Develop Reference

prevent static files access with nginx

I have the following nginx.conf
problem
folder /legacy/app has some files that I don't want to be accessible,
I thought the following location redirects all requests to php:
location / { try_files $uri $uri/ /index.php?$query_string;}
but I can open files like site.com/php-fpm.conf for example which I want to avoid.
question
What would be the best solution to prevent opening such static files without having custom locations like
location ~ \.(md|conf)$ {deny all;}
nginx.conf
worker_processes 1;
daemon off;
worker_rlimit_nofile 8192;
pid /tmp/nginx.pid;
user nginx;
error_log stderr;
events {
worker_connections 4096;
}
http {
client_body_temp_path /tmp/client_body_temp_path;
proxy_temp_path /tmp/nginx-proxy-temp-path;
fastcgi_temp_path /tmp/fastcgi_temp_path;
include .nginx/mime.types;
include .nginx/proxy.conf;
include .nginx/fastcgi.conf;
index index.php;
log_format client_logs
'$remote_addr - $remote_user [$time_local] $status '
'"$request" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
default_type application/octet-stream;
tcp_nodelay on;
sendfile on;
tcp_nopush on;
server_names_hash_bucket_size 128;
keepalive_timeout 120;
port_in_redirect off; # Ensure that redirects don't include the internal container PORT - 8080
gzip on;
server {
server_name localhost;
listen 8080;
access_log /dev/stdout client_logs;
error_log /dev/stderr;
root /legacy/app;
index index.php;
error_page 500 502 503 504 /50x.html;
# do not list us in search engines
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
access_log off;
log_not_found off;
}
location ~ ^/(images|javascript|js|css|fonts|static|assets)/ {
root /legacy/app/;
expires 30d;
add_header Cache-Control public;
access_log off;
}
location ~ \.php$ {
root /legacy/app;
fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 600s;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
}
location / {
try_files $uri $uri/ /index.php?$query_string;
}
}
}

What try_files does is look for the file in the order you specify and the last argument is the fallback url.
So basically try_files $uri $uri/ /index.php?$query_string; looks for file $url and serves it if it exists. Then it looks for directory $url/ and serves it if it exists. If both the file and directory does not exist, it will fallback to the php file.
So if going by this approach you can try something like this:
location / {
try_files _ /index.php?$query_string;
}
This will look for a file with name _ which should not exist in your document root and will issue an internal redirect to index.php.
You can also set status code like this:
location / {
try_files _ =403;
}

Nginx slim framework keep pointing to the main index in root folder

I am trying to set the slimframework on nginx webserver. Below is my current settings. I am using the slim/slim-skeleton. Whenever I run e.g. http://myip/apiv1 it points to the index.php in /var/www/html. Even I run anything example http://myip/apiv1/token its the same as above. I tried changing the root /var/www/html/apiv1/public; to alias /var/www/html/apiv1/public; its the same. What else does nginx require any special settings.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server_tokens off;
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/blockuseragents.rules;
limit_conn_zone $binary_remote_addr zone=addr:5m;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
#root /usr/share/nginx/html;
root /var/www/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
try_files $uri $uri/ index.php?$query_string;
}
location /apiv1 {
root /var/www/html/apiv1/public;
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 444;
}
limit_conn addr 1;
}

nginx subdirectory - primary script unknown

I'm trying to figure out why I keep receiving a file not found.
I have a directory with multiple directories within that contain php files in them. I'm not sure how to configure my conf file to execute these files.
I get the following in the error log.
*133 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 172.17.8.1, server: 172.17.8.101, request: "GET /design_files/tmpls/podcastSilk/L4_index.php HTTP/1.1", upstream: "fastcgi://unix:/tmp/php-fpm.sock:", host: "172.17.8.101:8001"
The directory structure of the application is as follows
/tmplbuilder
/design_files
/tmpls
/Folder2
L4_index.php
/Folder1
L3_index.php
/public
index.php
Here is my nginx.conf file.
daemon off;
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;
pid /var/run/nginx.pid;
events {
worker_connections 2048;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
client_header_timeout 60;
send_timeout 160;
client_max_body_size 50M;
fastcgi_keep_conn off;
gzip on;
gzip_comp_level 2;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain application/x-javascript text/xml text/css application/xml;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
index index.php index.html index.htm ;
server {
listen 80;
server_name 172.17.8.101 192.168.254.96;
root /var/www/tmplbuilder;
#try_files $uri $uri/ /index.php$uri /index.php?$args;
location ~* \.(jpg|jpeg|gif|png|html|htm|css|zip|tgz|gz|rar|doc|xls|pdf|ppt|tar|wav|bmp|rtf|swf|flv|txt|xml|docx|xlsx|js)$ {
try_files $uri $uri/ public$uri public/index.php$uri =404;
access_log off;
expires 30d;
}
location /design_files/ {
root /var/www/tmplbuilder/design_files;
try_files $uri $uri/;
#root /var/www/tmplbuilder/design_files;
#autoindex on;
location ~* \.php$ {
#try_files $uri $uri/ $document_root$fastcgi_script_name;
fastcgi_pass unix:/tmp/php-fpm.sock;
include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(.*)$;
#fastcgi_index L4_index.php;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#return 200 $document_root$uri;
}
}
location /public/{
#return 200 $uri;
#alias /var/www/tmplbuilder/public;
root /var/www/tmplbuilder/public;
try_files $uri $uri/ /index.php index.php$uri$args;
# unless the request is for a valid file (image, js, css, etc.), send to bootstrap
if (!-e $request_filename)
{
rewrite ^/(.*)$ /public/index.php?/$1 last;
break;
}
location ~ \.php$ {
return 200 $uri;
fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
}
}
}
}
When I run return 200 $document_root$fastcgi_script_name. I get the appropriate path to the file in question. Is this the path nginx can't find? The permissions are 755 on the file.

