NGINX Configuration #6005
Comments
|
Well, some lines above we tell you that you should neither deploy |
|
I see the issue that most people checkout their repository and forget to remove those files. We could add some config redirecting app_*.php and config.php. |
|
Can we somehow simply trigger a 404 status code? This way we would also leak less information. |
|
Ill look into that, I would expect it should not be a big deal. |
|
Just provided an easy solution. |
|
I have also found the example Nginx configuration to be a liability for the reasons mentioned here. Any .php file that exists in web/ in production other than app.php will be served as a static file. I would suggest that this caveat is at least mentioned in the documentation. |
…eterrehm) This PR was submitted for the 2.8 branch but it was merged into the 2.3 branch instead (closes #6008). Discussion ---------- Improved nginx config to not expose other php files | Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | #6005 This should improve the security as all non defined php files will return a 404 error code instead of providing them as text which is a more sane solution. Commits ------- 6545884 Updated according to comments 31a13cb Improved nginx config to not expose other php files
If I understand the configuration correctly according to this document http://symfony.com/doc/current/cookbook/configuration/web_server_configuration.html#nginx
The server will not pass e.g. app_dev.php to php5-fpm but it will download the source instead. If that is confirmed shouldn't the recommended configuration for the prod environment be that no other php file can be executed and will be e.g. forwarded to app.php?
The text was updated successfully, but these errors were encountered: