Which PHP files of core and modules must be accessible from browser?

RedRat:

First of all, excuse my English. I hope you can understand what I want to ask.

For a long time I have used this NginX config as a template for my own, but I am very unsatisfied with its security concerning PHP files. I mean, there are only a few PHP files which are really needed for Drupal to work: index.php, update.php and cron.php (install.php is used only once and I don't use any features of xmlrpc.php). So I want to rewrite my NginX config to grant access only to the listed PHP files.

But I have some doubts about such an approach. Also I suspect there may be more PHP files in the core or modules that must be accessible from the browser. Can you point me to such examples?

Comments

Perusio's config is very thorough.

Yes, I know about this

RedRat:

Yes, I know about this project and even tried to use it some years ago. But his config is way too thorough, if you know what I mean. ;-)

Anyway, I will try to shrink it to a reasonable set of features.

This might be worth checking out

Brian Altenhofel:

From Aegir -

http://drupalcode.org/project/provision.git/blob/refs/heads/7.x-2.x:/htt...

There's also a simple one, but there doesn't seem to be much difference with a quick scroll (haven't looked close or diffed).

Pretty straightforward

RedRat:

Pretty straightforward config, I see already some things that I'll borrow from it. Thanks!

Peter Bowey:

See:

1) https://github.com/omega8cc/nginx-for-drupal/tree/master/aegir/conf
and
2) https://github.com/omega8cc/provision/tree/master/http/Provision/Config/...

Stability within the BOA Nginx configs is excellence and maturity!

Just take some time to read the docs and scripts on the 1st link.

--
Linux: Web Developer
Peter Bowey Computer Solutions
Australia: GMT+9:30
(¯`·..·[ Peter ]·..·´¯)

Peter, thanks for the links,

RedRat:

Peter, thanks for the links, I'll give it a shot!

If you use Drush to do cron

Garrett Albright:

If you use Drush to do cron runs and database updates, then update.php and cron.php are not needed either - index.php is all that is necessary.

That being said, the smartest approach really is to not reinvent the wheel and just use perusio's tried and true config. It's already well-tuned for security out of the box.

@RedRat why don't you just

likewhoa:

@RedRat why don't you just pick out the bits from perusio's you need instead of wasting time trying to figure this out yourself. It's all there...

    ## Replicate the Apache <FilesMatch> directive of Drupal standard
    ## .htaccess. Disable access to any code files. Return a 404 to curtail
    ## information disclosure. Hide also the text files.
    location ~* ^(?:.+\.(?:htaccess|make|txt|engine|inc|info|install|module|profile|po|sh|.*sql|test|theme|tpl(?:\.php)?|xtmpl)|code-style\.pl|/Entries.*|/Repository|/Root|/Tag|/Template)$ {
        return 404;
    }

It's one, I'll let you find the rest ;)

bending technology to fit businesses.
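Pulling the thread together, here is an added nginx example that implements what the original question asks for: PHP-FPM is only ever handed index.php, update.php and cron.php, every other .php request gets a 404, and the code and text files targeted by the .htaccess-style block quoted above are hidden as well. It is not perusio's, Aegir's or BOA's configuration and was not posted by anyone in this thread; the docroot, the PHP-FPM socket path and the host name are placeholders you would replace.

```nginx
# Added example for this thread, not taken from perusio's, Aegir's or BOA's config.
# Assumptions: Drupal 7 docroot at /var/www/drupal, PHP-FPM listening on the
# unix socket /var/run/php-fpm.sock, host name example.com (all placeholders).
server {
    listen 80;
    server_name example.com;
    root /var/www/drupal;
    index index.php;

    # Clean URLs: a request that is not an existing file or directory is
    # routed to the front controller with the path in the q parameter.
    location / {
        try_files $uri $uri/ @drupal;
    }

    location @drupal {
        rewrite ^/(.*)$ /index.php?q=$1 last;
    }

    # Allowlist: the only scripts PHP-FPM is ever asked to execute. The
    # leading ^/ pins them to the docroot, so a request such as
    # /sites/default/files/x.jpg/index.php (the cgi.fix_pathinfo trick with
    # uploaded files) does not match here. Drop update and cron from the group
    # when Drush runs database updates and cron, as Garrett notes above.
    location ~ ^/(index|update|cron)\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }

    # Any other .php request, anywhere in the tree, is answered 404 rather
    # than executed or served as source. Regex locations are tested in the
    # order written, so this block must come after the allowlist above.
    location ~ \.php$ {
        return 404;
    }

    # Same idea as the .htaccess FilesMatch block quoted above: Drupal code
    # and text files are never served as static content.
    location ~* \.(?:engine|inc|info|install|make|module|profile|po|sh|sql|test|theme|tpl(?:\.php)?|xtmpl)$ {
        return 404;
    }

    # Dot-files (.htaccess, .git, ...) are never served.
    location ~ /\. {
        return 404;
    }
}
```

Two details carry the security value. First, nginx evaluates regex locations in the order they appear in the file and stops at the first match, so the allowlist must be written before the catch-all `\.php$` deny; reversing them would 404 the front controller too. Second, anchoring the allowlist at `^/` means only files in the docroot itself qualify, so nothing under sites/*/files or inside a module directory can ever reach PHP-FPM, whatever its name.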

Yes, it's exactly what I plan

RedRat:

Yes, it's exactly what I plan to do: "Anyway I will try to shrink it to reasonable set of features".

Such a pity that nobody corrected the template config on the NginX wiki. :-\
