From MoodleDocs

I've removed the lines from this page instructing users to set the php configuration parameter cgi.fix-pathinfo=0

This line is included in a lot of on-line how-to guides for Nginx/PHP and is explained as a security restriction, see, here and here

In summary, within the context of Nginx and php-fpm the best(?) way to handle potential PATH_INFO vulnerabilities as described in those articles is to use the default behaviour of php-fpm, i.e. within,

/etc/php5/fpm/pool.d/www.conf (debianised)

security.limit_extensions = .php

Either way will work just fine, but this is one step less with no real down sides...


I want to propose to add the information how to get Nginx working in MAMP to be able to develop with the same server potentially used on a live site. I needed to research a long time to find this information.

For MAMP add the following two Lines on the Nginx settings page for »Additional parameters ...«

rewrite ^/(.*)/(.*\.php)(/)(.*)$ /$1/$2?file=/$4 last; rewrite ^/(.*\.php)(/)(.*)$ /$1?file=/$3 last;

Support installations in a subpath (subdirectory)

The directives and the examples assume that Moodle is installed at the top directory: - it is available at - and not at

In the latter case the nginx rules will fail to match.