aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBruno Victal <mirai@makinata.eu>2023-04-05 16:34:08 +0100
committerTobias Geerinckx-Rice <me@tobias.gr>2023-07-02 02:00:01 +0200
commitcbc14b3baea457cf2718b85f767d39ff3911ce91 (patch)
treea5786411853fe285876f6f90f8ed896e8123207f
parent849f31d5746f5633f9f2a768b76739afc257ae99 (diff)
downloadguix-cbc14b3baea457cf2718b85f767d39ff3911ce91.tar
guix-cbc14b3baea457cf2718b85f767d39ff3911ce91.tar.gz
services: nginx: Harden php-location settings.
* gnu/services/web.scm (nginx-php-location): Only pass existing PHP files to the back end. Mitigate httpoxy vulnerability.
-rw-r--r--gnu/services/web.scm8
1 files changed, 8 insertions, 0 deletions
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 45897d7d6f..818226a4f7 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1144,6 +1144,14 @@ a webserver.")
(uri "~ \\.php$")
(body (list
"fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+
+ ;; Include some upstream recommendations from
+ ;; https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi
+ ;; Mitigate https://httpoxy.org/ vulnerabilities
+ "fastcgi_param HTTP_PROXY \"\";"
+ ;; Only pass existing php files to the backend.
+ "if (!-f $document_root$fastcgi_script_name) { return 404; }"
+
(string-append "fastcgi_pass unix:" socket ";")
"fastcgi_index index.php;"
(list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))