In order to make SimpleSAMLphp work properly on newer Ubuntu/Debian with a default nginx configuration, you may have to change the nginx virtual host configuration as follows:
If the PHP location block in the /etc/nginx/sites-available/default file (or whatever your default virtual host file is called) looks like this:
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_read_timeout 600;
    # With php7.0-fpm:
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
it needs to be changed to look like this:
location ~ \.php(/|$) {
    include snippets/fastcgi-php.conf;
    fastcgi_read_timeout 600;
    # With php7.0-fpm:
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
Note the (/|$) change at the end of the location line, which is required to support SimpleSAMLphp URLs that look like /simplesaml/www/module.php/core/metadata.php/1.
In this case you want to match /simplesaml/www/module.php as the file, even though the URL does not end with .php.
This first fix makes the location block match the URL, but there is a potential second issue.
If the /etc/nginx/snippets/fastcgi-php.conf file looks like this:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
it needs to be changed to look like this:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.+)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
Note the subtle change in the fastcgi_split_path_info ^(.+?\.php)(/.+)$; line, where a ? was added to the (.+? expression to make the matching non-greedy and stop at the first .php it finds, so that in a URL like /simplesaml/www/module.php/core/metadata.php/1 we are matching /simplesaml/www/module.php as the filename and the rest of the URL is set as the $path_info variable.
In the default config, /simplesaml/www/module.php/core/metadata.php would be captured as the script filename (with only /1 set as $path_info), which would then trigger a 404 in the try_files line that comes after, since that file doesn't actually exist.
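The following is an added example, not part of the SimpleSAMLphp documentation or nginx itself: a small Python model of the location match, the fastcgi_split_path_info split and the try_files check, run against the URL discussed above with both the default and the changed regexes. The function names and the EXISTING_SCRIPTS set are assumptions made for the illustration, and Python's re module stands in for nginx's PCRE, which treats these four patterns the same way.

```python
import re

# Constructed sample: the only PHP script that exists under the document root.
EXISTING_SCRIPTS = {"/simplesaml/www/module.php"}

OLD_LOCATION = r"\.php$"              # default location regex
NEW_LOCATION = r"\.php(/|$)"          # changed location regex
OLD_SPLIT = r"^(.+\.php)(/.+)$"       # default (greedy) split
NEW_SPLIT = r"^(.+?\.php)(/.+)$"      # changed (non-greedy) split


def location_matches(location_regex, uri):
    """nginx regex locations are unanchored, so model them with re.search."""
    return re.search(location_regex, uri) is not None


def split_path_info(split_regex, uri):
    """Model fastcgi_split_path_info: capture 1 becomes the script name,
    capture 2 the path info. With no match the whole URI is the script name."""
    m = re.match(split_regex, uri)
    if m is None:
        return uri, ""
    return m.group(1), m.group(2)


def route(location_regex, split_regex, uri, existing=EXISTING_SCRIPTS):
    """Return (outcome, script_name, path_info) for one request URI."""
    if not location_matches(location_regex, uri):
        return ("not handled by PHP location", None, None)
    script, path_info = split_path_info(split_regex, uri)
    if script not in existing:  # models: try_files $fastcgi_script_name =404;
        return ("404", script, path_info)
    return ("passed to PHP-FPM", script, path_info)


if __name__ == "__main__":
    uri = "/simplesaml/www/module.php/core/metadata.php/1"
    cases = [
        ("default location, default split", OLD_LOCATION, OLD_SPLIT),
        ("changed location, default split", NEW_LOCATION, OLD_SPLIT),
        ("changed location, changed split", NEW_LOCATION, NEW_SPLIT),
    ]
    for label, loc, split in cases:
        print(f"{label}: {route(loc, split, uri)}")
```

Only the combination of both changes reaches PHP-FPM with /simplesaml/www/module.php as the script. The try_files line stays in place in both versions of the snippet, so a request whose script name does not exist on disk is still answered with a 404 instead of being handed to PHP.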