From bb175f3d4e1fb34c16cc435ee77ae303956c8aa2 Mon Sep 17 00:00:00 2001
From: Diogo Cordeiro
Date: Wed, 29 May 2019 13:14:11 +0100
Subject: [PATCH] [NGINX conf] Fix PHP files being served as files.
---
 nginx.conf.sample | 47 ++++++++++++++++++++++++++---------------------
 1 file changed, 26 insertions(+), 21 deletions(-)
diff --git a/nginx.conf.sample b/nginx.conf.sample
index bf787e6983..94aa2d7232 100644
--- a/nginx.conf.sample
+++ b/nginx.conf.sample
@@ -2,7 +2,7 @@ server {
 listen [::]:80;
 listen 80;
-# FIXME: change domain name here (and also make sure you do the same in the next 'server' section)
+# FIXME: Change domain name here (and also make sure you do the same in the next 'server' section)
 server_name social.example.org;
 # redirect all traffic to HTTPS
@@ -10,52 +10,56 @@ server {
 }
 server {
-# HTTPS is mandatory on GNU social unless you are using Tor network. Seriously. Set it up with a cert (any cert) before you run the install.
+# HTTPS is mandatory on GNU social unless you are using Tor network. Seriously.
+# Set it up with a cert (any cert) before you run the install.
 listen [::]:443 ssl http2;
 listen 443 ssl http2;
 # Root
-# Change the path below to where you installed
-# GNU social
+# FIXME: Change the path below to where you installed GNU social
 root /path/to/gnusocial/root;
 # Server name
-# Change "social.example.org" to your site's domain name
+# FIXME: Change "social.example.org" to your site's domain name
 # GNU social MUST be installed in the domain root
 server_name social.example.org;
 # SSL
-# Uncomment and change the paths to setup
-# your SSL key/cert. See https://cipherli.st/
-# for more information
+# FIXME: Change the paths to setup your SSL key/cert. See https://cipherli.st/ for more information
 ssl_certificate ssl/certs/social.example.org.crt;
 ssl_certificate_key ssl/private/social.example.org.key;
 # Logs
-# Uncomment and change the paths to setup
-# logging
-#access_log /path/to/access.log;
-#error_log /path/to/error.log;
+# FIXME: Uncomment and change the paths to setup logging
+ # access_log /path/to/access.log;
+ # error_log /path/to/error.log;
 # Index
 index index.php;
 # PHP
- location /index.php {
+ location ~ /index.php {
 include fastcgi_params;
 include snippets/fastcgi-php.conf;
 fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
 fastcgi_param SCRIPT_FILENAME $request_filename;
- # Further optional configuration
- #fastcgi_buffer_size 128K;
- #fastcgi_buffers 4 256K;
- #fastcgi_busy_buffers_size 256K;
- #fastcgi_read_timeout 600s;
- #fastcgi_send_timeout 300s;
- #fastcgi_connect_timeout 75s;
- #http2_push_preload on;
+# Further optional configuration
+# fastcgi_buffer_size 128K;
+# fastcgi_buffers 4 256K;
+# fastcgi_busy_buffers_size 256K;
+# fastcgi_read_timeout 600s;
+# fastcgi_send_timeout 300s;
+# fastcgi_connect_timeout 75s;
+# http2_push_preload on;
+ }
+
+# Don't allow any PHP file other than index.php to be executed
+# This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
+# And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
+ location ~ \.php$ {
+ deny all;
 }
 # Location
@@ -97,3 +101,4 @@ server {
 # log_not_found off;
 # }
 }
+
-- 
2.39.5
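Review bot: The new `location ~ \.php$ { deny all; }` only blocks URIs that end in exactly `.php`, so editor or backup copies of the very files the comment above it is worried about (`config.php~`, `config.php.bak`, `config.php.orig`) are still served verbatim as static files; `location ~ \.php(\.|~|$)` (or `\.php[^/]*$`) would close that gap, and `return 404;` instead of `deny all;` avoids a 403 that confirms the file exists. Because nginx tries `~` locations in file order, the `index.php` block only works because it is written above the deny block, which deserves a comment such as `# Must precede the "\.php$" deny location: regex locations are matched in order.` above `location ~ /index.php {`. That pattern is also unanchored with an unescaped dot, so any URI merely containing `/index.php` (a script of that name in a subdirectory, for instance) is handed to PHP-FPM; `location ~ ^/index\.php(/|$)` pins it to the document-root script, provided the rewrite rules in the `# Location` section outside this hunk only route to that file. The enclosing `server` block continues past the end of this hunk.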