I'm using OWASP core rule set 3.2.0 set up with ModSecurity 3.0.4 and ModSecurity-nginx.
If I have a rule exclusion like this, in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:
SecRule REQUEST_URI "@beginsWith /api.php" \
"id:1015,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveById=941160"
How do I also limit this exclusion to a specific hostname? For example, wiki.example.com.
I'm trying to execute a PHP file on my server at the url /~nik/t.php (actual file is at /home/nik/public_html/t.php). Here's
what my PHP settings look like:
location ~ ^/~(.+?)(/.*)\.php$ {
alias /home/$1/public_html;
# What should this regex be?
fastcgi_split_path_info ^/~nik/(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi.conf;
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
I keep getting a 404, and when I comment out the clause around return 404;, I'm able to see the error:
Unable to open primary script: /home/nik/public_html/~nik/t.php (No such file or directory)
Can you see what's wrong with my configuration, or point me to some docs on how to do this? It's unfortunate that an advanced knowledge of regexes is a requirement to configure nginx.
I'm using Ubuntu 14.10, nginx 1.6.2, php 5.5.12. I have a site set up like this:
server {
root /usr/share/nginx/www/oliviataussig;
index index.php;
server_name oliviataussig.com www.oliviataussig.com;
location / {
try_files $uri $uri/ /index.php =404;
}
location ~ \.php$ {
try_files $uri =404;
include fastcgi.conf;
fastcgi_pass unix:/var/run/php5-fpm.sock;
}
}
When I go to the homepage (index.php), it works fine. However, when I click on any of the links on the page (this is a WordPress-like CMS) I want to fall back to /index.php, and it does that, but index.php gets downloaded instead of executed. How do I fix that?
I have a user's home alias set up like this:
location ~ ^/~(.+?)(/.*)?$ {
alias /home/$1/public_html$2;
include fastcgi_params;
}
I have a PHP application in one of the folders, and I want to rewrite to /~user/app/index.php when someone visits /~user/app/whatever. I would think this line would work:
try_files $uri $uri/ /home/$1/public_html$2/index.php;
But it doesn't, and nginx configuration is some of the most confusing stuff I've ever had to deal with. What am I missing here?
On a separate but related note, I really miss .htacess when I use nginx. I know people say it's insecure or whatever but it's really nice to keep directory-specific configuration out of this main file.
I hate configuring nginx. It's so complicated. How do I get PHP to work in my user dirs? Here's the relevant part of my nginx.conf:
location ~ ^/~(.+?)(/.*)?$ {
autoindex on;
autoindex_exact_size off;
alias /home/$1/public_html$2;
location ~ \.php {
include /etc/nginx/fastcgi.conf;
fastcgi_intercept_errors on;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
}
}
This gives me the error: FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream in the nginx error log.
Here's my /etc/nginx/fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
I'm assuming nginx isn't resolving the script name correctly. I hate having to tell nginx where to look in my filesystem, writing custom regexes for what should be built-in (or at least standardized and documented) functionality.