Posted by descender on March 11, 2011 at 2:11pm
Hi all,
I just want to alert everyone that a number of the stock/sample Nginx configs listed in this group have a problem with CKFinder, a file manager plugin for the CKEditor editor.
The gist of the problem is that the configs limit access to only a handful of PHP scripts from Drupal core such as index.php, update.php, etc. CKFinder happens to generate its interface through a certain connector.php. To solve this, you have to add access to connector.php:
# Needed for CKFinder to work
location = /sites/all/modules/ckeditor/ckfinder/core/connector/php/connector.php {
    include fastcgi-rules.conf;
}

Hope this helps.
Comments
It's not a bug, it's a feature
Since you should not allow for arbitrary execution of PHP scripts. Either you choose a catch all insecure rule with, e.g.,
~ \.php$, and set yourself up for being p0wned or you try to be as specific as possible and experience the minor inconvenience of adding the exact location for each new script manually to the config.

A feature that needs some explanation
@perusio I use your config for my drupal site. Thanks for such a thorough job and such attention to security. It is far better than I would have come up with myself--being new to Nginx.
I have run into two things you could not have foreseen, FCKeditor/Finder and using a semi-integrated version of PHP Lists. These both required me to allow PHP to run in other locations. This notion can blind-side Apache users.
It would be nice if you could include an example of how to do this safely and why it needs to be done in your sample config framework. Something we could clone to fit our specific needs.
What is the log saying regarding the 404?
I add a little note about the ad module. It needs to be improved. The correct way to do it is to rely on the log:
What's the path that is indicated as a 404 for the PHP file you want to execute?
Add an exact location with the path to that file.
Example:
The file not found is /siteroot/path/to/foo.php. Then you need to specify the path relative to the root defined by the root directive:

location = /path/to/foo.php {
    # fastcgi stuff like in the /index.php location
}
In a nutshell this is the procedure with no second guessing. It's not "pretty" but it works.
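To show how the "no catch-all, one exact location per script" approach from the first comment and the 404-driven procedure above fit together in a single server block, here is an added example; it is not perusio's config nor anything posted in this thread. It assumes a document root of /var/www/drupal, that fastcgi-rules.conf (the include named in the original post) carries the fastcgi_pass and fastcgi_param lines, and that cron.php is one of the core scripts you want reachable; adjust those to your site.

```nginx
# Added example: hardened PHP handling for a Drupal site under Nginx.
# Assumptions: root is /var/www/drupal and fastcgi-rules.conf holds the
# fastcgi_pass / fastcgi_param directives used by the rest of the config.

root /var/www/drupal;

# Only these Drupal core entry points may ever reach PHP-FPM.
location = /index.php  { include fastcgi-rules.conf; }
location = /update.php { include fastcgi-rules.conf; }
location = /cron.php   { include fastcgi-rules.conf; }

# Third-party scripts are opened up one at a time, by exact path, after the
# error log shows a 404 for them (the procedure described in the thread).
location = /sites/all/modules/ckeditor/ckfinder/core/connector/php/connector.php {
    include fastcgi-rules.conf;
}

# Any other *.php request, including a .php file that lands in an upload
# directory such as sites/default/files, is refused rather than executed.
# Nginx resolves "location =" exact matches before regex locations, so the
# allowed scripts above still work while this block catches the rest.
location ~ \.php$ {
    return 404;
}
```

The regex block is what turns the "specific is better" advice into an enforced default: a new script that has not been granted its own exact location fails closed with a 404 in the log, which is exactly the signal the procedure above tells you to look for before adding one more line.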