0

I got an idea for to write a simple script to create an Nginx config file based on a set of files that would be allowed to be run. In my case they would be .php files from an application. The script would simply create an Nginx config entry for every single .php file in a directory, where the .php files would be.

In my view specifying every single application file would prohibit unauthorized execution, and when the application in question is run very simply from said php files, it should be easy to implement in an Nginx config. Perhaps the script could also be able understand to set general ratelimits for user accessible php files and files that would never need to be seen by the user.

Thus how I see an ideal script, it would create config based on at least these properties:

  • executable name, .php, .py, .pl etc
  • folders not required to be directly accessible (but still create config based on every file in these folders)
  • ratelimits per folder, or at least for the user facing files

I am asking the question in order to gather evidence for going further, and also since I couldn't readily find a script that would be directed at such config creation for nginx. (Maybe just because it is so easy to write..). Ultimately the goal is extra security, and thus I'm also seeking opinions on how such configuration of Nginx would affect it, and if it is a good idea at all.

rkantos
  • 101
  • 1
  • 3

1 Answers1

1

A web service is usually a public service. Everything (every file) you store within your web root folder or any sub folder of your web root folder is public. You can define exceptions of this behavior in your web server configuration.

To protect files, scripts and folders from public access I recommend to store them not in or below of your web root folder.

Following these generic rules is a good approach in getting a secure web server or web application server.

To be more specific regarding your case I would recommend to store (as Michael Hampton already mentioned) only your index.php (and all required images and public JavaScripts) in your web root folder.

All the PHP classes you will need to provide your API or application should be stored apart from your web root folder as well as your Composer files (usually stored in the folder "vendor").

Example structure:

/project_root
  /htdocs (web root folder)
    index.php
    favicon.ico
    robots.txt
    /images
      logo.png
      background.png
    /javascript
      script.js
  /src
    /php
      /api
        /controller
          /overview
            get.php
          /login
            get.php
            put.php
            delete.php
            post.php
    /javascript
      base.js
      /reload
        plugin.js
  /vendor
    autoload.php

For above example following Nginx config would provide your application:

server {

  ...

  # take care to deliver public static content if file exists
  # or execute /index.php if not
  location / {
    try_files $uri /index.php;
  }

  ...

  # do not execute /index.php if requested image or JavaScript does not exists
  location ~ ^/(images|javascript)/ {
    try_files $uri =404;
  }

  ...

  # execute PHP files
  location ~ \.php$ {
    try_files            $uri /index.php;
    include              fastcgi_params;
    fastcgi_keep_conn    on;
    fastcgi_pass         unix:/run/php/php7.2-fpm.sock;
    fastcgi_param        SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param        SCRIPT_NAME     $fastcgi_script_name;
  }
}
Jens Bradler
  • 6,503
  • 2
  • 17
  • 13