services: nginx: Harden php-location settings.

* gnu/services/web.scm (nginx-php-location): Only pass existing PHP files to the back end. Mitigate httpoxy vulnerability.
2025-01-12 14:16:55 -05:00 · 2023-04-05 16:34:08 +01:00 · 2023-04-05 16:34:08 +01:00 · cbc14b3bae
commit cbc14b3bae
parent 849f31d574
1 changed files with 8 additions and 0 deletions
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@ -1144,6 +1144,14 @@ (define* (nginx-php-location
   (uri "~ \\.php$")
   (body (list
          "fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+
+          ;; Include some upstream recommendations from
+          ;; https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi
+          ;; Mitigate https://httpoxy.org/ vulnerabilities
+          "fastcgi_param HTTP_PROXY \"\";"
+          ;; Only pass existing php files to the backend.
+          "if (!-f $document_root$fastcgi_script_name) { return 404; }"
+
          (string-append "fastcgi_pass unix:" socket ";")
          "fastcgi_index index.php;"
          (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))