This type of configuration is insecure since there's no whitelisting of the PHP scripts to be processed.
----appa

On Thu, Feb 13, 2014 at 1:34 PM, Maxim Dounin <[email protected]> wrote:

> Hello!
>
> On Wed, Feb 12, 2014 at 03:23:05PM -0800, Grant wrote:
>
> > I've found that if I don't specify:
> >
> > index index.html index.htm index.php;
> >
> > in the server blocks where I use fastcgi, I can get a 403 due to the
> > forbidden directory index. I would have thought 'fastcgi_index
> > index.php;' would take care of that. If this is the expected
> > behavior, should the index directive be added to the fastcgi wiki?
>
> This is the expected and documented behaviour.
>
> The "fastcgi_index" directive is to instruct a fastcgi backend
> which file to use if a request with an URI ending with "/" is
> passed to the backend. That is, it makes sense in a configuration
> like this:
>
>     location / {
>         fastcgi_pass localhost:9000;
>         fastcgi_index index.php;
>         include fastcgi.conf;
>     }
>
> It doesn't make sense in configurations with only *.php file
> passed to fastcgi backends though. E.g., in a configuration like
> this it doesn't make sense and should be removed:
>
>     location ~ \.php$ {
>         fastcgi_pass localhost:9000;
>         # wrong: fastcgi_index doesn't make sense here
>         fastcgi_index index.php;
>         include fastcgi.conf;
>     }
>
> In this case, normal index processing applies. It is explained in
> details in an introduction article here:
>
> http://nginx.org/en/docs/http/request_processing.html#simple_php_site_configuration
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
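An added example, not part of the thread and not written by its participants: one nginx layout that whitelists the PHP scripts handed to the FastCGI backend, while the `index` directive handles directory requests as the quoted reply describes. The server name, document root and script names are assumptions; `localhost:9000` and `fastcgi.conf` are taken from the quoted configuration.

```nginx
server {
    listen 80;
    server_name example.test;        # assumed name
    root /var/www/example;           # assumed document root

    # Directory requests ("/", "/docs/") are resolved by the index module,
    # which issues an internal redirect to e.g. /index.php. Without this
    # line such requests end in 403 when autoindex is off.
    index index.html index.htm index.php;

    location / {
        # Static files and directories only; nothing here reaches the backend.
        try_files $uri $uri/ =404;
    }

    # Whitelist: one exact-match location per script that is meant to run.
    # Exact matches ("=") win over the regex location below.
    location = /index.php {
        fastcgi_pass localhost:9000;
        include fastcgi.conf;        # sets SCRIPT_FILENAME from $document_root
        # no fastcgi_index: the URI never ends in "/" in this location
    }

    location = /contact.php {        # assumed second whitelisted script
        fastcgi_pass localhost:9000;
        include fastcgi.conf;
    }

    # Every other URI ending in .php is refused instead of being passed on,
    # so a file that merely exists under the root is never executed.
    location ~ \.php$ {
        return 404;
    }
}
```

Checking the result with `nginx -t` and then requesting `/`, `/index.php` and a non-listed `.php` path confirms that only the whitelisted scripts are executed.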
