Note: You are currently viewing documentation for Moodle 3.1. Up-to-date documentation for the latest stable version of Moodle is probably available here: Nginx.

Talk:Nginx

From MoodleDocs

I've removed the lines from this page instructing users to set the PHP configuration parameter cgi.fix_pathinfo=0.

This line is included in a lot of online how-to guides for Nginx/PHP and is explained as a security restriction; see here and here.

In summary, within the context of Nginx and php-fpm the best(?) way to handle potential PATH_INFO vulnerabilities as described in those articles is to use the default behaviour of php-fpm, i.e. within,

/etc/php5/fpm/pool.d/www.conf (debianised)

security.limit_extensions = .php

Either way will work just fine, but this is one step less with no real downsides...

Links:
https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/
http://serverfault.com/questions/627903/is-the-php-option-cgi-fix-pathinfo-really-dangerous-with-nginx-php-fpm
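
An added example, not part of the original comment or of Moodle's documentation: a small Python check that reads a php-fpm pool file and reports the effective security.limit_extensions value for each pool. The sample pool file, the pool names and the function name are constructed for illustration; the `.php` default is taken from the comment above, and an empty value is flagged because php-fpm treats it as "allow all extensions".

```python
import re

# Default applied when a pool does not set the directive; the comment above
# gives the php-fpm default as ".php" (assumption carried over from the page).
DEFAULT_EXTENSIONS = [".php"]

# Constructed sample pool file, not taken from a real server.
SAMPLE_POOL_CONF = """\
; constructed example
[www]
listen = /var/run/php5-fpm.sock
;security.limit_extensions = .php .php3

[uploads]
listen = /var/run/php5-fpm-uploads.sock
security.limit_extensions =

[legacy]
security.limit_extensions = .php .html
"""

def audit_limit_extensions(conf_text):
    """Return {pool: (extensions, verdict)} for each pool section."""
    pools, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or commented-out line: directive not in effect
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            if current != "global":
                pools[current] = None  # None = directive not set in this pool
            continue
        key, _, value = line.partition("=")
        if current in pools and key.strip() == "security.limit_extensions":
            pools[current] = value.split(";")[0].split()  # drop inline comment
    report = {}
    for pool, exts in pools.items():
        if exts is None:
            report[pool] = (DEFAULT_EXTENSIONS, "ok (default)")
        elif not exts:
            report[pool] = ([], "FAIL: empty value disables the restriction")
        elif all(e == ".php" for e in exts):
            report[pool] = (exts, "ok")
        else:
            report[pool] = (exts, "WARN: extensions beyond .php are executable")
    return report

if __name__ == "__main__":
    for pool, (exts, verdict) in audit_limit_extensions(SAMPLE_POOL_CONF).items():
        print(f"[{pool}] {' '.join(exts) or '(none)'} -> {verdict}")
```

To check a real server, pass the contents of the pool file named above (/etc/php5/fpm/pool.d/www.conf on Debian) to `audit_limit_extensions`.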