千万个美丽的未来,抵不上一个温暖的现在,每一个真实的现在,都是我们曾经幻想的未来!
Mar
13
具体配置文件参考:
fastcgi.conf
# Shared FastCGI parameters for php-fpm; pulled into each PHP location with
# `include fastcgi.conf;`.
# NOTE(review): PATH_INFO at the bottom reads $path_info, which is not a
# built-in nginx variable. The including location must `set $path_info`
# before the include, otherwise nginx refuses to start ("unknown variable").
# php-fpm on loopback only; never expose port 9000 on a public interface.
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
# Unsplit path: for /index.php/ctrl/act this becomes <root>/index.php/ctrl/act,
# which php-fpm can only run if cgi.fix_pathinfo=1 "fixes" it - the very
# setting the pathinfo vulnerability depends on. Locations that need PATH_INFO
# should override SCRIPT_FILENAME / SCRIPT_NAME / PATH_INFO after this include
# (nginx sends duplicate fastcgi_param entries as-is; php-fpm appears to keep
# the last one - verify on your version).
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
# Exposes the exact nginx version to scripts (e.g. through phpinfo()).
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# $path_info is supplied by the including location (see NOTE above).
fastcgi_param PATH_INFO $path_info;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
#fastcgi_param REDIRECT_STATUS 200;
nginx.conf
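# Main nginx configuration. Workers run as the unprivileged nginx user.
user nginx nginx;
worker_processes 16;
# `crit` suppresses upstream/php-fpm errors (logged at `error` level), which
# are exactly what you need when investigating failed or suspicious requests.
error_log logs/nginx_error.log error;
pid logs/nginx.pid;

events {
    # Per-worker limit. The process fd limit (worker_rlimit_nofile or
    # ulimit -n) must be raised to match, otherwise this value is never reached.
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Do not advertise the exact nginx version in the Server header / error pages.
    server_tokens off;

    # $http_x_forwarded_for is copied verbatim from the request header: it is
    # attacker-controlled unless a trusted proxy in front overwrites it. Keep it
    # in the log, but do not treat it as the client address without validation.
    log_format weblog '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log weblog;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_proxied any;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    # Virtual hosts live in separate files.
    include /usr/local/nginx/conf/test.conf;
}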
test.conf
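# Virtual host for www.test.com: PHP via php-fpm with PATH_INFO support for
# front-controller frameworks (ThinkPHP, CodeIgniter, Zend Framework, ...).
server {
    listen 80;
    server_name www.test.com;
    access_log logs/test.log;
    root /home/wwwroot/ci;
    index index.php index.html index.htm;

    # Front-controller rewrite: anything that is not an existing file or
    # directory is routed to /index.php/<original path>, which the PHP
    # location below turns into PATH_INFO.
    location / {
        if (!-e $request_filename) {
            rewrite ^/(.*)$ /index.php/$1 last;
        }
    }

    # Only URIs whose ".php" is followed by "/" or the end of the URI reach
    # php-fpm. The unanchored `~ \.php` this replaces also matched
    # /backup.php.bak or /uploads/pic.jpg/x.php; together with
    # cgi.fix_pathinfo=1 in php.ini the latter makes php-fpm execute the
    # uploaded pic.jpg (the "pathinfo" vulnerability).
    location ~ \.php(/|$) {
        # Split "/index.php/ctrl/action" into the script (/index.php) and
        # PATH_INFO (/ctrl/action). The lazy `.+?` stops at the first ".php".
        # (The original listing had this regex cut off before the closing `$")`.)
        set $real_script_name $fastcgi_script_name;
        set $path_info "";
        if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
            set $real_script_name $1;
            set $path_info $2;
        }

        # Refuse the request unless the script itself exists on disk. nginx then
        # never hands php-fpm a SCRIPT_FILENAME that php-fpm would have to
        # "fix" by walking back the path - the pathinfo attack vector. Keep
        # cgi.fix_pathinfo=0 in php.ini as the second layer of defence.
        if (!-f $document_root$real_script_name) {
            return 404;
        }

        # Shared parameters first, then the PATH_INFO-aware overrides. nginx
        # sends duplicate fastcgi_param entries as-is and php-fpm appears to
        # keep the last one, so the overrides must come AFTER the include.
        include fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
        fastcgi_param SCRIPT_NAME $real_script_name;
        fastcgi_param PATH_INFO $path_info;
    }
}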
以上配置可以支持 ThinkPHP、CI、ZF 等框架。安全提示:原配置中 `location ~ \.php` 没有结尾锚点,也没有校验脚本文件是否真实存在,如果 php.ini 里 cgi.fix_pathinfo=1(PHP 默认值),上传的 `x.jpg` 只要以 `/uploads/x.jpg/a.php` 这样的路径请求就会被 php-fpm 当作 PHP 执行(即下文通告的 pathinfo 漏洞)。建议同时做到:将 location 改为 `\.php(/|$)`、在 fastcgi_pass 之前检查 `-f $document_root$real_script_name`,并把 php.ini 的 cgi.fix_pathinfo 设为 0。
下面是NGINX官方对于pathinfo提供的解决方法:
fastcgi_split_path_info
syntax: fastcgi_split_path_info regex
context: location
version: ≥ 0.7.31
This directive allows the setting of the SCRIPT_FILENAME (SCRIPT_NAME) and PATH_INFO variables of the CGI specification. The regex consists of two groups:
path to the script that will handle the request — corresponding to $fastcgi_script_name.
the value of the parameter to be given to the script — corresponding to the $fastcgi_path_info.
Here's an example. The script show.php receives as argument the string article/0001. The following configuration will handle path splitting properly:
# Upstream example: fastcgi_split_path_info does the split that the hand-rolled
# `if` above does. Note the location is still unanchored, so /uploads/x.jpg/a.php
# is also handed to php-fpm; pair it with cgi.fix_pathinfo=0 and/or a check
# that $fastcgi_script_name exists on disk.
location ~ ^.+\.php {
(...)
# (?U) makes the first group ungreedy, so the split happens at the FIRST ".php".
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME /path/to/php$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
(...)
}
Requesting /show.php/article/0001 sets SCRIPT_FILENAME to /path/to/php/show.php and PATH_INFO to /article/0001.
fastcgi.conf
# Shared FastCGI parameters for php-fpm; pulled into each PHP location with
# `include fastcgi.conf;`.
# NOTE(review): PATH_INFO at the bottom reads $path_info, which is not a
# built-in nginx variable. The including location must `set $path_info`
# before the include, otherwise nginx refuses to start ("unknown variable").
# php-fpm on loopback only; never expose port 9000 on a public interface.
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
# Unsplit path: for /index.php/ctrl/act this becomes <root>/index.php/ctrl/act,
# which php-fpm can only run if cgi.fix_pathinfo=1 "fixes" it - the very
# setting the pathinfo vulnerability depends on. Locations that need PATH_INFO
# should override SCRIPT_FILENAME / SCRIPT_NAME / PATH_INFO after this include
# (nginx sends duplicate fastcgi_param entries as-is; php-fpm appears to keep
# the last one - verify on your version).
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
# Exposes the exact nginx version to scripts (e.g. through phpinfo()).
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# $path_info is supplied by the including location (see NOTE above).
fastcgi_param PATH_INFO $path_info;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
#fastcgi_param REDIRECT_STATUS 200;
nginx.conf
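# Main nginx configuration. Workers run as the unprivileged nginx user.
user nginx nginx;
worker_processes 16;
# `crit` suppresses upstream/php-fpm errors (logged at `error` level), which
# are exactly what you need when investigating failed or suspicious requests.
error_log logs/nginx_error.log error;
pid logs/nginx.pid;

events {
    # Per-worker limit. The process fd limit (worker_rlimit_nofile or
    # ulimit -n) must be raised to match, otherwise this value is never reached.
    worker_connections 65535;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Do not advertise the exact nginx version in the Server header / error pages.
    server_tokens off;

    # $http_x_forwarded_for is copied verbatim from the request header: it is
    # attacker-controlled unless a trusted proxy in front overwrites it. Keep it
    # in the log, but do not treat it as the client address without validation.
    log_format weblog '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log weblog;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;

    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.0;
    gzip_proxied any;
    gzip_comp_level 2;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;

    # Virtual hosts live in separate files.
    include /usr/local/nginx/conf/test.conf;
}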
test.conf
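# Virtual host for www.test.com: PHP via php-fpm with PATH_INFO support for
# front-controller frameworks (ThinkPHP, CodeIgniter, Zend Framework, ...).
server {
    listen 80;
    server_name www.test.com;
    access_log logs/test.log;
    root /home/wwwroot/ci;
    index index.php index.html index.htm;

    # Front-controller rewrite: anything that is not an existing file or
    # directory is routed to /index.php/<original path>, which the PHP
    # location below turns into PATH_INFO.
    location / {
        if (!-e $request_filename) {
            rewrite ^/(.*)$ /index.php/$1 last;
        }
    }

    # Only URIs whose ".php" is followed by "/" or the end of the URI reach
    # php-fpm. The unanchored `~ \.php` this replaces also matched
    # /backup.php.bak or /uploads/pic.jpg/x.php; together with
    # cgi.fix_pathinfo=1 in php.ini the latter makes php-fpm execute the
    # uploaded pic.jpg (the "pathinfo" vulnerability).
    location ~ \.php(/|$) {
        # Split "/index.php/ctrl/action" into the script (/index.php) and
        # PATH_INFO (/ctrl/action). The lazy `.+?` stops at the first ".php".
        # (The original listing had this regex cut off before the closing `$")`.)
        set $real_script_name $fastcgi_script_name;
        set $path_info "";
        if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") {
            set $real_script_name $1;
            set $path_info $2;
        }

        # Refuse the request unless the script itself exists on disk. nginx then
        # never hands php-fpm a SCRIPT_FILENAME that php-fpm would have to
        # "fix" by walking back the path - the pathinfo attack vector. Keep
        # cgi.fix_pathinfo=0 in php.ini as the second layer of defence.
        if (!-f $document_root$real_script_name) {
            return 404;
        }

        # Shared parameters first, then the PATH_INFO-aware overrides. nginx
        # sends duplicate fastcgi_param entries as-is and php-fpm appears to
        # keep the last one, so the overrides must come AFTER the include.
        include fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME $document_root$real_script_name;
        fastcgi_param SCRIPT_NAME $real_script_name;
        fastcgi_param PATH_INFO $path_info;
    }
}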
以上配置可以支持 ThinkPHP、CI、ZF 等框架。安全提示:原配置中 `location ~ \.php` 没有结尾锚点,也没有校验脚本文件是否真实存在,如果 php.ini 里 cgi.fix_pathinfo=1(PHP 默认值),上传的 `x.jpg` 只要以 `/uploads/x.jpg/a.php` 这样的路径请求就会被 php-fpm 当作 PHP 执行(即下文通告的 pathinfo 漏洞)。建议同时做到:将 location 改为 `\.php(/|$)`、在 fastcgi_pass 之前检查 `-f $document_root$real_script_name`,并把 php.ini 的 cgi.fix_pathinfo 设为 0。
下面是NGINX官方对于pathinfo提供的解决方法:
fastcgi_split_path_info
syntax: fastcgi_split_path_info regex
context: location
version: ≥ 0.7.31
This directive allows the setting of the SCRIPT_FILENAME (SCRIPT_NAME) and PATH_INFO variables of the CGI specification. The regex consists of two groups:
path to the script that will handle the request — corresponding to $fastcgi_script_name.
the value of the parameter to be given to the script — corresponding to the $fastcgi_path_info.
Here's an example. The script show.php receives as argument the string article/0001. The following configuration will handle path splitting properly:
# Upstream example: fastcgi_split_path_info does the split that the hand-rolled
# `if` above does. Note the location is still unanchored, so /uploads/x.jpg/a.php
# is also handed to php-fpm; pair it with cgi.fix_pathinfo=0 and/or a check
# that $fastcgi_script_name exists on disk.
location ~ ^.+\.php {
(...)
# (?U) makes the first group ungreedy, so the split happens at the FIRST ".php".
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME /path/to/php$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
(...)
}
Requesting /show.php/article/0001 sets SCRIPT_FILENAME to /path/to/php/show.php and PATH_INFO to /article/0001.
Sep
24
由于脚本编写时出错导致可能存在pathinfo漏洞,请所有lnmp用户检查一下php的pathinfo设置!!!
编辑 /usr/local/webserver/php/etc/php.ini 文件,搜索 cgi.fix_pathinfo:如果该行为 `; cgi.fix_pathinfo=0`(行首带分号,即被注释掉、对 PHP 不生效),请修改为 `cgi.fix_pathinfo=0`。注意:若文件中该行写的是 `; cgi.fix_pathinfo=1`,或者根本没有这一行,PHP 会使用默认值 1(即漏洞开启的状态),而且下面的 sed 命令也匹配不到任何内容,这时需要手动加上一行 `cgi.fix_pathinfo=0`。
或直接执行:sed -i 's/; cgi.fix_pathinfo=0/cgi.fix_pathinfo=0/g' /usr/local/webserver/php/etc/php.ini,执行后用 grep -n cgi.fix_pathinfo 该文件 确认结果是未注释的 cgi.fix_pathinfo=0。
再执行:/usr/local/webserver/php/sbin/php-fpm restart 重启 php-fpm(php.ini 的改动只有重启 php-fpm 后才生效;可在网页里用 phpinfo() 核对 cgi.fix_pathinfo 的实际值为 0)。
如果已经是未注释的 cgi.fix_pathinfo=0 则没问题,不需要修改。
请各位lnmp(linux+nginx+mysql+php)用户检查一下,防止pathinfo漏洞给网站或服务器带来安全隐患。
编辑 /usr/local/webserver/php/etc/php.ini 文件,搜索 cgi.fix_pathinfo:如果该行为 `; cgi.fix_pathinfo=0`(行首带分号,即被注释掉、对 PHP 不生效),请修改为 `cgi.fix_pathinfo=0`。注意:若文件中该行写的是 `; cgi.fix_pathinfo=1`,或者根本没有这一行,PHP 会使用默认值 1(即漏洞开启的状态),而且下面的 sed 命令也匹配不到任何内容,这时需要手动加上一行 `cgi.fix_pathinfo=0`。
或直接执行:sed -i 's/; cgi.fix_pathinfo=0/cgi.fix_pathinfo=0/g' /usr/local/webserver/php/etc/php.ini,执行后用 grep -n cgi.fix_pathinfo 该文件 确认结果是未注释的 cgi.fix_pathinfo=0。
再执行:/usr/local/webserver/php/sbin/php-fpm restart 重启 php-fpm(php.ini 的改动只有重启 php-fpm 后才生效;可在网页里用 phpinfo() 核对 cgi.fix_pathinfo 的实际值为 0)。
如果已经是未注释的 cgi.fix_pathinfo=0 则没问题,不需要修改。
请各位lnmp(linux+nginx+mysql+php)用户检查一下,防止pathinfo漏洞给网站或服务器带来安全隐患。