
Block access to php files in folder in nginx under ispconfig

@Michele947

Posted in: #Nginx

I am using nginx / ispconfig and want to block access to any php file under a directory using server directives.

My directive looks like this:

    location / {
        location ~ /notallowed/(.+)\.php$ {
            deny all;
        }
    }


The idea is that I match for / first, to make sure this is prioritised over any regex locations, and then match for the specific directory within the location block. This is because the directives are added after all of the default vhost content in ispconfig.

There isn't another / location block it can be matching prior to this, yet this is not firing - php files are accessible in the folder. Is there a way to troubleshoot the matching rules in a host config?


2 Comments


@Barnes591

For once this is working:

    location = /xmlrpc.php {
        deny all;
        access_log off;
        log_not_found off;
    }


Notice the =. It has precedence over the wildcard match.

If you have more files to match then you need to work more and use @user269173's advice.


@Shelley277

I had the same problem. As you stated, the default vhost directive is put before, so the resulting config is like this:

    location ~ \.php$ {
        try_files /2e602f1b7f73a97412af065eb54a58c4.htm @php;
    }

    location @php {
        try_files $uri =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9040;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
    }
    ...
    location ~* ^/wp-content/.*\.(php|phps)$ {
        deny all;
    }


Since the default directive is a regular expression that matches every .php file request, it matches and stops location evaluation, so your custom directive will never be reached.

The only way I found is to override the default configuration. If you have complete access to the server, you can do it just by copying /usr/local/ispconfig/server/conf/nginx_vhost.conf.master to /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master and putting the section

    <tmpl_loop name="nginx_directives">
    <tmpl_var name='nginx_directive'>
    </tmpl_loop>


before

    <tmpl_if name='php' op='==' value='php-fpm'>


This will be applied to any vhost configured on the server, so you should check carefully if this doesn't have side-effects.



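Added example, not part of either answer above and not ISPConfig's or nginx's own code: a simplified Python model of nginx's selection order for server-level locations. It shows why the generated PHP regex wins over a deny regex placed after it, and why placing the deny first or using an exact (=) location changes the result. Assumptions: only top-level locations are modelled (nested blocks and named locations are skipped), and the config snippets, the /dummy.htm file name and the request paths are constructed.

```python
import re

# Matches a location header: optional modifier (=, ^~, ~*, ~) and the pattern.
LOC = re.compile(r'^\s*location\s+(?:(=|\^~|~\*|~)\s*)?(\S+)\s*\{')

def parse_locations(server_body):
    """Return (modifier, pattern) for each server-level location, in file order."""
    locs, depth = [], 0
    for line in server_body.splitlines():
        m = LOC.match(line)
        if m and depth == 0 and not m.group(2).startswith('@'):  # skip named
            locs.append((m.group(1) or '', m.group(2)))
        depth += line.count('{') - line.count('}')
    return locs

def select(locs, uri):
    """Apply nginx's documented selection order to server-level locations."""
    for mod, pat in locs:
        if mod == '=' and uri == pat:
            return (mod, pat)              # exact match ends the search
    best = None
    for mod, pat in locs:
        if mod in ('', '^~') and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat)          # remember the longest prefix
    if best and best[0] == '^~':
        return best                        # ^~ skips the regex phase
    for mod, pat in locs:
        if mod in ('~', '~*') and re.search(pat, uri, re.I if mod == '~*' else 0):
            return (mod, pat)              # first regex in file order wins
    return best

# Constructed server bodies modelled on the config quoted in the answer.
PHP = r"""location ~ \.php$ {
    try_files /dummy.htm @php;
}
location @php {
    fastcgi_pass 127.0.0.1:9040;
}
"""
DENY = r"""location ~* ^/wp-content/.*\.(php|phps)$ {
    deny all;
}
"""
EXACT = "location = /xmlrpc.php {\n    deny all;\n}\n"

if __name__ == '__main__':
    uri = '/wp-content/uploads/x.php'  # constructed request path
    print('generated order:', select(parse_locations(PHP + DENY), uri))
    print('deny placed first:', select(parse_locations(DENY + PHP), uri))
    print('exact, placed last:', select(parse_locations(PHP + EXACT), '/xmlrpc.php'))
```

To check a real vhost, paste the body of its server block (for example from the output of nginx -T) into parse_locations and pass the request path without the query string.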