How to use nginx to restrict access to every file to 127.0.0.1, except the PHP files in /

Hi,

I want to configure our nginx to be a little more paranoid concerning file access.

Right now, I am using rules like:

location /includes {
    allow 127.0.0.1;
    deny all;
}

… but I need to repeat this kind of rule for every folder, and then restrict access to the PHP files inside. So our rules file is too long, complicated and getting very messy. Also, this doesn't protect the PHP files, only the folders, so I need to add more and more rules, always.

The PHP files a visitor needs to be able to reach directly are in / (like index.php, login.php, etc.).

I would like to restrict every other file to 127.0.0.1, and then add some rules to allow all traffic only where required.

But I cannot figure out how I can achieve this with nginx. I'm pretty sure there is a single rule that can do this. :)

Any help will be very much appreciated, and may help many others, I am sure, to be more secure.

Thank you,

Carl

Posted at Nginx Forum:

Hello!

On Wed, Nov 12, 2014 at 05:26:27AM -0500, carlg wrote:

}
rules to allow all traffic only where required.

But I cannot figure out how I can achieve this with nginx. I'm pretty sure there is a single rule that can do this. :)

Any help will be very much appreciated, and may help many others, I am sure, to be more secure.

The most secure approach would be to explicitly allow access to certain files by using access rules at server (or even http) level, like this:

server {
    ...

    allow 127.0.0.2;
    deny all;

    location = /file_to_be_allowed {
        allow all;
        ...
    }

    ...
}

Note that you have to configure all required processing, not just access rules. That is, for PHP files you'll have to configure fastcgi_pass/whatever as appropriate.


Maxim D.
http://nginx.org/
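Maxim's pattern as a complete server block, added here as an example (it is not Maxim's or Carl's own configuration). It assumes an example.com site rooted at /var/www/example, PHP-FPM listening on the unix:/var/run/php5-fpm.sock socket Carl mentions later in the thread, index.php and login.php as the only public scripts, and a hypothetical /assets/ directory of public static files. It uses 127.0.0.1, as Carl asked, rather than the 127.0.0.2 in the snippet above.

```nginx
# Added example: deny-by-default server with exact-match allow list.
# Hostname, document root and the /assets/ directory are assumptions.
server {
    listen 80;
    server_name example.com;    # assumed
    root /var/www/example;      # assumed document root
    index index.php;

    # Default policy for every URI: loopback only. Every location that
    # does not declare its own allow/deny inherits this pair.
    allow 127.0.0.1;
    deny all;

    # FastCGI settings declared once, so an allowed PHP location only
    # needs fastcgi_pass. Drop the SCRIPT_FILENAME line if your
    # fastcgi_params file already sets it.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    # "/" itself must be allowed: the access check runs before the index
    # module turns it into an internal redirect to /index.php.
    location = / {
        allow all;
    }

    # Public entry points. Exact-match locations win over prefix and
    # regex locations, so a later "location ~ \.php$" cannot shadow them.
    location = /index.php {
        allow all;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    location = /login.php {
        allow all;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    # Public static files. There is no fastcgi_pass here, so a .php file
    # dropped into this tree is sent as text, never executed; keep
    # writable upload directories out of any allow-all location.
    location ^~ /assets/ {
        allow all;
    }

    # Everything else (/includes/*.php, config files, dotfiles, vendor/)
    # hits the server-level rules: 403 for non-loopback clients. Even
    # from 127.0.0.1 a stray .php outside the locations above is served
    # as a static file, because no fastcgi_pass applies to it.
}
```

Check it with `nginx -t`, then request /includes/anything.php once from an outside address (expect 403) and once from the host itself (expect a static download or 404), and /login.php from outside (expect PHP output).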

Hi,

It works, but I am still able to access the PHP files inside the restricted directories. I tried with:

location /myfolder/(.+).php$ {
    deny all;
}

But this doesn’t work!

Also, I cannot make this method work nicely with our clean URLs. We are using:

location / {
    #try_files $uri $uri/ /index.php;
    #try_files $uri/ $uri /index.php?$query_string;
    include /etc/nginx/naxsi.rules;
    try_files $uri $uri.html $uri/ @extensionless-php;
}

location @extensionless-php {
    rewrite ^(.*)$ $1.php last;
    allow all;
}

Thank you in advance for your help,

Carl


Hello!

On Thu, Nov 13, 2014 at 03:33:03AM -0500, carlg wrote:

Hi,

It works, but I am still able to access the PHP files inside the restricted directories. I tried with:

location /myfolder/(.+).php$ {
    deny all;
}

But this doesn’t work!

If you followed what I suggested, you should not be able to access
anything unless it’s explicitly allowed. I suspect you’ve added
something like “location ~ .php$ { allow all; …}” - and this is
what causes your problems. Remove it, and start again with
exact match locations, as previously suggested.

Also, I cannot make this method work nicely with our clean URLs. We are using:

By introducing various rewriting in nginx configuration you make
your life harder. That’s your deliberate choice. Igor recently
gave a talk about this, see here:


Maxim D.
http://nginx.org/

Here is what I found to achieve this:

I denied access to every PHP file:

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    allow 127.0.0.1;
    deny all;
}

and then I created one rule per page (takes time with some scripts, but it is worth it :)

location ~* ^/myfile\.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    try_files $uri $uri/ /index.php?q=$args;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    include /etc/nginx/naxsi.rules;
    allow all;
}

Every tutorial I found on nginx tells us to allow/deny in location /.
…but ^(.+\.php) is another location, not included in location /

If I follow most tutorials I am still able to reach the PHP files inside the location / even if I denied access to all of them. Doing it this way works great :)

I hope this will help someone … …someday :)
Cheers :)


I suggest you put the generic \.php$ regex location into the / default prefix location, like:

location / {
    location ~ \.php$ {
        […]
    }
}

This avoids having regex locations at the first level, since they are sensitive to order.

Why use regex locations for individual files? The following would be more efficient:

location /myfile.php {
    […]
}

I also suggest you move redundant directives to the upper level whenever
possible, this will help maintenance.

B. R.
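Carl's working layout reorganised the way B. R. suggests, and extended to the clean URLs Carl could not fit in. This is an added example, not B. R.'s or Carl's configuration. It keeps Carl's PHP-FPM socket and his /etc/nginx/naxsi.rules file (assumed to hold location-level naxsi directives), and assumes an example.com site rooted at /var/www/example with index.php and login.php as the only public scripts and a hypothetical /assets/ directory of static files.

```nginx
# Added example: nested generic PHP handler, exact-match public scripts,
# shared FastCGI settings, clean URLs without opening the tree.
# Hostname, document root and the /assets/ directory are assumptions.
server {
    listen 80;
    server_name example.com;    # assumed
    root /var/www/example;      # assumed document root
    index index.php;

    # Site-wide default: loopback only.
    allow 127.0.0.1;
    deny all;

    # FastCGI settings declared once at server level; locations only add
    # fastcgi_pass. Drop SCRIPT_FILENAME if fastcgi_params sets it.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_index index.php;

    # "/" is allowed so the index module can redirect it to /index.php.
    location = / { allow all; }

    # Public scripts: one exact-match location per file, no regex needed.
    # naxsi rules are applied where the outside world actually gets in.
    location = /index.php {
        allow all;
        include /etc/nginx/naxsi.rules;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
    location = /login.php {
        allow all;
        include /etc/nginx/naxsi.rules;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    # Public static files. ^~ stops the regex search, so a .php placed
    # here would be served as text; keep uploads out of this tree.
    location ^~ /assets/ { allow all; }

    # Catch-all. The rewrite runs in the rewrite phase, before the
    # access check and before try_files, so clean URLs work while this
    # location keeps the inherited deny: /login becomes /login.php and
    # is matched again from the top, where only the exact-match
    # locations above are open. /includes/config.inc becomes
    # /includes/config.inc.php and lands in the nested handler, so no
    # file under a restricted directory is ever served statically.
    location / {
        rewrite ^(.*)$ $1.php last;

        # Generic PHP handler, nested so it is only reached by URIs no
        # exact-match or ^~ location claimed. Access rules are inherited
        # from the enclosing "location /", not from the server block, so
        # an "allow all" added to "location /" later would silently open
        # every script; state the policy here explicitly instead.
        location ~ \.php$ {
            allow 127.0.0.1;
            deny all;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
        }
    }
}
```

The reason Carl's try_files version could not be made safe is ordering: access rules are checked before try_files runs, so a "location /" that is open enough for try_files to serve /login.php is also open enough to serve /includes/config.inc as a static file. A rewrite with "last" changes the URI before any access check and forces a fresh location search, so the decision is always made by the final location. After `nginx -t`, verify from an outside address that /login and /login.php return PHP output, that /includes/x.php, /includes/x.inc and /includes/ all return 403, and that the same paths behave normally from 127.0.0.1.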