我很难让nginx在magento安装的上传目录中停止执行PHP。 我已经尝试了很多指令的组合,当* .php匹配那个目录时,它应该发送一个503或者类似的命令,但是我仍然可以在那里执行PHP。 当然,代码解决scheme是防止.php文件被上传,但我不明白如何从nginx的angular度来防止执行。
map $http_x_ssl_offloaded $fastcgi_https { default off; on on; } server { listen 80; server_name store.xxxx.com; root /var/www/store.xxxx.com; #charset koi8-r; #access_log /var/log/nginx/store.xxxx.com-access.log main; access_log /var/log/nginx/store.xxxx.com-access.log; error_log /var/log/nginx/store.xxxx.com-error.log; gzip on; gzip_disable msie6; gzip_static on; gzip_comp_level 9; gzip_proxied any; gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript; location / { index index.html index.php; try_files $uri $uri @handler; expires 30d; ## Assume all files are cachable } ## Location for media to prevent execution of php location ^~ /media/ {} ## These locations would be hidden by .htaccess normally location ^~ /app/ { deny all; } location ^~ /includes/ { deny all; } location ^~ /lib/ { deny all; } location ^~ /media/downloadable/ { deny all; } location ^~ /pkginfo/ { deny all; } location ^~ /report/config.xml { deny all; } location ^~ /var/ { deny all; } location /var/export/ { ## Allow admins only to view export folder auth_basic "Restricted"; ## Message shown in login window auth_basic_user_file htpasswd; ## See /etc/nginx/htpassword autoindex on; } location /. { ## Disable .htaccess and other hidden files return 404; } location @handler { ## Magento uses a common front handler rewrite / /index.php; } location ~ .php/ { ## Forward paths like /js/index.php/x.js to relevant handler rewrite ^(.*.php)/ $1 last; } # Pass all PHP scripts to the PHP-FPM location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; if (!-f $document_root$fastcgi_script_name) { return 404; } expires off; ## Do not cache dynamic content fastcgi_pass 127.0.0.1:9000; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param MAGE_RUN_CODE en_us; fastcgi_param MAGE_RUN_TYPE store; fastcgi_param SSL_OFFLOADED $fastcgi_https; fastcgi_param HTTPS $fastcgi_https; fastcgi_read_timeout 6000; } location /api { rewrite ^/api/rest /api.php?type=rest last; rewrite ^/api/v2_soap /api.php?type=v2_soap last; rewrite ^/api/soap /api.php?type=soap last; } location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; deny all; } # deny running scripts inside writable directories location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ { return 403; error_page 403 /403_error.html; } # caching of files location ~* \.(ico|pdf|flv)$ { expires 1y; } location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ { expires 14d; } # redirect server error pages to the static page /40x.html # error_page 404 /404.html; location = /40x.html { } # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { } # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # location ~ /\.ht { deny all; } } 官方文件说 :
…正则表达式按照它们在配置文件中出现的顺序进行检查。 正则表达式的搜索在第一次匹配时终止,并使用相应的配置。
因此,您拒绝脚本的位置应在执行脚本的位置之前。
我在这里不太确定,但我认为这是行不通的:
## Location for media to prevent execution of php location ^~ /media/ {}
…是因为它没有立竿见影的效果,编译器完全优化了它。
尝试添加到行:
location ~ [^/]\.php(/|$) {
下面的指令(更改“your_directory”与您需要禁止php文件上传的文件夹):
location ~* /your_directory/.*\.php$ { return 503; }