# FastCGI environment for an upstream: nginx's stock fastcgi.conf parameter
# set (the generated nginx.conf in this gist includes a file of that name at
# http level — presumably this one; confirm).
# NOTE: nginx inherits fastcgi_param from the enclosing level only when the
# current level defines none, so a location with its own fastcgi_param lines
# (as the php location in nginx.conf does) uses its own list and not these.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
# Only sent when $https is non-empty, i.e. on a TLS connection.
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
# Peer address as nginx saw it; nothing here rewrites it from forwarding headers.
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# nginx.conf as generated for the NixOS module in this gist (the store paths
# name nginx 1.14.1 and postfixadmin 3.2). Runs in the foreground with the
# error log on stderr, as a supervised service would.
user nginx nginx;
error_log stderr;
daemon off;
events {
}
http {
    include /nix/store/vq7b87c3ds9kfvcdd71xa50kcazzpzvf-nginx-1.14.1/conf/mime.types;
    # http-level fastcgi_param set. It reaches a location only if that
    # location defines no fastcgi_param of its own; the php location below
    # does, so what php-fpm actually receives is the list written there.
    include /nix/store/vq7b87c3ds9kfvcdd71xa50kcazzpzvf-nginx-1.14.1/conf/fastcgi.conf;
    include /nix/store/vq7b87c3ds9kfvcdd71xa50kcazzpzvf-nginx-1.14.1/conf/uwsgi_params;
    # TLS settings only apply to a `listen ... ssl` socket; the single server
    # below listens on plain port 80, so these two lines are inert here.
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL;
    # $connection_upgrade is used for websocket proxying
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    # Bodies above 10m are rejected by nginx (413) before they reach php-fpm,
    # whose pool in the module allows 42M uploads; the two limits disagree.
    client_max_body_size 10m;
    # Omits the nginx version from the Server header and error pages.
    server_tokens off;
    server {
        # Plain HTTP only; no TLS listener is defined for this host.
        listen 0.0.0.0:80 ;
        listen [::]:80 ;
        server_name mailtest ;
        root /nix/store/hn719gylar3n8bh6x1660l0x6n1z2n46-postfixadmin-3.2/public;
        # NOTE(review): $host is taken from the client's Host header and is
        # only lightly validated by nginx, so the log file name is client
        # chosen and a new file under /tmp is opened per distinct value.
        # $server_name or a fixed path would avoid that.
        access_log /tmp/nginx/log/$host combined;
        charset utf-8;
        index index.php;
        # block these file types
        #location ~* \.(tpl|md|tgz|log|out|tar|gz|db)$ {
        #deny all;
        #}
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        # or a unix socket
        # Case-insensitive match on the URI suffix; no PATH_INFO form
        # (/x.php/anything) can reach this block, only URIs ending in .php.
        location ~* \.php$ {
            # Zero-day exploit defense.
            # http://forum.nginx.org/read.php?2,88845,page=3
            # Won't work properly (404 error) if the file is not stored on this
            # server, which is entirely possible with php-fpm/php-fcgi.
            # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
            # another machine. And then cross your fingers that you won't get hacked.
            try_files $uri =404;
            # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
            # (the module's pool sets php_admin_value[cgi.fix_pathinfo] = 0).
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # With php5-cgi alone:
            # Must match the pool's listen address (127.0.0.1:9000 in the module).
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            # This list replaces the http-level fastcgi.conf set entirely;
            # anything missing here is not sent, whatever the include says.
            fastcgi_param QUERY_STRING $query_string;
            fastcgi_param REQUEST_METHOD $request_method;
            fastcgi_param CONTENT_TYPE $content_type;
            fastcgi_param CONTENT_LENGTH $content_length;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
            fastcgi_param REQUEST_URI $request_uri;
            fastcgi_param DOCUMENT_URI $document_uri;
            fastcgi_param DOCUMENT_ROOT $document_root;
            fastcgi_param SERVER_PROTOCOL $server_protocol;
            fastcgi_param GATEWAY_INTERFACE CGI/1.1;
            fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
            fastcgi_param REMOTE_ADDR $remote_addr;
            fastcgi_param REMOTE_PORT $remote_port;
            fastcgi_param SERVER_ADDR $server_addr;
            fastcgi_param SERVER_PORT $server_port;
            fastcgi_param SERVER_NAME $server_name;
            # Always sent, possibly empty — unlike the `if_not_empty` form in fastcgi.conf.
            fastcgi_param HTTPS $https;
            # Overrides any client-supplied Proxy header so PHP never sees it
            # as HTTP_PROXY (httpoxy).
            fastcgi_param HTTP_PROXY "";
        }
    }
}
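{ config, lib, pkgs, ... }:
# NixOS module: postfixadmin served by nginx + php-fpm over plain HTTP on the
# host "mailtest". The let block is recursive, so the package definition may
# refer to dataDir/cacheDir before they are bound below.
let
  # postfixadmin built with a generated config.local.php.
  postfixadminpkg = pkgs.callPackage ./pkg-postfixadmin.nix {
    # NOTE(review): writeText places this file in /nix/store, which is
    # world-readable, so nothing secret belongs in it. 'changeme' is the
    # upstream placeholder; postfixadmin's setup.php is expected to generate
    # the value that goes here — confirm before use.
    config = pkgs.writeText "postfixadmin-config.local.php" ''
      <?php
      $CONF['configured'] = true;
      $CONF['setup_password'] = 'changeme';
      $CONF['database_type'] = 'sqlite';
      $CONF['database_name'] = '${dataDir}/postfixadmin.db';
      ?>
    '';
    inherit cacheDir;
  };
  phppoolName = "postfixadmin_pool";
  cacheDir = "/var/cache/postfixadmin";
  dataDir = "/var/lib/postfixadmin";
  pfauser = "pfauser";
  pfagroup = "pfagroup";
in
{
  # Dedicated user/group for the php-fpm workers and their state directories.
  users.groups.${pfagroup} = { };
  users.users.${pfauser} = {
    isSystemUser = true;
    group = pfagroup;
    description = "PHP User for postfixadmin";
  };

  # nginx: plain HTTP only (forceSSL/enableACME off), so anything entered on
  # the web UI crosses the network in the clear — a test setup.
  networking.firewall.allowedTCPPorts = [ 80 ];
  services.nginx = {
    enable = true;
    virtualHosts."mailtest" = {
      forceSSL = false;
      enableACME = false;
      root = "${postfixadminpkg}/public";
      extraConfig = ''
        # $host comes from the client's Host header; each distinct value a
        # client sends opens another log file under /tmp/nginx/log.
        access_log /tmp/nginx/log/$host combined;
        charset utf-8;
        index index.php;
        # block these file types
        #location ~* \.(tpl|md|tgz|log|out|tar|gz|db)$ {
        #deny all;
        #}
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        # or a unix socket
        location ~* \.php$ {
          # Zero-day exploit defense.
          # http://forum.nginx.org/read.php?2,88845,page=3
          # Won't work properly (404 error) if the file is not stored on this
          # server, which is entirely possible with php-fpm/php-fcgi.
          # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
          # another machine. And then cross your fingers that you won't get hacked.
          try_files $uri =404;
          # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
          # (set below via php_admin_value in the pool).
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          # With php5-cgi alone:
          # Must match the pool's listen address below.
          fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
          # Defining fastcgi_param here means the http-level fastcgi.conf
          # include is not inherited; this list is what php-fpm receives.
          fastcgi_param QUERY_STRING $query_string;
          fastcgi_param REQUEST_METHOD $request_method;
          fastcgi_param CONTENT_TYPE $content_type;
          fastcgi_param CONTENT_LENGTH $content_length;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param SCRIPT_NAME $fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_path_info;
          fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
          fastcgi_param REQUEST_URI $request_uri;
          fastcgi_param DOCUMENT_URI $document_uri;
          fastcgi_param DOCUMENT_ROOT $document_root;
          fastcgi_param SERVER_PROTOCOL $server_protocol;
          fastcgi_param GATEWAY_INTERFACE CGI/1.1;
          fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
          fastcgi_param REMOTE_ADDR $remote_addr;
          fastcgi_param REMOTE_PORT $remote_port;
          fastcgi_param SERVER_ADDR $server_addr;
          fastcgi_param SERVER_PORT $server_port;
          fastcgi_param SERVER_NAME $server_name;
          fastcgi_param HTTPS $https;
          # Overrides a client-supplied Proxy header (httpoxy).
          fastcgi_param HTTP_PROXY "";
        }
      '';
    };
  };

  # One-shot: create the state and cache directories php-fpm writes to.
  # Modes are 750 (was 751): only pfauser/pfagroup use these trees — the
  # sqlite database configured above lives in dataDir and nginx serves the
  # package's public/ directory, not these paths — so "others" need no
  # traverse bit on them.
  systemd.services."postfixadmin-setup" = {
    serviceConfig.Type = "oneshot";
    wantedBy = [ "multi-user.target" ];
    # NOTE(review): nothing orders this unit before the php-fpm service, so
    # on first boot the pool may start before these directories exist —
    # confirm and add a `before` on the php-fpm unit if so.
    script = ''
      # Setup the data directory with the database and the cache directory
      mkdir -p ${dataDir}
      chmod -c 750 ${dataDir}
      chown -c ${pfauser}:${pfagroup} ${dataDir}
      mkdir -p ${cacheDir}/templates_c
      chown -Rc ${pfauser}:${pfagroup} ${cacheDir}/templates_c
      chmod -Rc 750 ${cacheDir}/templates_c
    '';
  };

  services.phpfpm.pools.${phppoolName} = {
    # TCP on loopback: any local process can reach the pool. A unix socket
    # with listen.owner/listen.group set to the nginx user would restrict
    # that to nginx; kept as-is because nginx's fastcgi_pass above targets
    # this address.
    listen = "127.0.0.1:9000";
    extraConfig = ''
      user = ${pfauser}
      pm = dynamic
      pm.max_children = 75
      pm.min_spare_servers = 5
      pm.max_spare_servers = 20
      pm.max_requests = 10
      catch_workers_output = 1
      ; Requests above nginx's client_max_body_size (10m in the generated
      ; nginx.conf) are rejected before these 42M limits ever apply.
      php_admin_value[upload_max_filesize] = 42M
      php_admin_value[post_max_size] = 42M
      php_admin_value[memory_limit] = 128M
      ; Keep at 0: the nginx try_files/split_path_info setup relies on PHP
      ; not re-interpreting PATH_INFO.
      php_admin_value[cgi.fix_pathinfo] = 0
    '';
  };
}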
Trying to access http://mailtest/index.php yields
Jan 12 15:32:53 mailtest php-fpm[30644]: [WARNING] [pool postfixadmin_pool] child 30656 said into stderr: "NOTICE: Access to the script '/nix/store/hn719gylar3n8bh6x1660l0x6n1z2n46-postfixadmin-3.2/public' has been denied (see security.limit_extensions)"
This indicates that somewhere the "index.php" part has been lost and only the directory survives.
nginx shows this in its log:
Jan 12 15:32:53 mailtest nginx[7074]: 2019/01/12 15:32:53 [error] 7082#7082: *1 FastCGI sent in stderr: "Access to the script '/nix/store/hn719gylar3n8bh6x1660l0x6n1z2n46-postfixadmin-3.2/public' has been denied (see security.limit_extensions)" while reading response header from upstream, client: 192.168.X.X, server: mailtest, request: "GET /index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "mailtest"