douhuan6157
douhuan6157
2015-07-15 14:24

nginx“拒绝访问脚本'xxx / xxx / php'(请参阅security.limit_extensions)”

已采纳

I got this error. Obviously I want to use ckfinder for file upload.

Access to the script '/var/www/example.com/public/admin/scripts/vendor/ckfinder
/core/connector/php' has been denied (see security.limit_extensions) while reading 
response header from upstream, client: x.x.x.x, server: 
example.com, request: "GET /admin/scripts/vendor/ckfinder/core/
connector/php/connector.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", 
host: "example.com"

I already set security.limit_extensions to .php. I've looked at Access denied (403) for PHP files with Nginx + PHP-FPM and I tried most of them (except the fix_pathinfo) with no luck. Until I notice the script path in the error message, the GET request from connector.php is in the php/ directory. I think the problem is nginx sees this directory name as script and tries to run it, not sure.

This is my nginx server block.

server {
    listen 80;

    root /var/www/example.com/public;
    index index.html index.htm index.php app.php app_dev.php;

    # Make site accessible from ...
    server_name example.com;

    access_log /var/log/nginx/example.com-access.log;
    error_log  /var/log/nginx/example.com-error.log error;

    charset utf-8;

    location / {
        # try_files \$uri \$uri/ /app.php?\$query_string /index.php?\$query_string;
        try_files $uri $uri/ /index.php?\$query_string;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    location = /admin/scripts/vendor/ckfinder/core/connector/php/connector.php {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+.php)(/.+)$;
        # With php5-fpm:
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param LARA_ENV local; # Environment variable for Laravel
        fastcgi_param HTTPS off;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+.php)(/.+)$;
        # With php5-fpm:
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param LARA_ENV local; # Environment variable for Laravel
        fastcgi_param HTTPS off;
    }

    # Deny .htaccess file access
    location ~ /\.ht {
        deny all;
    }
}

My question is how to instruct nginx to know that php/ is a path, not a script?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答

1条回答

  • dt614037527 dt614037527 6年前

    You have error in fastcgi_split_path_info directive. Regular expression .+.php will match these strings: at least 1 character, then any character, then text "php".

    You need to escape the dot (\.), so it doesn't mean any character, but only the dot itself.

    So the correct syntax should be:

      fastcgi_split_path_info ^(.+\.php)(/.+)$;
    
    点赞 评论 复制链接分享