Opened 12 years ago

Closed 12 years ago

#167 closed defect (invalid)

order of locations with regular expressions

Reported by: openid.yandex.ru/dyadyamax
Owned by: somebody
Priority: major
Milestone:
Component: nginx-core
Version: 1.2.x
Keywords: location
Cc:
uname -a:
nginx -V: built by gcc 4.3.2 (Debian 4.3.2-1.1)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_ssl_module --with-http_gzip_static_module --with-openssl=/usr/src/openssl/openssl-1.0.1c

Description

steps:

  1. setup 2 rules:

location ~ /\. { deny all; }
location ~* \.(php|pl|py)$ { include php-fpm_proxy; }

  1. send request "http://my_host/.z/foo"
  2. send request "http://my_host/.z/index.php"

expected to happen: both requests result = 403 forbidden

actually happens:

  1. = 403 forbidden
  2. result of executed script

But your help has: "Then regular expressions are checked, in the order of their appearance in a configuration file. A search of regular expressions terminates on the first match, and the corresponding configuration is used."
http://nginx.org/en/docs/http/ngx_http_core_module.html#location

Change History (5)

comment:1 by Maxim Dounin, 12 years ago

Works ok here. Could you please provide *full* config to reproduce the problem? I.e. minimal self-consistent nginx.conf needed, something like this:

events {}
http {
    server {
        listen 8080;
        location ~ /\. { deny all; }
        location ~* \.(php|pl|py)$ { return 200 "php"; }
    }
}

The above config correctly returns 403 for both "/.z/foo" and "/.z/index.php" requests here:

127.0.0.1 - - [17/May/2012:16:44:05 +0400] "GET /.z/foo HTTP/1.0" 403 168 "-" "-"
127.0.0.1 - - [17/May/2012:16:44:12 +0400] "GET /.z/index.php HTTP/1.0" 403 168 "-" "-"

comment:2 by openid.yandex.ru/dyadyamax, 12 years ago

Here are all the 'location's for my site:

location ~ /\. { include vhosts/subconf/allow_no_one;  }
location ^~ /tmp/!private/ { include vhosts/subconf/allow_no_one; }
location ^~ /!x-zone/ { include vhosts/subconf/allow_admins; }
location ^~ /pages/ { include vhosts/subconf/php-fpm_proxy;  }

location /direct/       { access_log off; }
location /tmp/public/   { access_log off; }


# deny from access to .ht*-files
location ~ /\.ht[a-z]+$ {
	access_log off;
	deny all;
}

# direct access to images, css, javascript and archives
location ~* /[^/]+\.(jpg|jpeg|gif|png|ico|css|bmp|swf|js|gz|zip|rar|txt|html|xml)$ {
	access_log off;
}

# direct access to scripts
location ~* \.(php|pl|py|jsp|sh|bash|c|cgi)$ {
	include vhosts/subconf/php-fpm_proxy;
}

location / {
	include vhosts/subconf/php-fpm_proxy;
}

comment:3 by Maxim Dounin, 12 years ago

Which requests do you use in actual testing? What's in the logs for these requests? And again: it's a really good idea to provide a self-consistent config and the logs produced with it, as shown in my first reply.

comment:4 by openid.yandex.ru/dyadyamax, 12 years ago

You can close this ticket as bogus.
My mistake. On every change in config I did:

  1. nginx -t -c "new config"
  2. "kill -HUP", if previous was without errors.

The first command, in my case, did not talk about any errors, but the second did not reload the config, because of errors... As a result I always checked the old config :/

comment:5 by Maxim Dounin, 12 years ago

Resolution: invalid
Status: new → closed

Ok, closing this as invalid.
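
Added example, not part of the ticket and not nginx code: a small Python model of the location selection order quoted from the documentation in the description, applied to the location set posted in comment:2. The action labels, the sample request paths and the names `select_location` and `audit` are constructed for illustration; the model assumes an already-normalized URI path and handles only the `=`, `^~`, `~`, `~*` and plain-prefix modifiers.

```python
import re

# Locations from comment:2 in file order: (modifier, pattern, action label).
# Labels abbreviate each block's body; "" means a plain prefix location.
LOCATIONS = [
    ("~",  r"/\.",            "allow_no_one"),
    ("^~", "/tmp/!private/",  "allow_no_one"),
    ("^~", "/!x-zone/",       "allow_admins"),
    ("^~", "/pages/",         "php-fpm_proxy"),
    ("",   "/direct/",        "access_log off"),
    ("",   "/tmp/public/",    "access_log off"),
    ("~",  r"/\.ht[a-z]+$",   "deny all"),
    ("~*", r"/[^/]+\.(jpg|jpeg|gif|png|ico|css|bmp|swf|js|gz|zip|rar|txt|html|xml)$",
           "access_log off"),
    ("~*", r"\.(php|pl|py|jsp|sh|bash|c|cgi)$", "php-fpm_proxy"),
    ("",   "/",               "php-fpm_proxy"),
]

def select_location(uri, locations=LOCATIONS):
    """Return the (modifier, pattern, label) selected for a normalized URI path."""
    best = None
    for loc in locations:
        mod, pat, _ = loc
        if mod == "=" and uri == pat:
            return loc                       # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = loc                   # remember the longest prefix
    if best and best[0] == "^~":
        return best                          # ^~ skips the regex pass entirely
    for loc in locations:
        mod, pat, _ = loc
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return loc                   # first regex in file order wins
    return best                              # fall back to the longest prefix

def audit(uris):
    """Map each URI to the pattern and action label of the location that handles it."""
    return {u: (select_location(u) or (None, None, None))[1:] for u in uris}

if __name__ == "__main__":
    # Constructed request paths; the first two are the ones from the ticket.
    for uri, (pat, label) in audit(["/.z/foo", "/.z/index.php", "/.htaccess",
                                    "/pages/.z/index.php", "/img/logo.PNG"]).items():
        print(f"{uri:22} -> {pat!r:12} {label}")
```

In this model both requests from the ticket land in the `~ /\.` block, consistent with the 403 responses in comment:1, the later `~ /\.ht[a-z]+$` block is never reached because the earlier regex matches first, and a path under `/pages/` is decided by the `^~` prefix before any regular expression is checked.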
