Note: You are currently viewing documentation for Moodle 2.9. Up-to-date documentation for the latest stable version of Moodle may be available here: Nginx.

Talk:Nginx

Revision as of 09:25, 4 September 2015 by Paul Verrall (talk | contribs) (Created page with "I've removed the lines from this page instructing users to set the php configuration parameter [http://php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo cgi.fix-pathinfo]=0...")

I've removed the lines from this page instructing users to set the PHP configuration parameter cgi.fix_pathinfo=0.

This line is included in a lot of on-line how-to guides for Nginx/PHP and is explained as a security restriction; see here and here.

In summary, within the context of Nginx and php-fpm the best(?) way to handle potential PATH_INFO vulnerabilities as described in those articles is to use the default behaviour of php-fpm, i.e. within,

/etc/php5/fpm/pool.d/www.conf (debianised)

security.limit_extensions = .php

Links:
https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/
http://serverfault.com/questions/627903/is-the-php-option-cgi-fix-pathinfo-really-dangerous-with-nginx-php-fpm
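
One way to check the setting discussed above across php-fpm pool files, as an added example that is not part of the original comment. The function name, pool names and sample configuration are constructed for illustration; the one assumption about php-fpm is that an empty value for the directive switches the extension check off.

```python
import re

# Constructed sample pool configuration (not from the page).
SAMPLE_POOL_CONF = """\
[www]
listen = /var/run/php5-fpm.sock
security.limit_extensions = .php

[legacy]
; an empty value switches the extension check off
security.limit_extensions =

[uploads]
security.limit_extensions = .php .jpg

[api]
;security.limit_extensions = .php .php3
"""

def audit_limit_extensions(conf_text, allowed=(".php",)):
    """Return {pool: (status, extensions)} for every [pool] section.

    status: "ok"        only extensions from `allowed` are listed
            "default"   directive not set, php-fpm's built-in default applies
            "disabled"  empty value, php-fpm will execute any extension
            "too-broad" at least one extension outside `allowed`
    """
    pools, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        section = re.fullmatch(r"\[([^\]]+)\]", line)
        if section:
            name = section.group(1)
            current = None if name == "global" else name  # [global] is not a pool
            if current:
                pools[current] = ("default", [])
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep or key.strip() != "security.limit_extensions":
            continue
        exts = value.split(";")[0].split()         # drop any trailing comment
        if not exts:
            pools[current] = ("disabled", exts)
        elif any(e not in allowed for e in exts):
            pools[current] = ("too-broad", exts)
        else:
            pools[current] = ("ok", exts)
    return pools
```

Pools reported as "disabled" or "too-broad" are the ones where a request such as an uploaded non-PHP file followed by a PATH_INFO suffix could still reach the interpreter, which is the case the linked articles describe.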