branch master updated: services: nginx: Harden php-location settings.
From: guix-commits
Subject: branch master updated: services: nginx: Harden php-location settings.
Date: Fri, 07 Jul 2023 10:21:45 -0400
This is an automated email from the git hooks/post-receive script.
nckx pushed a commit to branch master
in repository guix.
The following commit(s) were added to refs/heads/master by this push:
new cbc14b3bae services: nginx: Harden php-location settings.
cbc14b3bae is described below
commit cbc14b3baea457cf2718b85f767d39ff3911ce91
Author: Bruno Victal <mirai@makinata.eu>
AuthorDate: Wed Apr 5 16:34:08 2023 +0100
services: nginx: Harden php-location settings.
* gnu/services/web.scm (nginx-php-location): Only pass existing PHP files
to the back end. Mitigate httpoxy vulnerability.
---
gnu/services/web.scm | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 45897d7d6f..818226a4f7 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1144,6 +1144,14 @@ a webserver.")
(uri "~ \\.php$")
(body (list
"fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+
+ ;; Include some upstream recommendations from
+ ;; https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi
+ ;; Mitigate https://httpoxy.org/ vulnerabilities
+ "fastcgi_param HTTP_PROXY \"\";"
+ ;; Only pass existing php files to the backend.
+ "if (!-f $document_root$fastcgi_script_name) { return 404; }"
+
(string-append "fastcgi_pass unix:" socket ";")
"fastcgi_index index.php;"
(list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))
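Review bot: the added `if (!-f $document_root$fastcgi_script_name) { return 404; }` tests the path on the file system as nginx sees it, so it is only correct when the PHP back end behind `fastcgi_pass unix:` serves the same tree at the same path. A back end that runs chrooted or in a container with a different root would now get a 404 from nginx for every script, before the request reaches it. The diffstat shows only gnu/services/web.scm changing, so I would suggest stating this assumption, and the new 404 behaviour for missing files, in the documentation for nginx-php-location, or at least extending the in-code comment above the `if` line to say that the check relies on nginx and the back end sharing the document root.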