Just wanted to point out that in your sample nginx configuration you write:

locate ^~ /progress {
   report_uploads uploads;
}

That "locate" should of course be "location".

-----------

Your next bit is a bit unusual and therefore threw me off at first, because you assign fastcgi explicitly to index.php.

location = /index.php {
   include fastcgi.conf;
   fastcgi_pass phpcgi;
   track_uploads uploads 60s;
}

A more typical configuration probably looks something like:

location ~ \.php$ {
  fastcgi_pass unix:/var/run/php5-fpm.sock;
  fastcgi_index index.php;
  include fastcgi_params;
  track_uploads uploads 60s;
}

Comments

ralf.strobel

Title: Errors in nginx configuration example » Better nginx configuration example
Priority: Normal » Minor

Oh, but after I had figured out these minor problems, your module now works like a charm for us. Thanks a lot for this!

perusio

It's not:

assign fastcgi explicitly to index.php.

but rather that your config is unsafe. Instead by using an exact location I'm constraining $fastcgi_script_name to be index.php. Meaning that everything goes through index.php. Therefore any other PHP file must be explicitly allowed through an exact location.

perusio

Fixed the typo on the project page. Thanks.

perusio

Assigned: Unassigned » perusio
Status: Active » Fixed

ralf.strobel

Status: Fixed » Active

I know what your intention was with the index.php. My point was just that very few people do this, and since this is example code, it'll throw some people off since they don't understand it.

If you want to keep it in like that, at least you should comment on it.

I don't think my configuration is "unsafe", actually. It's the default behavior of most web servers (e.g. Apache + modphp). As a web admin, you should make sure that there are no other script files out there that can be called directly and will do something harmful.

Did you check that in your config, calling a PHP script other than index.php will not lead to its code being displayed publicly? If not, I could call your settings.php and see your hash salt and database password.

perusio

Nope. You can try it. There's a catch-all PHP location right at the end.

## Any other attempt to access PHP files returns a 404.
location ~* ^.+\.php$ {
    return 404;
}

Also check this thread out.

dropbydrop

I agree with ralf

perusio

The catch-all PHP location is unsafe. It's now even listed on the Nginx Wiki Pitfalls page; why should we propagate an error?

Just because "everybody does it" doesn't mean that it's acceptable.
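To make the pattern argued over in this thread concrete, here is an added example server block (not the module's project-page config and not either participant's file) that puts the exact-match index.php location, the upload-progress locations and the trailing catch-all together in one place. It assumes a PHP-FPM upstream named phpcgi, a document root of /var/www/drupal, a hostname of example.com and an application that routes every request through index.php; all four are placeholders.

```nginx
# Added example: exact-match front controller plus a catch-all 404 for PHP.
# Assumptions (placeholders): upstream "phpcgi", root /var/www/drupal,
# server_name example.com, upload-progress zone "uploads".

upstream phpcgi {
    server unix:/var/run/php5-fpm.sock;
}

server {
    listen 80;
    server_name example.com;
    root /var/www/drupal;

    # Weak pattern, shown commented out for contrast: a regex location hands
    # every URI ending in .php to PHP, including settings.php and paths that
    # do not exist on disk (the case the Nginx Wiki "Pitfalls" page warns about).
    #location ~ \.php$ {
    #    include fastcgi_params;
    #    fastcgi_pass phpcgi;
    #}

    # Hardened pattern: the exact location pins $fastcgi_script_name to
    # /index.php, so only the front controller is ever executed.
    location = /index.php {
        include fastcgi.conf;
        fastcgi_pass phpcgi;
        track_uploads uploads 60s;   # upload-progress zone and timeout
    }

    # Progress endpoint polled by the browser during uploads.
    location ^~ /progress {
        report_uploads uploads;
    }

    # Any other PHP entry point that must run gets its own exact location,
    # for example: location = /cron.php { include fastcgi.conf; fastcgi_pass phpcgi; }

    # Everything else: serve the file if it exists, otherwise hand to index.php.
    location / {
        try_files $uri @frontcontroller;
    }

    location @frontcontroller {
        rewrite ^ /index.php last;
    }

    # Catch-all evaluated after the exact and ^~ matches above: any remaining
    # request for a .php path gets a 404, so no other script is executed and
    # no PHP source is ever served as a static file.
    location ~* ^.+\.php$ {
        return 404;
    }
}
```

A quick check after reloading: a request for /settings.php should return 404 from nginx, while /index.php and the application's clean URLs still reach PHP.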

perusio

Status: Active » Closed (won't fix)

ralf.strobel

My point was never that your example code was wrong. My point was that people might not recognize and understand it. You can keep it this way, but you should probably explain it in a comment then and refer back to the code more people will know.

ralf.strobel

Issue summary: View changes

More precise explanation