Posted by RedRat on March 24, 2013 at 11:51am
First of all, excuse my English. I hope you can understand what I want to ask.
For a long time I have used this NginX config as a template for mine own, but I am very unsatisfied with it's security concerning PHP files. I mean, there are only some PHP files which a really needed for Drupal to work: index.php, update.php and cron.php (install.php used only once and I don't use any features of xmlrpc.php). So I want to rewrite my NginX config to grant access only for enlisted PHP files.
But I have some doubts about such approach. Also I suspect there are may be more PHP files in the core or modules that must be accessible from browser. Can you point me on such examples?
Categories: access, access control, FastCGI, nginx
Comments
Perusio's config is very thorough.
https://github.com/perusio/drupal-with-nginx
Yes, I know about this
Yes, I know about this project and even tried to use it some years ago. But his config is way too thorough, if you know what I mean. ;-)
Anyway I will try to shrink it to reasonable set of features.
This might be worth checking out
From Aegir -
http://drupalcode.org/project/provision.git/blob/refs/heads/7.x-2.x:/htt...
There's also a simple one, but there doesn't seem to be much difference with a quick scroll (haven't looked close or diffed).
Pretty straightforward
Pretty straightforward config, I see already some things that I'll borrow from it. Thanks!
I will suggest studying and using [omega8cc] Nginx BOA Nginx
See:
1) https://github.com/omega8cc/nginx-for-drupal/tree/master/aegir/conf
and
2) https://github.com/omega8cc/provision/tree/master/http/Provision/Config/...
Stability within the BOA Nginx config's is excellence and maturity!
Just take some time to read the doc's and scripts on the 1st link.
--
Linux: Web Developer
Peter Bowey Computer Solutions
Australia: GMT+9:30
( ̄`·..·[ Peter ]·..· ́ ̄)
Piter, thanks for a links,
Piter, thanks for a links, I'll give it a shot!
If you use Drush to do cron
If you use Drush to do cron runs and database updates, than update.php and cron.php are not needed either - index.php is all that is necessary.
That being said, the smartest approach really is to not reinvent the wheel and just use perusio's tried and true config. It's already well-tuned for security out of the box.
The Boise Drupal Guy!
@RedRat why don't you just
@RedRat why don't you just pick out the bits from perusio's you need instead of wasting time trying to figure this out yourself. It's all there...
## Replicate the Apache <FilesMatch> directive of Drupal standard## .htaccess. Disable access to any code files. Return a 404 to curtail
## information disclosure. Hide also the text files.
location ~* ^(?:.+.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.sql|test|theme|tpl(?:.php)?|xtmpl)|code-style.pl|/Entries.|/Repository|/Root|/Tag|/Template)$ {
return 404;
}
its one, i'll let you find the rest ;)
bending technology to fit businesses.
Yes, it's exactly what I plan
Yes, it's exactly what I plan to do: "Anyway I will try to shrink it to reasonable set of features".
So pity that nobody corrected template config on the NginX wiki. :-\