8000 security #6008 Improved nginx config to not expose other php files (p… · symfony/symfony-docs@90a2922 · GitHub

Commit 90a2922

security #6008 Improved nginx config to not expose other php files (peterrehm)
This PR was submitted for the 2.8 branch but it was merged into the 2.3 branch instead (closes #6008).

Discussion
----------

Improved nginx config to not expose other php files

| Q             | A     |
| ------------- | ----- |
| Doc fix?      | yes   |
| New docs?     | no    |
| Applies to    | all   |
| Fixed tickets | #6005 |

This should improve the security as all non-defined php files will return a 404 error code instead of providing them as text, which is a more sane solution.

Commits
-------

6545884 Updated according to comments
31a13cb Improved nginx config to not expose other php files
2 parents cf3ee37 + 6545884 commit 90a2922

1 file changed: +13 -4 lines changed
cookbook/configuration/web_server_configuration.rst

Lines changed: 13 additions & 4 deletions
@@ -305,6 +305,12 @@ The **minimum configuration** to get your application running under Nginx is:
305305
# Remove the internal directive to allow URIs like this
306306
internal;
307307
}
308+
309+
# return 404 for all other php files not matching the front controller
310+
# this prevents access to other php files you don't want to be accessible.
311+
location ~ \.php$ {
312+
return 404;
313+
}
308314
309315
error_log /var/log/nginx/project_error.log;
310316
access_log /var/log/nginx/project_access.log;
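Review bot: the new catch-all at lines 311-313 relies on nginx's rule that regex `location` blocks are tested in order of appearance and the first match wins, so it only works because it is placed after the front-controller `location`; the comment at line 309 should say so, because a reader who reorders the blocks (or adds a new `.php` location below it) silently breaks the front controller with a 404. Separately, `~ \.php$` matches only URIs that end in `.php`, so a request for a script with trailing path info such as `/other.php/extra` does not hit this block and falls through to whatever handling follows; if the intent is to cover every `.php` script, the pattern `~ \.php(/|$)` expresses that. Minor: "php files you don't want to be accessible" at line 310 reads better as "PHP files that should not be accessible".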
@@ -318,14 +324,17 @@ The **minimum configuration** to get your application running under Nginx is:
318324
.. tip::
319325

320326
This executes **only** ``app.php``, ``app_dev.php`` and ``config.php`` in
321-
the web directory. All other files will be served as text. You **must**
322-
also make sure that if you *do* deploy ``app_dev.php`` or ``config.php``
323-
that these files are secured and not available to any outside user (the
324-
IP address checking code at the top of each file does this by default).
327+
the web directory. All other files ending in ".php" will be denied.
325328

326329
If you have other PHP files in your web directory that need to be executed,
327330
be sure to include them in the ``location`` block above.
328331

332+
.. caution::
333+
334+
After you deploy to production, make sure that you **cannot** access the ``app_dev.php``
335+
or ``config.php`` scripts (i.e. ``http://example.com/app_dev.php`` and ``http://example.com/config.php``).
336+
If you *can* access these, be sure to remove the ``DEV`` section from the above configuration.
337+
329338
For advanced Nginx configuration options, read the official `Nginx documentation`_.
330339

331340
.. _`Apache documentation`: http://httpd.apache.org/docs/
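Review bot: the rewritten tip at line 327 says all other `.php` files "will be denied", but the configuration added in the previous hunk returns a 404, not a 403; saying "will return a 404 Not Found" tells readers exactly what to expect when they verify the deployment. In the new caution (lines 334-336), "remove the ``DEV`` section from the above configuration" refers to a section that is not named anywhere in this hunk, so point at the concrete line to remove (the front-controller pattern that lists ``app_dev.php`` and ``config.php``). The caution body lines also run well past the 80-column width the surrounding lines keep; rewrap them to match.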
