@sbarre
Last active March 23, 2017 13:56
Fixing Debian/Ubuntu's default nginx configuration to work with SimpleSAMLphp

In order to make SimpleSAMLphp work properly on newer Ubuntu/Debian with a default nginx configuration, you may have to change the nginx virtual host configuration as follows:

If the PHP location block in the /etc/nginx/sites-available/default file (or whatever your default virtual host file is called) looks like this:

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;

                fastcgi_read_timeout 600;

                # With php7.0-fpm:
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }

it needs to be changed to look like this:

        location ~ \.php(/|$) {
                include snippets/fastcgi-php.conf;

                fastcgi_read_timeout 600;

                # With php7.0-fpm:
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        }

Note the (/|$) change at the end of the location line, which is required to support SimpleSAMLphp URLs that look like /simplesaml/www/module.php/core/metadata.php/1.

In this case you want to match /simplesaml/www/module.php as the file, even though the URL does not end with .php.

This is the first fix, which will match the URL, but there's a potential second issue:

If the /etc/nginx/snippets/fastcgi-php.conf file looks like this:

        # regex to split $uri to $fastcgi_script_name and $fastcgi_path
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Check that the PHP script exists before passing it
        try_files $fastcgi_script_name =404;

        # Bypass the fact that try_files resets $fastcgi_path_info
        # see: http://trac.nginx.org/nginx/ticket/321
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;

        fastcgi_index index.php;
        include fastcgi.conf;

it needs to be changed to look like this:

        # regex to split $uri to $fastcgi_script_name and $fastcgi_path
        fastcgi_split_path_info ^(.+?\.php)(/.+)$;

        # Check that the PHP script exists before passing it
        try_files $fastcgi_script_name =404;

        # Bypass the fact that try_files resets $fastcgi_path_info
        # see: http://trac.nginx.org/nginx/ticket/321
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;

        fastcgi_index index.php;
        include fastcgi.conf;

Note the subtle change in the fastcgi_split_path_info ^(.+?\.php)(/.+)$; line: a ? was added after .+ (giving .+?) to make the match non-greedy, so it stops at the first .php it finds. In a URL like /simplesaml/www/module.php/core/metadata.php/1, this matches /simplesaml/www/module.php as the filename, and the rest of the URL is set as the $path_info variable.

In the default config, /simplesaml/www/module.php/core/metadata.php would be captured as the script filename (with only /1 set as $path_info), which would then trigger a 404 in the try_files line that comes after since that file doesn't actually exist.
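
The two fixes traced end to end, as an added example that is not part of the original gist: a Python model of the location match, the fastcgi_split_path_info split and the try_files check, run over constructed URIs. The EXISTING file set, the sample URIs other than the page's own, and the route helper are assumptions made for illustration; Python's re stands in for nginx's PCRE, which behaves the same for these patterns.

```python
import re

# (location regex, fastcgi_split_path_info regex) pairs taken from the page.
CONFIGS = {
    "default": (r"\.php$", r"^(.+\.php)(/.+)$"),
    "location fix only": (r"\.php(/|$)", r"^(.+\.php)(/.+)$"),
    "both fixes": (r"\.php(/|$)", r"^(.+?\.php)(/.+)$"),
}

# Constructed stand-in for the PHP files that exist under the document root.
EXISTING = {"/simplesaml/www/module.php", "/simplesaml/www/index.php"}

# Constructed request URIs; the first is the example URL from the page.
SAMPLE_URIS = [
    "/simplesaml/www/module.php/core/metadata.php/1",
    "/simplesaml/www/index.php",
    "/simplesaml/www/missing.php/core/metadata.php",
]


def route(uri, config, existing=EXISTING):
    """Model one request: location match, path split, then try_files.

    Returns (script_name, path_info, outcome); outcome is "no-php-location",
    "404" or "fastcgi".
    """
    location_re, split_re = CONFIGS[config]
    # A regex location (~) is an unanchored search over the URI.
    if not re.search(location_re, uri):
        return (None, None, "no-php-location")
    # Capture 1 becomes $fastcgi_script_name, capture 2 $fastcgi_path_info.
    # If the split regex does not match, the whole URI is the script name.
    m = re.match(split_re, uri)
    script, path_info = m.groups() if m else (uri, "")
    # try_files $fastcgi_script_name =404;
    outcome = "fastcgi" if script in existing else "404"
    return (script, path_info, outcome)


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri)
        for name in CONFIGS:
            print(f"  {name:18} -> {route(uri, name)}")
```

The try_files line is unchanged by either fix, so a request whose first .php segment is not a real file still ends in a 404 rather than being handed to PHP-FPM.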
