On the directory security problem of Nginx FastCGI

I could not find in the Nginx configuration an equivalent of the per-virtual-host open_basedir setting used with Apache; what is available at the moment is refusing PHP execution in specific directories. (Strictly, open_basedir is a PHP directive rather than an Apache one: Apache only sets it per virtual host through php_admin_value. With PHP-FPM the same restriction can be applied per pool with php_admin_value[open_basedir] in the pool configuration, or passed from nginx with fastcgi_param PHP_ADMIN_VALUE.)
Quoting the official Nginx documentation:
Too many example configs fail to secure the "uploads" directory of the application. Remember that if someone can upload a file named xyz.php and the uploads dir is publicly accessible then you have given the attacker an easy way to insert PHP onto your site…

So if your app has an upload dir "/images/" then adjust your fastcgi call along the lines of:
http {
    index index.php;
    root  /var/www/htdocs;

    # .php
    location ~ .*\.php$ {
        include /etc/nginx/fcgi.conf;
        # Only hand the request to PHP when it is NOT under the upload dir.
        # For /images/*.php no fastcgi_pass is set, so nginx serves the file
        # as static content instead of executing it.
        if ( $uri !~ "^/images/") {
            fastcgi_pass  127.0.0.1:10004;
        }
        fastcgi_index index.php;
    }
}
The path in the pattern is a PCRE regular expression, not a shell glob. Note that $uri !~ "/*images*/" does not mean "every folder containing the string images": it matches the text "image" followed by any number of "s" and a slash, anywhere in the URI. To cover every URI whose path contains images, use $uri !~ "images"; to cover a directory named images at any depth, use $uri !~ "/images/". Each upload directory needs its own clause, and a .php file under the excluded directory is still served back as plain text rather than executed. I will post a better method when I find one.
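The same protection can be expressed without an "if" and without a regex on $uri, and extended with the two checks a practitioner would want alongside it: refusing PHP for non-existent scripts (the cgi.fix_pathinfo trap, where /images/shell.jpg/x.php would execute shell.jpg) and the per-virtual-host open_basedir the post was looking for. This is an added example, not configuration from the original post or from the Nginx documentation; the server name, the upstream address 127.0.0.1:10004, the include file name and the open_basedir list are assumptions.

```nginx
# Added example (not from the original post or the Nginx wiki).
# Assumptions: server_name, upstream 127.0.0.1:10004, fastcgi_params include,
# and the open_basedir directory list.
server {
    listen 80;
    server_name example.com;          # assumption
    root  /var/www/htdocs;
    index index.php;

    # Upload directory: static files only. "^~" makes this prefix match final,
    # so the outer "~ \.php$" location below is never consulted for /images/;
    # the nested regex location then refuses anything ending in .php
    # (uploaded shell.php as well as /images/shell.jpg/x.php).
    location ^~ /images/ {
        location ~ \.php$ {
            return 403;
        }
    }

    location ~ \.php$ {
        # Refuse requests whose script does not exist on disk. Without this,
        # cgi.fix_pathinfo=1 lets /foo.jpg/x.php run foo.jpg as PHP.
        try_files $uri =404;

        include fastcgi_params;       # assumption: the stock nginx include
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Per-vhost open_basedir: PHP-FPM applies PHP_ADMIN_VALUE passed as a
        # FastCGI parameter, the counterpart of Apache's php_admin_value.
        fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/htdocs:/tmp";  # assumed list

        fastcgi_pass  127.0.0.1:10004;
        fastcgi_index index.php;
    }
}
```

Returning 403 (rather than leaving the request without a fastcgi_pass, as the quoted configuration does) also avoids serving the uploaded PHP source back as plain text. Each additional upload directory gets its own "location ^~" block with the same nested deny.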
