Allow index a folder, but don't serve files - nginx

I want to allow Nginx to autoindex a folder, but not serve the files.
In my app, the files are stocked in a protected-files folder and this folder isn't accessible for users. When a user calls a file (eg: my-website.com/files/my-great-files.pdf), in reality, he was redirected on a PHP script that verify if the user have the rights to call this file. I know how to do that, and it's ok.
But actually, I want use a JS plugin named jBrowse, and this program need to access to a lot of files, and to the index of a folder to have the files list in it.
And I don't know how to do this... Can we return a file index in PHP ?
Or an other idea, permit to Nginx to return the index of a folder with empty files. And when a user or the plugin want access to the file, he's redirect on the PHP script that control the rights.
I've mind this:
location /files {
autoindexon;
}
location ~* \.(doc|pdf)$ {
deny all;
}
This is ok, the user can navigate in the folder, see the files, but if he click on, he has an 403 error. But I can't replace the deny all, by a redirection to php...
This is my default.conf file:
server {
server_name project.dev;
root /home/docker/web;
location / {
# try to serve file directly, fallback to app.php
#try_files $uri /app.php$is_args$args;
try_files $uri /app_dev.php$is_args$args;
}
location /protected_files {
internal;
alias /home/docker/protected-files;
}
location /files {
autoindex on;
}
location ~* \.(doc|pdf)$ {
try_files $uri /app_dev.php$is_args$args;
}
# DEV
# This rule should only be placed on your development environment
# In production, don't include this and don't deploy app_dev.php or config.php
location ~ ^/(app_dev|config)\.php(/|$) {
fastcgi_pass engine:9000;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
# When you are using symlinks to link the document root to the
# current version of your application, you should pass the real
# application path instead of the path to the symlink to PHP
# FPM.
# Otherwise, PHP's OPcache may not properly detect changes to
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
# for more information).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
}
# PROD
location ~ ^/app\.php(/|$) {
fastcgi_pass engine:9000;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
# When you are using symlinks to link the document root to the
# current version of your application, you should pass the real
# application path instead of the path to the symlink to PHP
# FPM.
# Otherwise, PHP's OPcache may not properly detect changes to
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
# for more information).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
# Prevents URIs that include the front controller. This will 404:
# http://domain.tld/app.php/some-path
# Remove the internal directive to allow URIs like this
#internal;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}

You can replace the deny all with a rewrite directive to perform an internal redirect to your php handler.
location /files {
autoindex on;
}
location ~* ^/files.*\.(doc|pdf)$ {
rewrite ^ /app_dev.php last;
}
See this document for details.
EDIT: You may want to make your regex more specific so that only URIs beginning with /files and ending with .doc or .pdf match. Either change the regex (as above) or nest it within the location /files block, as follows:
location /files {
autoindex on;
location ~* \.(doc|pdf)$ {
rewrite ^ /app_dev.php last;
}
}

Related

Why is my site downloaded instead of running?

I'm trying to install Wordpress on a Ubuntu 18.04 on a subdomain. I set the Nginx files on sites-available, but I get a 502 error on browser because Wordpress is using a .php file type for the index, so I added "index.php" on the list in sites-available. Well after adding "index.php" on the list when I try to access the URL in browser it downloads a file named with the subdomain address.
Here's my code in sites-available
server {
listen 80;
listen [::]:80;
root /var/www/apt;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html index.php;
server_name apt.forrum.ro;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
}
Please let me know how to fix it.
This is simplified, basically Nginx uses the try_files directive to serve the file to user in the folder. This is why your php file is being sent to the user, it's then downloaded rather than shown as browsers don't really know how to show PHP to the user.
What you need to do is tell Nginx to run the file. In the case of PHP you can use FastCGI. There are many guides to doing this on ubuntu such as This One.
Once you have it installed, all the directives for FastCGI are described by Nginx themselves Here.
Their example is posted here:
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
# include the fastcgi_param setting
include fastcgi_params;
# SCRIPT_FILENAME parameter is used for PHP FPM determining
# the script name. If it is not set in fastcgi_params file,
# i.e. /etc/nginx/fastcgi_params or in the parent contexts,
# please comment off following line:
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

Nginx rewrite to prevent PHP file direct access

I'm trying to setup some rewrites so that
(1) .com/images/* will load naturally
(2) .com/* will be rewritten to .com/loader.php?control=*
However the code below works perfectly except it will execute .com/config.php instead of rewriting it to .com/loader.php?control=config.php
How can I prevent my rewrite being overridden? I only want .php files to be executed if it's loader.php or in the images folder. (Been trying for hours)
server {
listen 80;
root /mnt/web/test_com/public_html;
server_name test.com;
index index.html index.php index.htm;
location ~ .php(.*)$ {
fastcgi_pass unix:/tmp/php-70-cgi.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $DOCUMENT_ROOT$fastcgi_script_name;
fastcgi_param PATH_INFO $2;
include fcgi.conf;
}
location / {
rewrite ^/(.*)$ /loader.php?control=$1 last;
}
location /images/ {
}
}
Thanks!
You should look into the try_files directive
Like the return and rewrite directives, the try_files directive is placed in a server or location block. As parameters, it takes a list of one or more files and directories and a final URI
Read the whole blog-post written on the nginx blog here:
https://www.nginx.com/blog/creating-nginx-rewrite-rules/

