-
-
Notifications
You must be signed in to change notification settings - Fork 615
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve Nginx Documentation #343
Comments
Hi, I'm the same Robby from IRC. While your proposed solution works, the solution I'm using is actually to include the PHP location block in each location block where I need it. To avoid having to duplicate this in too many places I put the PHP location block in a snippet file and include it in each location block as needed. The reason I'm currently doing it like this is because of the following. Not sure if this is useful for the situation described in this issue, but here is a problem I had: The following links has relevant reading material on nginx and (nested) location blocks: Back to pico.
But, the above does not block access to So, taking into account the information in the 2 links I mentioned above, the following location block does block access to
Other than that, my current location block for pico is like this:
My snippets/fastcgi-php-custom.conf contents, based on the information in this link:
Note that I'm not knowledgeable about regex, so most likely there's a better way to do some of the things I mentioned. I just wanted to share my findings. |
In order to block access to config or other folders, I think you'd need to match it with regex similar to this:
The important part being that you'd need to tell it to match anything in the config folder, not just the folder itself. If you haven't checked it out yet, there's some more examples at d8f9166. The discussion started there, but should really be continued here. It's a really funny coincidence that you brought up the Nginx issues when you did because I just decided to check it out. Together it seems we've generated a bit of interest on the topic. Not sure if I'd agree with the idea of including the php block in every location block... but I didn't even know you could nest location blocks. I've got a lot of similar sections across several different site configs, so I plan to explore using So far it sounds like we have three different approaches to the subject that each have some benefits and drawbacks. Ultimately, there may not be a "right" answer, but we'll have to decide what would be the best configuration for new users. An experienced Nginx user will likely be able to take whatever example we provide and fit it to their own needs/preferences anyway. |
So, there's a few criteria that I think should be focused on for the example config:
Just some food for thought to hopefully spark more discussion. |
@smcdougall To block access to folders and files this rule is enough, no need for more regex. location ~* /(config|content|content-sample|lib|vendor) The essential part is WHERE you place this. It MUST be before the php processing rule in order to block also php files. Processing order is the word. I testet it and posted a config here: d8f9166 |
Ah, that makes sense. Good to know. Do you have any other input on the criteria I thought up? You seem like you're probably the most experienced of the four of us right now. 😃 |
So what has worked well for me was a separate
index index.html index.htm index.php;
location ~* /\.ht {
deny all;
}
location ~* /(config|content|content-sample|lib|vendor) {
return 404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
location ~ ^/(.*) {
try_files $uri $uri/ /?$1&$args;
}
What I'm aiming for here is simplicity. I like writing something once and using it everywhere. Just wanted to share what seems to be working well for me. I plan to draft up a Docs page about Nginx configuration sometime later today. My plan is to extend the existing section slightly, then link to another page entirely about Nginx. The page will be able to go in depth about the how's and why's of different configuration tips. It'll touch on important points, like Nginx's processing order, the fact that Nginx uses a centralized configuration (and how that makes configuring Pico a little harder), etc. Obviously I'm by no means an expert on the topic, but I think I've gathered enough information to provide a good write-up on the subject. After I get the initial write-up done, it'd of course be open to further contribution. @iwedler, I'd especially like it if you could weigh in a little on your config, such as why you prefer your I'll link the page and the PR here once I've written it. |
Great to hear! Looking forward to your PR 👍 😃 Just a minor suggestion: You don't need a regex when installing Pico to the root directory (the regex's objective is to remove the subdirectory part of the URL). The following works just fine in this particular case: location / {
try_files $uri $uri/ /?$uri&$args
} |
That's true I suppose. It got lost somewhere in my quest for a universal config. 😆 Would you rather I restore that example to the Docs and use the |
I'm not sure yet, depends on how the docs page will look like. |
Random discovery:
No more That'll definitely be going in the Nginx page. I'm partway done with it so far, but it's taking longer than I though. Probably won't have it up today, but it's definitely in progress. |
I finished a rough draft of the page. Take a look at #345. Any input is appreciated. 😃 |
Looks great so far! The only issue is the php example location block, it poses a security risk. It is best to use the example from the nginx wiki due to security reasons mentioned here. Using the example mentioned in the first link doesn't require changing the |
It should be sufficient to let the PHP location block match |
I had forgotten about Also, I'd like to make the PHP block as simple as possible. While the other blocks are meant to be copied, the PHP block is really just an example. I'll try to emphasize this a little more. Since PHP configuration is somewhat dependent on the user's system, I don't want them to just copy and paste it. It should only be used as a reference. |
😕 I've actually flip-flopped on this and I think I'd rather just mention I've had time to reread my page and remember that I planned to link to a I don't like the Nginx Wiki's example because it uses an Although I like the elegance of specifically matching
On top of that, I think I'd have to break PHP Configuration into "Document Root" and "Subfolder" sections, which would make it more confusing. |
I know its meant as an example, but people are people and will copy paste, so its better to have a secure example in there in the first place. Also, do keep in mind people who may also wish to run other .php files on a Pico site, I'm sure there's people out there that would or do. What's the problem with the |
Reading the above, I feel more than one example configuration seems to be needed. For people that use Pico and also have other .php files, so it can't be locked down to just index.php (and then the |