Try matching the uri in regular expressions ($1) and then feed that as a script name to php-fpm.
location ~ ^(.*\.php)(.*)$ {
fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$1;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
}

nginx isn't loading (include additional-hosts/*.conf;) wont change directory? centos7

I'm fairly new to Linux and I'm having a little trouble setting up my web server... I am using LEMP with Varnish and phpMyAdmin. The server is running and I can access phpMyAdmin over https etc. Now I'm trying to setup Wordpress on another directory using the include /directory/*.conf; however it doesn't seem to load the file(s). It will only load the default directory set in nginx.conf
Here's my nginx.conf,
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/v-hosts/*.conf;
index index.php index.html index.htm;
server {
listen 127.0.0.1:8080;
root /usr/share/nginx/html;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location ~ \.php$ {
root /usr/share/nginx/html;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
}
location ~* ^/stolenmx.com/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { root /srv/www/;
}
location ~ \.php$ {
root /usr/share/nginx/html;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
}
}
server {
listen 443;
client_max_body_size 80M;
ssl on;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
location ~* ^/phpMyAdmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { root /usr/share/;
}
location ~ \.php$ {
root /usr/share/nginx/html;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
include fastcgi_params;
}
}
}
And here's my file i'm trying to load for wordpress,
server {
server_name stolenmx.com;
listen 8080;
access_log /var/log/nginx/stolenmx.com-access.log;
error_log /var/log/nginx/stolenmx.com-error.log;
root /srv/www/stolenmx.com;
location / {
index index.php;
}
# Disable favicon.ico logging
location = /favicon.ico {
log_not_found off;
access_log off;
}
# Allow robots and disable logging
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Enable permalink structures
if (!-e $request_filename) {
rewrite . /index.php last;
}
# Handle php requests
location ~ \.php$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /srv/www/stolenmx.com$fastcgi_script_name;
}
# Disable static content logging and set cache time to max
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
# Deny access to htaccess and htpasswd files
location ~ /\.ht {
deny all;
}
}
I have included this files directory in nginx.conf "include /etc/nginx/v-hosts/*.conf;" but for some reason it's not loading it and won't point the server_name to /srv/www/ ?
Does anyone have any suggestions as to why it won't load additional server.conf ?
I can drag the wordpress install into /usr/share/nginx/html and it works but then I can't have any more than one server. I think it's something to do with my nginx.conf but not sure what to change / add?
Regards Crafty

Before changes can affect you need to restart/reload your nginx, in CentOS it's done by running:
/etc/init.d/nginx restart
(If you are not root use sudo)
You are requiring that all your included files will be suffixed with '.conf', please make sure your file has this extension. Last thing, you configured your Wordpress server to listen on 8080, did you checked on this port?

Contents are not served with "Access denied" error in Nginx

I'm getting a Access denied message any time I try to access the WebServer through http://dev or http://devserver address. I don't know what is wrong on my Nginx config. Below is the config.php and default site configuration:
/etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
## Load virtual host conf files. ##
include /etc/nginx/sites-enabled/*;
}
This file has a symbolic link to /etc/nginx/sites-enabled so it's enabled:
/etc/nginx/sites-available/default
server {
listen 80 default;
listen [::]:80 default ipv6only=on;
# Make site accessible from http://localhost/ or server IP-address
server_name dev devserver;
server_name_in_redirect off;
charset utf-8;
root /var/www/html;
index index.php index.html index.htm;
location / {
# First attempt to serve request as file, then
# as directory, then trigger 404
try_files $uri $uri/ =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT /var/www/html;
# send bad requests to 404
fastcgi_intercept_errors on;
include fastcgi_params;
}
}
I'm on CentOS 6.6 with Nginx 1.6.2 and PHP 5.5.18 with PHP-FPM. Also I have SELinux disabled and the only thing I have there is Iptables. Other sites runs fine and by sites I mean any that points to the root directory, for example this one which is a Symfony2 project:
server {
server_name newsite.dev newsite.webvm newsite;
root /var/www/html/newsite.dev/web;
location / {
# try to serve file directly, fallback to app.php
try_files $uri /app.php$is_args$args;
}
location ~ ^/(app|app_dev|config)\.php(/|$) {
#fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
}
access_log /var/log/nginx/newsite.dev/access.log;
error_log /var/log/nginx/newsite.dev/error.log;
}
In that case calling http://newsite.dev or http://newsite.webvm or http://newsite I get the expected result, the site but the first is not working and I do not know what else to do, so any help or advice around the configuration and why contents are not served?