0

My nginx server block

server {
listen     80;
root /var/www/html/blog;
index index.php index.html index.htm;

server running wordpress. I want to limit PHP to access /var/www/html/blog only. Request to access other directory like /var/www/html/web will be blocked.

What I've tried-

location ~ ^/(?!(blog)/?) { 
    deny all;
    access_log off;
    log_not_found off;
}

How to do that?

Zils
  • 403
  • 2
  • 4
  • 19
  • If you have `root /var/www/html/blog;` then `/var/www/html/web` is outside the document root. You do not need to deny it, it is already inaccessible. – Richard Smith Jan 25 '21 at 15:15
  • But php can access it. if i call include_once('/var/www/html/web/index.php') then it can include it – Zils Jan 25 '21 at 16:25
  • 2
    PHP doesn't use Nginx to access the file system, so Nginx cannot prevent PHP from using `include_once` to find files outside the document root. – Richard Smith Jan 25 '21 at 16:28
  • You may need to run PHP in a chroot-ed environment. This may be helpful - https://www.vennedey.net/resources/3-Secure-webspaces-with-NGINX-PHP-FPM-chroots-and-Lets-Encrypt – IVO GELOV Jan 25 '21 at 18:14

0 Answers0