From cbc14b3baea457cf2718b85f767d39ff3911ce91 Mon Sep 17 00:00:00 2001
From: Bruno Victal
Date: Wed, 5 Apr 2023 16:34:08 +0100
Subject: services: nginx: Harden php-location settings.

* gnu/services/web.scm (nginx-php-location): Only pass existing PHP files to the back end. Mitigate httpoxy vulnerability.
---
 gnu/services/web.scm | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'gnu/services')

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 45897d7d6f..818226a4f7 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1144,6 +1144,14 @@ a webserver.")
 (uri "~ \\.php$")
 (body (list "fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+
+ ;; Include some upstream recommendations from
+ ;; https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi
+ ;; Mitigate https://httpoxy.org/ vulnerabilities
+ "fastcgi_param HTTP_PROXY \"\";"
+ ;; Only pass existing php files to the backend.
+ "if (!-f $document_root$fastcgi_script_name) { return 404; }"
+
 (string-append "fastcgi_pass unix:" socket ";")
 "fastcgi_index index.php;"
 (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))
-- cgit 1.4.1
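Review bot: The existence check on the new `"if (!-f $document_root$fastcgi_script_name) { return 404; }"` line relies on an `if` block in location context, which nginx's own documentation warns is fragile; `return` inside `if` is one of the forms it documents as safe, but the same intent is expressed without `if` by `"try_files $fastcgi_script_name =404;"`, and a comment saying why `if` was chosen over `try_files` would help the next reader. The `"fastcgi_param HTTP_PROXY \"\";"` line is placed before the `include .../fastcgi.conf;` entry; if I recall the httpoxy guidance correctly, an explicitly set `fastcgi_param` takes precedence over the header-derived `HTTP_*` parameters regardless of order, but it would be worth stating that in the comment so a later reordering does not appear to matter. Both checks depend on `$document_root` resolving to the directory the PHP back end serves, so the docstring of nginx-php-location could note that callers must set `root` in the enclosing server or location block. The enclosing `nginx-php-location` definition starts outside the hunk.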