Nginx – php-fpm: access restrictions for some php pages

nginx, PHP, php-fpm

I have a folder containing some PHP files served with php-fpm (fastcgi); inside this folder, I have a file which I want to be allowed for internal IPs and denied for external ones.

The problem I have is that with this configuration…

# PHP
location ~ ^\/some\/path\/(.*\.php)$ {
  alias /some/path/;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
  #
  # # With php5-cgi alone:
  # fastcgi_pass 127.0.0.1:9000;
  # # With php5-fpm:
  fastcgi_pass unix:/var/run/php5-fpm.sock;
  fastcgi_index index.php;
  include fastcgi_params;
  # Changes due to the alias declaration
  fastcgi_param SCRIPT_FILENAME $document_root/$1;
  fastcgi_param SCRIPT_NAME /$1;
}

# PHP: phpinfo() access restrictions
location = /some/path/phpinfo.php {
  allow 10.0.0.0/24;
  deny all;
}

…access to /some/path/phpinfo.php is managed correctly but the fastcgi rules are not applied (I download the phpinfo.php file); while with this configuration…

# PHP
location ~ ^\/some\/path\/(.*\.php)$ {
  alias /some/path/;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
  #
  # # With php5-cgi alone:
  # fastcgi_pass 127.0.0.1:9000;
  # # With php5-fpm:
  fastcgi_pass unix:/var/run/php5-fpm.sock;
  fastcgi_index index.php;
  include fastcgi_params;
  # Changes due to the alias declaration
  fastcgi_param SCRIPT_FILENAME $document_root/$1;
  fastcgi_param SCRIPT_NAME /$1;
}

# PHP: phpinfo() access restrictions
location ~ ^\/some\/path\/phpinfo\.php$ {
  allow 10.0.0.0/24;
  deny all;
}

/some/path/phpinfo.php is interpreted correctly but access restrictions are not applied.

How can I fix the configuration in order that /some/path/phpinfo.php gets interpreted and access restrictions are applied?

Best Answer

nginx only applies one location block at the same level, so it's either going to apply the first one (with the FastCGI but no access control) or the second one (with access control but no FastCGI). To have them both applied you need to nest them like so:

location ~ ^\/some\/path\/(.*\.php)$ {
    fastcgi_pass unix:/var/run/php5-fpm.sock;

    location /some/path/phpinfo.php {
        allow 10.0.0.0/24;
        deny all;
    }
}
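
Why each configuration in the question behaves as reported, shown with a simplified Python model of nginx's same-level location selection. This is an added example, not part of the original question or answer; `select_location`, `effective` and the `combined` configuration are hypothetical names and assumptions introduced here.

```python
import re

def select_location(locations, uri):
    """Return the single (modifier, pattern, directives) entry nginx would pick.

    Simplified model of same-level location selection: no nested or named
    locations, and `directives` is only a set of labels, not real config.
    """
    best = None  # longest matching prefix location seen so far
    for mod, pat, directives in locations:
        if mod == "=" and uri == pat:
            return mod, pat, directives      # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, directives)
    if best and best[0] == "^~":
        return best                          # ^~ suppresses the regex pass
    for mod, pat, directives in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return mod, pat, directives  # first regex in file order wins
    return best                              # fall back to the longest prefix

FASTCGI = {"fastcgi_pass"}
ACL = {"allow", "deny"}
PHP_RE = r"^\/some\/path\/(.*\.php)$"
INFO_RE = r"^\/some\/path\/phpinfo\.php$"
URI = "/some/path/phpinfo.php"

# The two configurations from the question, in file order.
first_config = [("~", PHP_RE, FASTCGI), ("=", URI, ACL)]
second_config = [("~", PHP_RE, FASTCGI), ("~", INFO_RE, ACL)]
# Assumption (not from the page): one exact-match location holding both sets.
combined = [("~", PHP_RE, FASTCGI), ("=", URI, ACL | FASTCGI)]

def effective(locations, uri=URI):
    """Sorted directive labels of the location that handles `uri`."""
    chosen = select_location(locations, uri)
    return sorted(chosen[2]) if chosen else []

if __name__ == "__main__":
    for name, cfg in [("first", first_config), ("second", second_config),
                      ("combined", combined)]:
        print(f"{name:9s} {URI} -> {effective(cfg)}")
```

In real nginx, `fastcgi_pass` is not inherited by nested locations, so whichever location ends up handling the request has to declare the handler itself alongside the `allow`/`deny` rules.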