server {
    server_name quantifiedselfforum.com;
    access_log logs/qsforum.access;
    error_log logs/qsforum.error error;
    root /var/www/qsforum;

    location / {
        index index.php;
    }

    # Deny access to internal files.
    location ~ /(inc|uploads/avatars) {
        deny all;
    }

    # Pass the PHP scripts to the FastCGI server.
    location ~ \.php$ {
        fastcgi_pass unix:/tmp/php.socket;
        # Necessary for PHP.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Unmodified fastcgi_params from the NGINX distribution.
        include fastcgi_params;
    }
}
There is a potential security flaw: for example, a user uploads an avatar image pic.gif that contains valid PHP code and then requests /uploads/avatars/pic.gif/foo.php. The issue is discussed in the Pitfalls entry on uncontrollable requests to PHP. Because the URI ends with .php, NGINX passes it to the PHP interpreter. PHP cannot find the file /uploads/avatars/pic.gif/foo.php, but it tries to be smart and executes /uploads/avatars/pic.gif as a PHP script. To avoid this, set cgi.fix_pathinfo=0 in your php.ini; the default is (unfortunately) cgi.fix_pathinfo=1.
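The following is an added example, not code from the NGINX wiki or from PHP: a small model of how PHP's CGI SAPI resolves a SCRIPT_FILENAME that does not exist under cgi.fix_pathinfo=1 versus cgi.fix_pathinfo=0, run against a constructed document root containing the uploaded pic.gif from the text. resolve_script() and demo() are hypothetical helpers written for this illustration.

```python
import os
import shutil
import tempfile


def resolve_script(document_root, script_name, fix_pathinfo):
    """Model PHP's handling of SCRIPT_FILENAME = document_root + script_name.

    Returns (script_path, path_info) for the file PHP would execute, or
    None when PHP would answer "No input file specified".
    """
    script_filename = os.path.join(document_root, script_name.lstrip("/"))
    if os.path.isfile(script_filename):
        return script_filename, ""
    if not fix_pathinfo:
        # cgi.fix_pathinfo=0: the literal file must exist; nothing else is tried.
        return None
    # cgi.fix_pathinfo=1: PHP strips trailing path segments one at a time
    # until it finds a real file, and treats the remainder as PATH_INFO.
    parts = script_name.lstrip("/").split("/")
    for i in range(len(parts) - 1, 0, -1):
        candidate = os.path.join(document_root, *parts[:i])
        if os.path.isfile(candidate):
            return candidate, "/" + "/".join(parts[i:])
    return None


def demo():
    """Build a constructed document root with an uploaded avatar and resolve
    the request /uploads/avatars/pic.gif/foo.php under both settings."""
    root = tempfile.mkdtemp()
    try:
        avatar_dir = os.path.join(root, "uploads", "avatars")
        os.makedirs(avatar_dir)
        with open(os.path.join(avatar_dir, "pic.gif"), "w") as f:
            f.write("GIF89a")  # constructed sample upload, content irrelevant here
        request = "/uploads/avatars/pic.gif/foo.php"
        return {
            "fix_pathinfo_1": resolve_script(root, request, fix_pathinfo=True),
            "fix_pathinfo_0": resolve_script(root, request, fix_pathinfo=False),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for setting, result in demo().items():
        print(setting, "->", result)
```

With fix_pathinfo=1 the resolver lands on pic.gif with PATH_INFO "/foo.php", which is exactly the file PHP would execute; with fix_pathinfo=0 the request fails instead.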
See the PHP FastCGI Example for details on creating the UNIX socket, and the forum post on enabling human-readable (SEO-friendly) URLs with the Google SEO plugin.