Nginx load subpath as wordpress root

I'm trying to set up a Wordpress in a system that has another php application installed, using nginx as web server.
I've simplified my config file to the maximun. The following confi is serving one post of my blog:
server {
listen 80;
server_name blog.ct.com;
root /home/ff/www/blog/;
index index.php index.html;
location / {
try_files $uri $uri/ /index.php?$uri&$args =405;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_buffer_size 128k;
fastcgi_buffers 64 32k;
fastcgi_busy_buffers_size 128k;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param APPLICATION_ENV development;
fastcgi_param HTTP_X_FORWARDED_PROTO https;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
}
}
But, due my system's requirements I need to serve the blog from within a sub path (In my final system http://blog.ct.com/ should be serving my custom php app and http://blog.ct.com/vendor should be serving the wordpress blog).
The local root directory from wordpress must be /home/ff/www/blog/ (this cannot be changed, while my custom app's directory is /home/ff/www/myapp/). So I think I need to reserve location / for my custom app, I have to create a location /vendor
If I add /vendor and I return 403 in / (just to debug easier), the browser says 405 (notice the =405 in /vendor, also to debug easier):
location /vendor {
try_files $uri $uri/ /index.php?$uri&$args =405;
}
location / {
return 403;
}
So I think nginx is going into location /vendor but is not finding my php script in /home/ff/www/blog/index.php so its returning the fallback 405.
Any idea why this could happen?
How can I achieve to load http://blog.ct.com/vendor as the root from wordpress but keeping http://blog.ct.com/ using another php script?
I've found out the following hints that gave me the clue to fix the problem (in case someone has the same problem than me, this may help)
Using location /path is not the same as using location ~(/path) (regex have different priority, so maybe they are not being checked in the order you think)
Adding error_log /your/path/log/error.log debug; to any location block may help you to see how is nginx serving every request (e.g. to location fastcgi, location \vendor, or the server{ block).
alias /var/www/path/vendor works different than root /var/www/path/vendor (check Nginx -- static file serving confusion with root & alias);
In case of the root directive, full path is appended to the root including the location part, whereas in case of the alias directive, only the portion of the path NOT including the location part is appended to the alias.
using rewrite with alias can help you parse the php file you want independent of the path
if (!-f $request_filename) {
rewrite ^ $document_root/index-wp.php last;
}
Take care of the SCRIPT_FILENAME you are using (check it with error_log, see above), maybe you need fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; but you are loading fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; so depending on your previous config you may be attaching the document root twice.
Two different configurations for fastcgi can be used if you change your index.php file names. E.g. location ~ wp\.php$ { will work with wp.php while location ~ \.php$ { will work with all other php files like index.php.

Ubuntu Nginx - changing the server root directory

I really depends on changing the server root directory from /var/www to the /srv/http.
Because if I sue:
server {
server_name www.domain.tld;
root /srv/http/project/web;
location / {
# try to serve file directly, fallback to app.php
try_files $uri /app.php$is_args$args;
}
# DEV
# This rule should only be placed on your development environment
# In production, don't include this and don't deploy app_dev.php or config.php
location ~ ^/(app_dev|config)\.php(/|$) {
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
# When you are using symlinks to link the document root to the
# current version of your application, you should pass the real
# application path instead of the path to the symlink to PHP
# FPM.
# Otherwise, PHP's OPcache may not properly detect changes to
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
# for more information).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
}
# PROD
location ~ ^/app\.php(/|$) {
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
# When you are using symlinks to link the document root to the
# current version of your application, you should pass the real
# application path instead of the path to the symlink to PHP
# FPM.
# Otherwise, PHP's OPcache may not properly detect changes to
# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
# for more information).
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
# Prevents URIs that include the front controller. This will 404:
# http://domain.tld/app.php/some-path
# Remove the internal directive to allow URIs like this
internal;
}
# return 404 for all other php files not matching the front controller
# this prevents access to other php files you don't want to be accessible.
location ~ \.php$ {
return 404;
}
error_log /var/log/nginx/project_error.log;
access_log /var/log/nginx/project_access.log;
}
does not work.
The system is Ubuntu 16.04 and server Nginx.
Thanks in advance for your help.
First of all your root directory is /srv/http/project/web but not /var/www, and in order to change it to /srv/http, you got to find root /srv/http/project/web; in above configuration(which is third line of the same) and change it to root /srv/http;. -Thank You :)

Nginx: Setting a default file extension

What rule would I use for nginx so my default file extension is .php?
I currently access a pages using www.mywebsite.com/home.php but I want to just use www.mywebsite.com/home
Thanks
Assuming you also want to serve static files, you could use something like this:
server {
server_name example.com;
# Set the docroot directly in the server
root /var/www;
# Allow index.php or index.html as directory index files
index index.html index.php;
# See if a file or directory was requested first. If not, try the request as a php file.
location / {
try_files $uri $uri/ $uri.php?$args;
}
location ~ \.php$ {
# If the php file doesn't exist, don't pass the request to php, just return a 404
try_files $uri =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass your_php_backend_address;
}
}

Resources