

Created Oct 28, 2019
Minimal nginx server block that reproduces a PHP-FPM vulnerability by passing `.php` requests to php-fpm with the script-existence check (`try_files`) disabled. It is a demonstration configuration only and must not be deployed on a real server.
# See article at: (the reference URL was not preserved in this copy of the gist)
# Location: /etc/nginx/sites-enabled/default
server {
listen 80 default_server;
root /var/www/html;
# index.php is included in the index list because this server block serves PHP
index index.html index.php;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# pass PHP scripts to FastCGI server
location ~ [^/].php(/|$) {
include fastcgi.conf;
# regex to split $uri into $fastcgi_script_name and $fastcgi_path_info.
# Note: the dot in ".php" should be a literal dot, i.e. `\.php` (the backslash appears to have been
# stripped when this config was pasted; the same applies to the location regex above). When this
# regex does not match, $fastcgi_path_info is left empty and an empty PATH_INFO is forwarded to php-fpm below.
fastcgi_split_path_info ^(.+.php)(/.+)$;
# Check that the PHP script exists before passing it to php-fpm. This check is deliberately
# disabled on the next line to reproduce the vulnerability: without it, any URI matching the
# location regex is forwarded to php-fpm even when no such script exists. On a real server,
# re-enable it: `try_files $fastcgi_script_name =404;`
#try_files $fastcgi_script_name =404;
# Work around try_files resetting $fastcgi_path_info: copy it into $path_info first so the
# PATH_INFO parameter below still receives the value extracted by fastcgi_split_path_info.
# see: (the reference URL was not preserved in this copy of the gist)
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;