Nginx deny doesn't work for folder files

Question

I'm trying to restrict access to my site to allow only specific IPs and I've got the following problem: when I access www.example.com deny works perfectly, but when I try to access www.example.com/index.php it returns "Access denied" page AND php file is downloaded directly in browser without processing. I do want to deny access to all the files on the website for all IPs but mine. How should I do that?

Here's the config I have:

server {
listen 80;
server_name example.com; 
root /var/www/example;

location / {
    index index.html index.php; ## Allow a static html file to be shown first
    try_files $uri $uri/ @handler; ## If missing pass the URI to front handler
    expires 30d; ## Assume all files are cachable
 allow my.public.ip;
 deny all;
}

location @handler { ## Common front handler
    rewrite / /index.php;
}
location ~ .php/ { ## Forward paths like /js/index.php/x.js to relevant handler
    rewrite ^(.*.php)/ $1 last;
}

location ~ .php$ { ## Execute PHP scripts
    if (!-e $request_filename) { rewrite / /index.php last; } ## Catch 404s that try_files miss

    expires        off; ## Do not cache dynamic content
    fastcgi_pass   127.0.0.1:9001;
    fastcgi_param  HTTPS $fastcgi_https;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include        fastcgi_params; ## See /etc/nginx/fastcgi_params
    }
}

score 1 · Answer 1 · answered Oct 16 '13 at 17:18

1

Your location @handler is completely unnecessary and redundant, and is probably the cause of the problem. This is already covered by your existing index and try_files directive. Remove the location entirely and fix try_files.

try_files $uri $uri/ /index.php;

answered Oct 16 '13 at 17:18

Michael Hampton

237,123
42
477
940

Thanks for suggestion, but it doesn't work - nothing's really changed. I guess the problem have something to do with nginx priority for regex match but I have no idea how to solve it. – Ubertone Oct 17 '13 at 15:42

score 0 · Accepted Answer · answered Oct 19 '13 at 19:43

OK, so I've found the solution. Nginx processes the most exact regex which in this case is the regex for php files. To make the config work all further locations must be defined within / location rule except for @handler (you cannot put under any rule - only as root)

server {
listen 80;
server_name example.com; 
root /var/www/example;

    location / {
    index index.html index.php; ## Allow a static html file to be shown first
    try_files $uri $uri/ @handler; ## If missing pass the URI to front handler
    expires 30d; ## Assume all files are cachable
    allow my.public.ip;
    deny all;

    location ~ .php/ { ## Forward paths like /js/index.php/x.js to relevant handler
        rewrite ^(.*.php)/ $1 last;
    }

    location ~ .php$ { ## Execute PHP scripts
        if (!-e $request_filename) { rewrite / /index.php last; } ## Catch 404s that try_files miss

        expires        off; ## Do not cache dynamic content
        fastcgi_pass   127.0.0.1:9001;
        fastcgi_param  HTTPS $fastcgi_https;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params; ## See /etc/nginx/fastcgi_params
        }
}

    location @handler { ## Common front handler
        rewrite / /index.php;
    }

}

Nginx deny doesn't work for folder files

2 Answers2