I have a location block which handles the /api directory of my site exclusively.

Is it safe to run fastcgi_param SCRIPT_FILENAME from one directory down and let the URI handle pointing to the api directory? If not, how can this be handled better?

Currently, /var/www/development$uri becomes /var/www/development/api/... and I want to ensure this cannot be exploited so that the /var/www/development directory isn't accessed. Setting it to /var/www/development/api$uri would incorrectly point to /var/www/development/api/api/...

The two location blocks I currently have set up are as follows:
```nginx
location ^~ / {
    root /var/www/development/app;
    try_files $uri $uri/ =404;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}

location /api {
    alias /var/www/development/api;
    try_files $uri $uri/ =404;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        fastcgi_param SCRIPT_FILENAME /var/www/development$uri; # IS THIS OK FROM A SECURITY STANDPOINT?
    }

    error_page 403 404 500 /error/api.json;
}
```
For reference, the directories are:

```text
/var/www/development         <- Base directory
/var/www/development/app     <- Handles http://example.com/*
/var/www/development/api     <- Handles http://example.com/api/*
/var/www/development/assets  <- PHP Composer, custom classes, etc.
/var/www/development/static  <- Error pages, etc.
```
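A small model of the mapping asked about above, added here as an example and not part of the original post: it approximates how nginx derives $uri (percent-decoding, dot-segment removal, slash merging) before prefix-matching `location /api`, builds SCRIPT_FILENAME as /var/www/development$uri exactly as the config does, and checks whether the result lies inside /var/www/development/api. The normalization is a simplified model of nginx's behaviour, not nginx code, and the request paths are constructed samples.

```python
import posixpath
from urllib.parse import unquote

DOC_BASE = "/var/www/development"
API_DIR = DOC_BASE + "/api"


def nginx_uri(request_path: str) -> str:
    """Approximate nginx's $uri for a request path (model, not nginx itself):
    the query string is dropped, %XX escapes are decoded, '.' and '..'
    segments are resolved and repeated slashes are merged."""
    path = request_path.split("?", 1)[0]
    uri = posixpath.normpath(unquote(path))
    if path.endswith("/") and not uri.endswith("/"):
        uri += "/"  # normpath drops a trailing slash; nginx keeps it
    return uri


def matches_api_location(uri: str) -> bool:
    # `location /api` is a prefix match: it also claims /apifoo, /api.bak, ...
    return uri.startswith("/api")


def inside_dir(path: str, directory: str) -> bool:
    # True when `path` is `directory` itself or lies beneath it
    return posixpath.commonpath([path, directory]) == directory


def resolve(request_path: str):
    """Return (normalized $uri, SCRIPT_FILENAME or None, inside api/ or None).
    None means the request never reaches `location /api` in this model."""
    uri = nginx_uri(request_path)
    if not matches_api_location(uri):
        return (uri, None, None)
    script_filename = DOC_BASE + uri  # the fastcgi_param from the question
    return (uri, script_filename, inside_dir(script_filename, API_DIR))


if __name__ == "__main__":
    # Constructed sample requests, not traffic from the original post.
    for req in ("/api/index.php", "/api/../app/index.php",
                "/api/%2e%2e/app/index.php", "/api//sub/./x.php",
                "/apifoo/x.php"):
        print(f"{req:32} -> {resolve(req)}")
```

Dot-segment requests are normalized before location matching, so they never reach the /api block in this model; the /apifoo case does match the prefix location but resolves beside api/ rather than inside it, which is why a containment check like inside_dir is a useful complement to relying on try_files alone.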