I want to use nginx for both Symfony2 sites and other software like phpMyAdmin.

I've read the nginx docs on setting up Symfony2 and came across this issue: http://www.webhostingtalk.com/showthread.php?p=6807475#post6807475

Can I just use security.limit_extensions=php and then use something like this safely?

location ~ \.php$ {
  ...
}

This blog seems to indicate this is a workaround for the security issue with file uploads: http://kaiwangchen.com/blog/2012/10/understand-the-cgi-fix_pathinfo-security-issue/

But most places with tutorials for setting up nginx recommend the old solutions of just restricting php to specific files. So I wasn't sure if this actually avoids the arbitrary code injection.

Or should I use try_files?

Matt

1 Answer


Use a combination of try_files and security.limit_extensions=php and simply make sure that the uploads folder you've created has absolutely no chance to execute any code. The last thing is the most important thing and the only thing that will keep you secure from this issue till the end of time.

Example:

/var/www/src      ->  execute PHP files
/var/www/uploads  ->  only accessible for static delivery
Fleshgrinder
  • That sounds reasonable. Ideally I want a simple nginx configuration that doesn't need to be customized too much for a different php application. Speaking of "make sure that the uploads folder you've created has absolutely no chance to execute any code", can you use the `x` part of the file permission to explicitly allow running only trusted files through the php interpreter? Can I configure php-fpm to only run scripts with the `x` permission? – Matt Oct 14 '13 at 22:17
  • PHP doesn't need the execute part because PHP files are not executed, they are parsed and executed by the PHP interpreter. You could use the `chdir` configuration in your php-fpm configuration or solve it with a user group combination. But remember that permissions will give you a headache as soon as you want to delete an upload. I'd solve it in the nginx configuration because that one can be complicated without hurting performance. – Fleshgrinder Oct 14 '13 at 22:28
  • If you need help with the configuration, say so, I could come up with something. Otherwise I hope that I was able to answer your question. :) – Fleshgrinder Oct 14 '13 at 23:18
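The layout the answer describes (PHP only under /var/www/src, /var/www/uploads served purely statically), written out as an nginx server block. This is an added example, not configuration from the question, the answer or the Symfony2 docs; the paths, server_name, socket path and front-controller names are assumptions for illustration. The weak location block that the question asks about is kept, commented out, beside the hardened form so the difference is visible:

```nginx
# Added example, not from the original thread.
# Assumed layout: /var/www/src holds the Symfony2 web root (app.php,
# app_dev.php, config.php); /var/www/uploads holds user-supplied files.
server {
    listen 80;
    server_name example.com;          # assumed
    root /var/www/src;
    index app.php;

    # Uploads: static delivery only. "^~" makes this prefix match win over
    # every regex location below, and nothing in here talks to php-fpm, so
    # /uploads/avatar.jpg/x.php is looked up as a static file (and 404s);
    # it is never handed to the interpreter, whatever cgi.fix_pathinfo says.
    location ^~ /uploads/ {
        root /var/www;                # maps /uploads/x to /var/www/uploads/x
        try_files $uri =404;
        # Belt and braces: refuse anything that even looks like a script.
        location ~ \.(php|phtml|phar)$ { return 403; }
    }

    # Front controller: anything that is not a real file goes to app.php.
    location / {
        try_files $uri /app.php$is_args$args;
    }

    # WEAK FORM (the block from the question, do not use): matches any URI
    # ending in .php and forwards the path verbatim. With cgi.fix_pathinfo=1
    # and no security.limit_extensions, /uploads/evil.jpg/x.php makes PHP
    # walk back to evil.jpg and execute it.
    #location ~ \.php$ {
    #    fastcgi_pass unix:/var/run/php5-fpm.sock;
    #    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    # HARDENED FORM: only the three known front controllers, anchored at the
    # web root, may reach php-fpm. nginx splits PATH_INFO itself and checks
    # that the script part exists on disk (the "if (!-f ...)" check is the
    # one from the nginx PHP FastCGI example; try_files is avoided here
    # because it resets $fastcgi_path_info).
    location ~ ^/(app|app_dev|config)\.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) { return 404; }
        fastcgi_pass unix:/var/run/php5-fpm.sock;   # assumed socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        include fastcgi_params;
    }

    # Any other *.php is not a front controller: never execute it.
    location ~ \.php$ { return 404; }
}

# php-fpm side (pool config / php.ini), belt and braces for the same issue:
#   cgi.fix_pathinfo = 0
#   security.limit_extensions = .php
```

The three layers are independent: the `^~ /uploads/` block keeps the upload tree out of php-fpm entirely, the anchored front-controller regex plus the `-f` check stops nginx from ever forwarding a path that is not a real script, and `security.limit_extensions` / `cgi.fix_pathinfo=0` make php-fpm refuse to execute anything but a real `.php` file even if the nginx side is misconfigured later. A quick check after reloading: `curl -i http://example.com/uploads/anything.jpg/x.php` must return 403 or 404 and never PHP output.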