Created
December 11, 2012 21:04
-
-
Save xeoncross/4262132 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Creates unlimited domains for PHP sites | |
| server { | |
| listen 80; | |
| index index.html index.htm index.php; | |
| # Test 1 | |
| server_name ~^(.+)\.frameworks\.loc$; | |
| set $file_path $1; | |
| root /var/www/frameworks/$file_path/public; | |
| include /etc/nginx/php.conf; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Working localhost script | |
| server { | |
| listen 80 default; | |
| server_name localhost; | |
| root /var/www/localhost; | |
| index index.html index.htm index.php; | |
| include /etc/nginx/php.conf; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Route all requests for non-existent files to index.php | |
| location / { | |
| try_files $uri $uri/ /index.php$is_args$args; | |
| } | |
| # Pass PHP scripts to php-fastcgi listening on port 9000 | |
| location ~ \.php$ { | |
| # Zero-day exploit defense. | |
| # http://forum.nginx.org/read.php?2,88845,page=3 | |
| # Won't work properly (404 error) if the file is not stored on | |
| # this server, which is entirely possible with php-fpm/php-fcgi. | |
| # Comment the 'try_files' line out if you set up php-fpm/php-fcgi | |
| # on another machine. And then cross your fingers that you won't get hacked. | |
| try_files $uri =404; | |
| include fastcgi_params; | |
| fastcgi_index index.php; | |
| # Keep these parameters for compatibility with old PHP scripts using them. | |
| fastcgi_param PATH_INFO $fastcgi_path_info; | |
| fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; | |
| fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
| # Some default config | |
| fastcgi_connect_timeout 20; | |
| fastcgi_send_timeout 180; | |
| fastcgi_read_timeout 180; | |
| fastcgi_buffer_size 128k; | |
| fastcgi_buffers 4 256k; | |
| fastcgi_busy_buffers_size 256k; | |
| fastcgi_temp_file_write_size 256k; | |
| fastcgi_intercept_errors on; | |
| fastcgi_ignore_client_abort off; | |
| fastcgi_pass 127.0.0.1:9000; | |
| } | |
| # PHP search for file Exploit: | |
| # The PHP regex location block fires instead of the try_files block. Therefore we need | |
| # to add "try_files $uri =404;" to make sure that "/uploads/virusimage.jpg/hello.php" | |
| # never executes the hidden php code inside virusimage.jpg because it can't find hello.php! | |
| # The exploit also can be stopped by adding "cgi.fix_pathinfo = 0" in your php.ini file. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment