress'){
set $rootpath "wordpress/httpdocs/web";
}
root $basepath/$rootpath;
index index.php index.html index.htm;
location / {
try_files $uri $uri/ /index.php?$args; # /index.html;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
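# Hand requests whose URI ends in ".php" to the PHP-FPM upstream pool.
# The dots are escaped so both patterns match a literal ".php" rather than
# any character followed by "php".
location ~ \.php$ {
    # Only pass scripts that exist under the document root to PHP-FPM.
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass www-upstream-pool;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_read_timeout 300;
}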
}
}

Nginx rewrite assistance request

To make a long story short, I have an osCommerce installation that has been running on an Apache server for years using osCommerce's "Search Engine Friendly links" so that the links look like product_info.php/products_id/26 instead of product_info.php?products_id=26.
Well, now I've moved to an Nginx server with PHP5 and the Search Engine Friendly links just won't work for me now. BUT I have links all across the web pointing to my shop using the "friendly" links, so I have to figure out a way to redirect any url that is like this:
product_info.php/products_id/26
into this
product_info.php?products_id=26
and
index.php/cPath/19
into
index.php?cPath=19
and
product_info.php/cPath/19/products_id/207
into
product_info.php?cPath=19&products_id=207
Anyone good with Nginx rewrite rules, or who knows how to make the osCommerce built-in SEO urls work with Nginx? The osCommerce urls don't require any htaccess rewrite rules; it looks like it's all taken care of using PHP code.
nginx.conf:
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
server_names_hash_bucket_size 10240;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-available/*.vhost;
}
site.com.vhost:
server {
listen *:80;
server_name site.com www.site.com;
root /var/www/clients/client23/web5/web;
index index.php index.html index.htm;
#location ~ \.shtml$ {
# ssi on;
#}
error_log /var/log/ispconfig/httpd/site.com/error.log;
access_log /var/log/ispconfig/httpd/site.com/access.log combined;
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location /stats {
index index.html index.php;
auth_basic "Members Only";
auth_basic_user_file /var/www/clients/client23/web5/web/stats/.htpasswd_stats;
}
location ^~ /awstats-icon {
alias /usr/share/awstats/icon;
}
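# Route every URI ending in ".php" through the named location @php.
location ~ \.php$ {
    # The .htm name is a placeholder that is not expected to exist, so
    # try_files always falls through to @php.
    try_files /5lbe4fd76b7f89.htm @php;
}
# Named locations start with "@". Written as "#php", the name would be read
# as a comment and the try_files directive above would be left unterminated.
location @php {
    # Answer 404 unless the script exists under the document root.
    try_files $uri =404;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/lib/php5-fpm/web2.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_intercept_errors on;
}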
# Static Contents
location ~* ^.+.(jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off;
log_not_found off;
expires 1y;
}
# CSS and JS
location ~* ^.+.(css|js)$ {
access_log off;
log_not_found off;
}
server_tokens off;
error_page 400 /400.php;
error_page 401 /401.php;
error_page 403 /403.php;
error_page 404 /404.php;
error_page 405 /405.php;
error_page 500 /500.php;
error_page 502 /502.php;
error_page 503 /503.php;
recursive_error_pages off;
fastcgi_intercept_errors on;
# Inaccessible locations
location ~ ^/includes/.*\.php$ { return 404; }
location ~ ^/administrator/includes/.*\.php$ { return 404; }
location ^~ /administrator/backups { return 404; }
location ^~ /download { return 404; }
location ^~ /cgi-bin { return 404; }
location ^~ /mail { return 404; }
location ^~ /pub { return 404; }
location ^~ /sql { return 404; }
location ^~ /temp { return 404; }
location ~ /\. { deny all; access_log off; log_not_found off; }
location ~ \.(tpl|log|sql)$ {deny all; access_log off; log_not_found off; }
location / {
#if (!-e $request_filename) { rewrite ^(.*)$ /index.php; }
fastcgi_pass unix:/var/lib/php5-fpm/web2.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
rewrite ^/(.*)-(.*).html$ /index.php?cPath=$2&$query_string;
rewrite ^/(.*)-m-([0-9]+).html$ /index.php?manufacturers_id=$2&$query_string;
rewrite ^/(.*)-pi-([0-9]+).html$ /popup_image.php?pID=$2&$query_string;
rewrite ^/(.*)-t-([0-9]+).html$ /articles.php?tPath=$2&$query_string;
rewrite ^/(.*)-a-([0-9]+).html$ /article_info.php?articles_id=$2&$query_string;
rewrite ^/(.*)-pr-([0-9]+).html$ /product_reviews.php?products_id=$2&$query_string;
rewrite ^/(.*)-pri-([0-9]+).html$ /product_reviews_info.php?products_id=$2&$query_string;
rewrite ^/(.*)-i-([0-9]+).html$ /information.php?info_id=$2&$query_string;
}
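# Require HTTP basic authentication for everything under /administrator/.
location /administrator/ {
    auth_basic "Members Only";
    auth_basic_user_file /var/www/clients/client23/web5/web/administrator/.htpasswd;
    location ~ \.php$ {
        # The .htm name is a placeholder that is not expected to exist, so
        # the request falls through to the server's named location @php.
        # Written as "#php", the target would be read as a comment.
        try_files /wj70wjksdkj2jiejlsjdslj.htm @php;
    }
}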
}
Here we go:
rewrite "^/product_info.php/products_id/(\d+)" /product_info.php?products_id=$1 permanent;
rewrite "^/index.php/cPath/(\d+)" /index.php?cPath=$1 permanent;
rewrite "^/product_info.php/cPath/(\d+)/products_id/(\d+)" /product_info.php?cPath=$1&products_id=$2 permanent;

Can't open index.php by default with nginx

What's wrong with my server definition? If I try to access to "www.testing.com" I get a binary to download instead of the index.php, instead if I try to access to "testing.com" I get the index.php.
I already tried to set servername to:
servername testing.com;
servername testing.com www.testing.com;
servername testing.com www.testing.com *.testing.com;
Same behavior: I can't get index.php with "www.testing.com", just with "testing.com".
(Of course, testing.com is not mine; it is just an example.)
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type text/plain;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
fastcgi_intercept_errors on;
sendfile on;
keepalive_timeout 65;
gzip on;
index index.php index.html index.htm;
server {
listen 80;
server_name www.testing.com;
root /home/vhosts/testing;
location / {
try_files $uri $uri/ /index.php index.php;
}
location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
expires max;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location ~* \.php$ {
try_files $uri =404;
include fastcgi.conf;
fastcgi_pass 127.0.0.1:9000;
}
}
}
First, check your php-fpm settings (maybe you are using a socket connection instead of a port in your php-fpm configuration), and add a default index in your location "/":
location / {
index index.php index.html index.htm;
try_files $uri $uri/ =404;
}
Add fastcgi_index index.php; in location ~* \.php$:
location ~* \.php$ {
try_files $uri =404;
include fastcgi.conf;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
}
This one worked for me:
location = / {
index index.php index.html index.htm;
try_files $uri /index.html;
}
The whole location config with proxy is:
location = / {
index index.php index.html index.htm;
try_files $uri /index.html;
proxy_pass http://localhost:8081;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
Check that fpm is running on 127.0.0.1:9000
location ~ \.php$ {
try_files $uri =404;
include fastcgi.conf;
fastcgi_pass 127.0.0.1:9000;
}
also log error and check:
error_log /var/log/nginx/error.log debug;
For a sample configuration check:
https://github.com/rtCamp/easyengine/blob/master/conf/nginx/singlesite/basic.conf
You can have more than one servername line, it will set up a VHOST on all of them.
