I just stumbled upon the 0-day exploit
and some discussions about it:
https://forum.nginx.org/read.php?2,88845,page=3
https://serverfault.com/questions/690983/which-try-files-nginx-directive-is-best-for-the-zero-day-exploit
That zero-day exploit looks scary.
And are all PHP apps like Laravel affected? WordPress? Everything?
What other exploits are out there that I don't know about but should know about?
I am confused and preoccupied.
So to fix nginx, I need to have something like this:
server {
listen 80;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name dev.MyApp.com;
root /var/www/html/dev.MyApp.com/public;
index index.html index.htm index.php;
access_log /var/log/nginx/mylog.com.access.log;
error_log /var/log/nginx/mylog.com.error.log;
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
}
location ~ \.php$ {
try_files $uri =404;
proxy_intercept_errors on;
error_page 500 501 502 503 = @fallback;
fastcgi_buffers 8 256k;
fastcgi_buffer_size 128k;
fastcgi_intercept_errors on;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
}
location @fallback {
try_files $uri =404;
fastcgi_buffers 8 256k;
fastcgi_buffer_size 128k;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
}
location ~* \.(css|js|png|jpg|jpeg|gif|ico)$ { expires 1d; }
}
where try_files $uri =404; fixes the security issue. What else do I have to do? E.g. what other exploits are out there?
I'm running ddev under macOS with Apple Silicon M1.
I'm trying to open a phar (Contao-Manager.phar.php) file in the browser but get a 404.
The webroot is set correctly, because it is possible to open a test.php in the same webroot in the browser.
Here is my nginx conf:
server {
listen 80 default_server;
listen 443 ssl default_server;
root /var/www/html/web;
ssl_certificate /etc/ssl/certs/master.crt;
ssl_certificate_key /etc/ssl/certs/master.key;
include /etc/nginx/monitoring.conf;
index index.php index.htm index.html;
sendfile off;
error_log /dev/stdout info;
access_log /var/log/nginx/access.log;
location / {
absolute_redirect off;
try_files $uri $uri/ /index.php?$query_string;
}
location @rewrite {
rewrite ^ /index.php;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/run/php-fpm.sock;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_intercept_errors off;
fastcgi_read_timeout 10m;
fastcgi_param SERVER_NAME $host;
fastcgi_param HTTPS $fcgi_https;
}
location ~* /\.(?!well-known\/) {
deny all;
}
location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
deny all;
}
include /etc/nginx/common.d/*.conf;
include /mnt/ddev_config/nginx/*.conf;
}
Try changing your default location to this (I didn't check whether it works):
location / {
absolute_redirect off;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
try_files $fastcgi_script_name $uri $uri/ /index.php?$query_string;
}
And check your access.log and error.log if it's not working.
The problem is somewhere between fastcgi_split_path_info and your location order (which location actually handles *.php request first).
It is also possible that your regular expression in fastcgi_split_path_info doesn't match Contao-Manager.phar.php (the file has 2 extensions).
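An added example (mine, not part of the reply above): a model of how nginx's fastcgi_split_path_info fills $fastcgi_script_name and $fastcgi_path_info, run against the regex from the ddev config, the one suggested in the reply, and a file name with two extensions. The request URIs are constructed; the functions reproduce the variable semantics from the nginx fastcgi module documentation rather than running nginx.

```python
"""Added example, not part of the answer above: how nginx's
fastcgi_split_path_info fills $fastcgi_script_name and $fastcgi_path_info,
checked against the two regexes in this thread.  Request URIs are constructed."""
import re

# regex from the question's `location ~ \.php$` block (lazy .+?)
LAZY = r"^(.+?\.php)(/.*)$"
# regex suggested in the reply (greedy .+)
GREEDY = r"^(.+\.php)(/.+)$"


def matches_php_location(uri):
    r"""Does `location ~ \.php$` pick this URI up at all?"""
    return re.search(r"\.php$", uri) is not None


def split_path_info(pattern, uri):
    """Return ($fastcgi_script_name, $fastcgi_path_info) as nginx computes them:
    on a match, capture 1 is the script name and capture 2 the path info;
    with no match the script name is the request URI and path info is empty."""
    m = re.match(pattern, uri)
    if m is None:
        return uri, ""
    return m.group(1), m.group(2)


def script_filename(document_root, pattern, uri):
    """$document_root$fastcgi_script_name, i.e. what FPM gets as SCRIPT_FILENAME."""
    name, _info = split_path_info(pattern, uri)
    return document_root + name


if __name__ == "__main__":
    for uri in ("/Contao-Manager.phar.php",
                "/Contao-Manager.phar.php/api",
                "/a.php/b.php/c"):
        print(uri, "| location matches:", matches_php_location(uri))
        print("  lazy  :", split_path_info(LAZY, uri))
        print("  greedy:", split_path_info(GREEDY, uri))
```

Two things the output makes visible. A plain /Contao-Manager.phar.php matches neither regex (both require a slash after .php), and that is harmless: $fastcgi_script_name is then just the URI, so the two-extension name reaches the `\.php$` location and FPM intact. Where the two regexes do differ is a URI like /a.php/b.php/c: the lazy one names /a.php as the script and the greedy one /a.php/b.php, and since `try_files $fastcgi_script_name =404` checks whichever name wins, the choice of regex decides which file on disk is the one that must exist and gets executed.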
I have a React application running on / on nginx. I want to enable a WordPress blog on /blog.
This is my current config:
http {
upstream reactapp
{
server 127.0.0.1:3000;
}
}
server {
gzip on;
gzip_disable "msie6";
gzip_vary on;
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl on;
ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;
root /var/www/html;
index index.php index.html index.htm;
server_name www.xxxxxxx.com;
location / {
proxy_pass http://reactapp;
}
location /blog {
index index.php index.html;
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_read_timeout 3600s;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 128k;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
}
}
I want to run WordPress in the /blog subdirectory, and it's located at /var/www/html/blog, but it only loads the root pages; none of the sub pages work, they either give a 404 or go to /.
I want to create a dockerized WordPress with nginx that will use /kokpit instead of /wp-admin. I'm using the nginx:latest container with the default config, and declared my server block for WordPress like below:
server {
listen 443 ssl;
ssl_certificate /etc/nginx/localhost.crt;
ssl_certificate_key /etc/nginx/localhost.key;
server_name dimidia.dev.com;
root /var/www/html;
index index.php;
error_log /var/log/nginx/stderr_dimidia debug;
access_log /var/log/nginx/stdout_dimidia;
location /media
{
rewrite ^/media/(.+) /wp-content/themes/mytheme/$1;
}
location /
{
try_files $uri $uri/ /index.php?$args;
}
location /kokpit
{
rewrite ^/kokpit(.*) /wp-admin$1;
}
location ~ \.php$ {
fastcgi_read_timeout 300;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
client_max_body_size 50m;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_pass dimidia_php:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
However, when I go to /kokpit, files like load-scripts.php return 404 instead of scripts, and I cannot reach any PHP files inside kokpit (all return 404). The big question is: why?
(First of all, sorry for my English, it's not my native language :/ )
I have a problem with my NGINX conf. I have 2 Symfony2 projects in 2 folders. The first one is my root dir (www.mywebsite.com/) in my nginx conf, and I would like to have the second one like this: www.mywebsite.com/secondwebsite.
The first website works fine on port 80 (with the classic nginx config).
My second website works fine on port 82 (www.mywebsite.com:82), for example with this conf:
server {
listen 82;
server_name mywebsite.com *.mywebsite.;
root /var/www/project/dev/secondwebsite/web/;
index app_dev.php;
location / {
# try to serve file directly, fallback to app.php
try_files $uri /app_dev.php$is_args$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
include fastcgi_params;
add_header Access-Control-Allow-Origin *;
}
}
But I get a problem when I try to access it like this: www.mywebsite.com/secondwebsite. None of my Symfony2 routes work (I get a 404 on each). I set app_dev.php as the index to get more details.
Here is my nginx conf:
server {
listen 80;
server_name mywebsite.com *.mywebsite.com;
index app.php;
root /var/www/project/dev/mywebsite/web;
error_log /var/log/nginx/mywebsite.error.log;
access_log /var/log/nginx/mywebsite.access.log;
if ($http_host != "www.mywebsite.com"){
rewrite ^ http://www.mywebsite.com$request_uri permanent;
}
location / {
# try to serve file directly, fallback to app.php
try_files $uri /app.php$is_args$args;
}
location /secondwebsite/ {
alias /var/www/project/dev/secondwebsite/web/;
index app_dev.php;
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index app_dev.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
add_header Access-Control-Allow-Origin *;
}
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
include fastcgi_params;
add_header Access-Control-Allow-Origin *;
}
}
I've searched many times but nothing works, I really need help ^^
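An added example (mine, not from the post): a model of how nginx builds the PHP script path inside a `location /secondwebsite/ { alias ...; }` block, which is where the nested `location ~ \.php$` above gets its SCRIPT_FILENAME from. Inside an alias location $document_root is the alias value while $fastcgi_script_name is still the full request URI, so `$document_root$fastcgi_script_name` contains the location prefix twice; $request_filename is the alias plus the URI with the prefix removed, which is why the nginx and Symfony docs use it with alias. The directory layout is built in a temporary directory mirroring the paths in the post.

```python
"""Added example, not from the post: the two candidate SCRIPT_FILENAME values
nginx can produce for a request that lands in a prefix location with `alias`,
checked against a constructed copy of the post's directory layout."""
import os
import tempfile


def nginx_php_paths(root, location_prefix, alias, uri):
    r"""Model the nginx variables for `location <prefix> { alias <alias>; location ~ \.php$ {...} }`:
      $document_root       -> the alias value inside the alias location, root elsewhere
      $fastcgi_script_name -> the request URI (the block has no fastcgi_split_path_info)
      $request_filename    -> alias + URI with the location prefix removed
    Returns both SCRIPT_FILENAME candidates so they can be compared."""
    inside_alias = uri.startswith(location_prefix)
    document_root = alias if inside_alias else root
    fastcgi_script_name = uri
    if inside_alias:
        request_filename = alias + uri[len(location_prefix):]
    else:
        request_filename = root + uri
    return {
        # what the nested location in the post sends: $document_root$fastcgi_script_name
        "document_root_plus_script_name": document_root + fastcgi_script_name,
        # the alias-aware alternative: $request_filename
        "request_filename": request_filename,
    }


def build_tree():
    """Constructed layout mirroring the post: two Symfony web dirs under one project dir."""
    base = tempfile.mkdtemp(prefix="project-")
    for site in ("mywebsite", "secondwebsite"):
        web = os.path.join(base, site, "web")
        os.makedirs(web)
        for name in ("app.php", "app_dev.php"):
            with open(os.path.join(web, name), "w") as f:
                f.write("<?php // constructed stand-in for the Symfony front controller\n")
    return base


def which_exists(base, uri):
    """For a URI, report which of the two candidate paths is a real file on disk."""
    root = os.path.join(base, "mywebsite", "web")
    alias = os.path.join(base, "secondwebsite", "web") + "/"
    paths = nginx_php_paths(root, "/secondwebsite/", alias, uri)
    return {name: os.path.isfile(path) for name, path in paths.items()}


if __name__ == "__main__":
    base = build_tree()
    for uri in ("/app.php", "/secondwebsite/app_dev.php"):
        print(uri, which_exists(base, uri))
```

For /secondwebsite/app_dev.php only the $request_filename candidate exists on disk; the `$document_root$fastcgi_script_name` one has `.../secondwebsite/web//secondwebsite/app_dev.php` in it, and FPM answers "Primary script unknown", which nginx shows as a 404 on every route of the second site. Outside the alias location both candidates are identical, so switching the nested block to `fastcgi_param SCRIPT_FILENAME $request_filename;` changes nothing for the first site.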
So I'm trying to create a mechanism to handle friendly URLs with NGINX/PHP-FPM using the basic configuration further below.
When I request an address with a non-existent URI like:
http://example.com/blah/whatever
All the styling from the default page just goes away. I thought I had a sense of what's going on and searched exhaustively, but there's nothing on Stack Overflow or in the logs or that comes through in Firebug or Chrome that confirms my intuition.
Following is my nginx config:
server {
listen 192.168.1.80:80 default_server;
listen 192.168.1.80:443 default_server ssl;
root /home/main/jb/www/;
client_max_body_size 30M;
# access_log logs/host.access.log main;
location / {
# try_files $uri $uri/ /index.php;
try_files $uri $uri/ /index.php?$uri&$args;
index index.php;
include mime.types;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ \.php$ {
root /home/main/jb/www/;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_ignore_client_abort on;
fastcgi_param SERVER_NAME $http_host;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_intercept_errors on;
}
location ~ /\.ht {
deny all;
}
}
Disclaimer: This was extracted from the question.
I seem to have solved the problem by adding a full URL to all the respective script and link tags, where before I was just using relative paths. Not sure if I fully understand the dynamics of the solution, but I hope this helps.