NGINX PHP FPM - Download prompt when accessing directories

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

NGINX PHP FPM - Download prompt when accessing directories

Laura Smith
Hi,

I have a largely working NGINX config as below.  The only problem is that when "/administrator" or "/administrator/" or "administrator/foo.php" is called, I always get prompted to download the PHP file rather than it be executed by PHP FPM.  Meanwhile, calls to "/" or "/foo.php" operate as expected  (i.e. executed correctly by PHP FPM).

Thanks in advance for you help

Laura

#### CONFIG START
server {                                                                                                                                              
  listen 192.0.2.43:80;                                                                                                                            
  listen [2001:db8:69d0:723c:1cba::1173]:80;                                                                                                  
  server_tokens off;                                                                                                                                  
  server_name  example.com  www.example.com  ;                                                                           
  if ($request_method !~ ^(GET|HEAD)$ )                                                                                                               
  {                                                                                                                                                   
     return 405;                                                                                                                                      
  }                                                                                                                                                   
  return 301 https://example.com$request_uri;                                                                                                 
}                    
server {                                                                                                                                     
  listen 192.0.2.43:443 ssl http2;                                                                                                                 
  listen [2001:db8:69d0:723c:1cba::1173]:443 ssl http2;                                                                                       
  server_tokens off;                                                                                                                                  
  server_name  example.com www.example.com ;                                                                           
  root /usr/share/nginx/foo;                                                                                                                  
  index index.php index.html index.htm default.html default.htm;                                                                                      
  ssl_certificate /etc/ssl/example.com/example.com.pem;                                                                   
  ssl_certificate_key /etc/ssl/example.com/example.com.key;                                                               
  ssl_dhparam /etc/ssl/example.com/example.com.dhp;                                                                       
  ssl_session_timeout 1d;                                                                                                                             
  ssl_session_cache shared:MozSSL:10m;                                                                                                                
  ssl_session_tickets off;                                                                                                                            
  ssl_protocols TLSv1.2 TLSv1.3;                                                                                                                      
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA2$
-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;                                                            
  ssl_prefer_server_ciphers on;                                                                                                                       
  ssl_stapling on;                                                                                                                                    
  ssl_stapling_verify on;                                                                                                                             
  ssl_trusted_certificate /etc/ssl/example.com/example.com.chain;                                                         
  resolver 198.51.100.25 203.0.113.25 [2001:db8::aaaa:20] [2001:db8::aaaa:25];                                                                        
  gzip on;                                                                                                                                            
  gzip_vary on;                                                                                                                                       
  gzip_comp_level 5;                                                                                                                                  
  gzip_proxied expired no-cache no-store private auth;                                                                                                
  gzip_types text/html text/plain text/css text/javascript application/x-javascript;                                                                  
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;preload";                                                                 
  add_header X-Frame-Options SAMEORIGIN;                                                                                                              
  add_header X-Content-Type-Options nosniff;                                                                                                          
  add_header X-XSS-Protection "1; mode=block";
  add_header Content-Security-Policy "referrer no-referrer";
  add_header Referrer-Policy "no-referrer";
  add_header Cache-Control private,max-age=300,no-transform;
  expires 300;
 if ($request_method !~ ^(GET|HEAD|POST|)$ )
  {
    return 405;
  }
  location /log {
    return 403;
  }
  location /logs {
    return 403;
  }
      location ^~ /administrator/ {
        limit_except GET HEAD POST  {
          deny all;
        }
      try_files $uri /index.php /index.html;
        auth_basic "Hello";
        auth_basic_user_file /etc/nginx/salt_htpasswd/htpasswd_foo;
    }
  location / {
    try_files $uri $uri/ /index.php$is_args$args;
        if ($query_string ~ "base64_encode[^(]*\([^)]*\)"){
            return 403;
        }
        if ($query_string ~* "(<|%3C)([^s]*s)+cript.*(>|%3E)"){
            return 403;
        }
        if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})"){
            return 403;
        }
        if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})"){
            return 403;
        }
        auth_basic "Hello";
        auth_basic_user_file /etc/nginx/salt_htpasswd/htpasswd_foo;
  }
  # PHP config from https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/
  location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) {
      return 404;
    }
    fastcgi_param HTTP_PROXY "";
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  limit_except GET HEAD POST  {
    deny all;
  }
  }
}#### CONFIG END
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: NGINX PHP FPM - Download prompt when accessing directories

Francis Daly
On Sun, Aug 30, 2020 at 04:43:27PM +0000, Laura Smith wrote:

Hi there,

> I have a largely working NGINX config as below.  The only problem is that when "/administrator" or "/administrator/" or "administrator/foo.php" is called, I always get prompted to download the PHP file rather than it be executed by PHP FPM.  Meanwhile, calls to "/" or "/foo.php" operate as expected  (i.e. executed correctly by PHP FPM).
>

In nginx, one request is handled in one location{}.

Your

>       location ^~ /administrator/ {

will handle all requests that start with /administrator/; that location
does not do any special handling of php requests; all it will do is
serve files from the filesystem.

Depending on how you want the requests handled, possibly removing the
"^~" will work (that would mean that any requests that match other
regex-location{}s will not be handled in this location); or possibly
creating a nested regex location for "~php" within this location will
work (with contents very like the "main" php location).


(Your config seems to want basic authentication for "file" requests,
but not for "php" requests; that may well be what you intend.) (And the
limit_except lines seem redundant with the "if ($request_method" line;
but if what you have works, it works.)

Good luck with it,

        f
--
Francis Daly        [hidden email]
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: NGINX PHP FPM - Download prompt when accessing directories

Laura Smith



Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, August 30, 2020 11:08 PM, Francis Daly <[hidden email]> wrote:

Hi,

Thanks for your reply.

> Your
>
> > location ^~ /administrator/ {
>
> will handle all requests that start with /administrator/; that location
> does not do any special handling of php requests; all it will do is
> serve files from the filesystem.
>

But then is that not the case for my 'location / {' as well ?  That section also does not do any special handling of php requests and yet the php works ?

Laura
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: NGINX PHP FPM - Download prompt when accessing directories

Francis Daly
On Sun, Aug 30, 2020 at 11:15:03PM +0000, Laura Smith wrote:

Hi there,

> > > location ^~ /administrator/ {
> >
> > will handle all requests that start with /administrator/; that location
> > does not do any special handling of php requests; all it will do is
> > serve files from the filesystem.

> But then is that not the case for my 'location / {' as well ?  That section also does not do any special handling of php requests and yet the php works ?
>

You have:

==
  location ^~ /administrator/ {

  location / {

  location ~ [^/]\.php(/|$) {
    fastcgi_pass
==

It is the case that any request that is handled in the second location
will be served from the filesystem.

But it is not the case that any request that starts with / will be
handled in the second location.

The various characters after the word "location" change how you have
asked nginx to handle different requests.

http://nginx.org/r/location has more details.

Cheers,

        f
--
Francis Daly        [hidden email]
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx