I have the following nginx.conf
problem
folder /legacy/app has some files that I don't want to be accessible,
I thought the following location redirects all requests to php:
location / { try_files $uri $uri/ /index.php?$query_string;}
but I can open files like site.com/php-fpm.conf for example which I want to avoid.
question
What would be the best solution to prevent opening such static files without having custom locations like
location ~ \.(md|conf)$ {deny all;}
nginx.conf
worker_processes 1;
daemon off;
worker_rlimit_nofile 8192;
pid /tmp/nginx.pid;
user nginx;
error_log stderr;

events {
    worker_connections 4096;
}

http {
    client_body_temp_path /tmp/client_body_temp_path;
    proxy_temp_path /tmp/nginx-proxy-temp-path;
    fastcgi_temp_path /tmp/fastcgi_temp_path;
    include .nginx/mime.types;
    include .nginx/proxy.conf;
    include .nginx/fastcgi.conf;
    index index.php;
    log_format client_logs
        '$remote_addr - $remote_user [$time_local] $status '
        '"$request" $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';
    default_type application/octet-stream;
    tcp_nodelay on;
    sendfile on;
    tcp_nopush on;
    server_names_hash_bucket_size 128;
    keepalive_timeout 120;
    port_in_redirect off; # Ensure that redirects don't include the internal container PORT - 8080
    gzip on;

    server {
        server_name localhost;
        listen 8080;
        access_log /dev/stdout client_logs;
        error_log /dev/stderr;
        root /legacy/app;
        index index.php;
        error_page 500 502 503 504 /50x.html;

        # do not list us in search engines
        location = /robots.txt {
            add_header Content-Type text/plain;
            return 200 "User-agent: *\nDisallow: /\n";
            access_log off;
            log_not_found off;
        }

        location ~ ^/(images|javascript|js|css|fonts|static|assets)/ {
            root /legacy/app/;
            expires 30d;
            add_header Cache-Control public;
            access_log off;
        }

        location ~ \.php$ {
            root /legacy/app;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_read_timeout 600s;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            fastcgi_intercept_errors off;
            fastcgi_buffer_size 16k;
            fastcgi_buffers 4 16k;
        }

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
    }
}
CodePudding user response:
What try_files does is look for the file in the order you specify and the last argument is the fallback url.
So basically try_files $uri $uri/ /index.php?$query_string; looks for file $uri and serves it if it exists. Then it looks for directory $uri/ and serves it if it exists. If both the file and directory do not exist, it will fall back to the php file.
So if going by this approach you can try something like this:
location / {
    try_files _ /index.php?$query_string;
}
This will look for a file with name _ which should not exist in your document root and will issue an internal redirect to index.php.
You can also set status code like this:
location / {
    try_files _ =403;
}
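
Added example, not part of the original question or answer: a small Python audit that models the four location blocks of the nginx.conf above and lists which files under the document root the catch-all location would return as raw files, under the question's try_files and under the answer's variant. The function names, the simplified location matching and the sample file tree are assumptions made for this illustration, and the _ placeholder is assumed never to resolve to a real file.

```python
import os
import re
import tempfile

# Regex locations copied from the question's nginx.conf, in file order.
ASSETS = re.compile(r"^/(images|javascript|js|css|fonts|static|assets)/")
PHP = re.compile(r"\.php$")


def classify(uri, first_try="$uri"):
    """Name the location block that handles an existing file at `uri`.

    first_try is the first try_files argument in `location /`: "$uri" for
    the question's config, "_" for the answer's variant (assumed here to
    never resolve to a real file).
    """
    if uri == "/robots.txt":      # exact-match location is checked first
        return "robots"
    if ASSETS.search(uri):        # then regex locations, first match wins
        return "assets"
    if PHP.search(uri):
        return "php-fpm"
    # Only the catch-all prefix location `/` is left.
    return "raw-file" if first_try == "$uri" else "index.php"


def audit(docroot, first_try="$uri"):
    """List URIs of files under docroot that nginx would return as-is."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            uri = "/" + rel.replace(os.sep, "/")
            if classify(uri, first_try) == "raw-file":
                exposed.append(uri)
    return sorted(exposed)


def demo():
    """Build a constructed sample tree and audit it under both configs."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("index.php", "php-fpm.conf", "README.md", "css/site.css"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit(root, "$uri"), audit(root, "_")


if __name__ == "__main__":
    print(demo())
```

Running audit() against a copy of the real document root shows every file that currently bypasses PHP, which is the list to review before changing try_files.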