Talk:Nginx

Revision as of 08:52, 20 February 2019 by Urs Hunkler (talk | contribs)

Jump to: navigation, search

I've removed the lines from this page instructing users to set the php configuration parameter cgi.fix-pathinfo=0

This line is included in a lot of on-line how-to guides for Nginx/PHP and is explained as a security restriction, see, here and here

In summary, within the context of Nginx and php-fpm the best(?) way to handle potential PATH_INFO vulnerabilities as described in those articles is to use the default behaviour of php-fpm, i.e. within,

/etc/php5/fpm/pool.d/www.conf (debianised)

security.limit_extensions = .php

Either way will work just fine, but this is one step less with no real down sides...

Links:
https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/
http://serverfault.com/questions/627903/is-the-php-option-cgi-fix-pathinfo-really-dangerous-with-nginx-php-fpm

I want to propose to add the information how to get Nginx working in MAMP.

For MAMP add the following two Lines on the Nginx settings page for »Additional parameters ...«

rewrite ^/(.*)/(.*\.php)(/)(.*)$ /$1/$2?file=/$4 last;
rewrite ^/(.*\.php)(/)(.*)$ /$1?file=/$3 last;