Nah, now that I've thought about it, I don't want to lock it down to And Nginx even states that If is Evil. 😆 The thing is though, if they haven't followed another guide to properly setup I think a good, "Warning:" should be sufficient to inform a user about the security issue. Ultimately though, nothing we're providing in this example is at fault for the security issue. 😕 |
Yeah, I've seen that |
It's a tough call. I really don't want to make the example code more complicated than it has to be. Also, to me, it feels a lot like a workaround to what is clearly an insecure default setting for I will give it credit that it's the official recommendation of the Nginx Wiki though. I can see merits to doing it either way. @PhrozenByte, @iwedler, what do you think? I'll go whichever way the crowd goes on this issue. |
I don't feel like having the appropriate background knowledge to tell what solution is better... The only thing I can say is that Pico neither uses |
I'll likely include the Ultimately, if the user wants to remove that line because they feel they know better, they can! A user who isn't as experienced though would benefit from this extra included protection. I suppose it's on the same level as blocking |
On the subject of The general example floating around the web is to use Returning 404 on the other hand, would be the same response they'd get if the file really didn't exist. I'm sure there's a good reason that |
Just a short question about the |
I've come up with an elegant way to fix this:
This makes Pico return its own 404 instead of nginx's own errors, which is even better I think. |
If you mean the path for config, content, etc, I don't think you'd have to adjust it for a subdomain. Since your regex doesn't begin with I hadn't thought of adding those other files to the 404 rule. That's a good idea. I'll test it out sometime and add something similar to the example. @PhrozenByte Those files should probably be added to Pico's This doesn't actually answer the question you quoted from me though. I was asking specifically about the |
@smcdougall, your thoughts about the reasons for using Unfortunately I don't like extending the However, using Pico's |
My assumption for his reasoning is that these are files that are included by default in Pico, but not intended to be accessed on the webserver. Although they pose no security risk, they are files that a determined user could navigate to. I don't know if they should be blocked or not, but I had never thought about the fact that they can be accessed. When I read his comment, I had a moment where I thought "you can't do that... can you?". Sure enough, if I navigate to It just feels a little uncomfortable. I just went through the "Pico Showcase" on the Wiki... all but three entries willingly offered me their I don't know what else to say about it (plus, I'm tired and his is going to be my last comment for the night). I just hadn't even thought about the fact that obviously these files would be accessible. I'd assume the same probably holds true for the owners of all the Pico sites I just probed. 😒 Anyway, I still don't know if they should be blocked by default, but was my reaction after reading @Robby-'s comment. |
I should never say something is my last comment for the night 😒 Just caught up on some of the commits from the last few hours. I'll add |
Starting with Pico 1.1 you can use |
I'll have a chance to finish this up tomorrow (4/27). Do you want me to focus on I should be able to easily get the existing examples finalized, merged, and then work on |
That's probably the best way to deal with it 😃 |
I thought so too. 👍 I'm going to finish it up with the examples we had finalized a few days ago. Things like using Pico's internal error page can be an enhancement for 1.1. It's a simple enough idea, but it will take a little more debugging before I'm sure we have a bullet-proof example. With that in mind, it might as well be done with the new infrastructure in 1.1. |
Sorry for the late response. @smcdougall I also think 404 is the better response, instead of a 403. @PhrozenByte My reason for adding these files to the 404 block is just personal preference I guess. |
Indeed. I think it still deserves more discussion going forward. For now I'm working to finalize what we had, and we can address the rest afterward. In 1.1, it'll be much easier to use Pico's internal error page for things as well. I could also potentially add a tip near the bottom about blocking access to those other files. I definitely understand where you're coming from. |
Hmm... Yeah, hiding the version number isn't a bad idea (i.e. blocking access to |
I'm really not sure where I stand on the issue. I'd rather keep the examples simple, but if it could be a security issue then maybe it needs to change. Right now, I'm looking at keeping feature parity with By the way, I noticed something that might need to be fixed in I've done that in my current copy of |
I think I've addressed most of the concerns we've discussed here, minus the ones postponed for 1.1. I'd call this page ready for review now. There's probably still some last minute fixes to make, so tell me what you think. Go ahead and tear it apart. 😉 http://smcdougall.github.io/Pico/nginx/ |
Great, now I need to update it again. 😒 |
@smcdougall's nginx configuration page finally got merged and he IMHO did a great job! 😃 You can find the final document at http://picocms.org/in-depth/nginx/. Any further thoughts about this @ALL? |
Pico's Nginx documentation is practically non-existent. It should be improved and provide some detailed examples equivalent to what is provided for Apache in
.htaccess
.A discussion has already begun on d8f9166. It seems there is a lot to consider when using a Regex Location Block for Pico's rewriting, as Nginx will only use the first matching rule it finds. Since a typical Nginx setup also uses Regex to detect when to send a page to PHP, a misconfiguration can easily break PHP detection altogether.
The solution seems to be placing the PHP Location Block above any Pico rewrite blocks, that way any requests to
index.php
get properly matched.In the current example,
location ~ ^/pico(.*)
matches both the Page ID you're trying to rewrite (eg/pico/page
) and also the index itself (at/pico/index.php
, resolved from the URI/pico/?page
).Since
/pico/index.php
matcheslocation ~ ^/pico(.*)
, Nginx has succeeded in finding a match and will not move on to match it tolocation ~ \.php$
. The PHP page gets served as a download file instead of interpreted by PHP.The text was updated successfully, but these errors were encountered: