Opened 4 years ago

Closed 4 years ago

#956 closed defect (invalid)

Location problems

Reported by: stackoverflow.com/users/6244576/westchef Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.9.x
Keywords: Cc:
uname -a: Linux daemon 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.9.3 (Ubuntu)
built with OpenSSL 1.0.2d 9 Jul 2015
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_secure_link_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-threads --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/headers-more-nginx-module --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/nginx-auth-pam --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/nginx-cache-purge --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/nginx-development-kit --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/nginx-echo --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/ngx-fancyindex --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/nginx-http-push --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/nginx-lua --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/nginx-upload-progress --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/nginx-upstream-fair --add-module=/build/nginx-fcyDbp/nginx-1.9.3/debian/modules/ngx_http_substitutions_filter_module

Description

For example i wanna deny access to /site/ so i have configuration like this:

server {

	listen 80;
	root /usr/share/nginx/example.com;
	index index.html index.php;

	server_name example.com;
	
	location /site {
		deny all;
	}

	location ~ \.php$ {
		try_files $uri =404;
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		include fastcgi_params;
		fastcgi_pass unix:/var/run/php5-fpm.sock;
		fastcgi_index index.php;
		fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
	}

}

the location /site won't work on these cases where i do file php requests. for example http://example.com/site/index.php i'm able to bypass this check because of the php block because of this i have changed it to

	location ~^/site {
		deny all;
	}

This works until, if i want allow access from my ip-address

	location ~^/site {
		allow 1.2.3.4;
		deny all;
	}

This will trigger to download php files if you have access to /site, i belive this is bug with location /site as it doesn't get checked i'm sorry if it's just inproper configuration. Using nginx 1.9.3 which ubuntu repositories provides.

Change History (1)

comment:1 by Valentin V. Bartenev, 4 years ago

Resolution: invalid
Status: newclosed

You have a wrong idea about how the location directive works. Please, check the documentation:
http://nginx.org/r/location
http://nginx.org/en/docs/http/request_processing.html

A quote from it:

The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used.

There was also a good talk at nginx.conf 2014: http://www.youtube.com/watch?v=YWRYbLKsS0I

Note: See TracTickets for help on using tickets.