From cbc14b3baea457cf2718b85f767d39ff3911ce91 Mon Sep 17 00:00:00 2001
From: Bruno Victal <mirai@makinata.eu>
Date: Wed, 5 Apr 2023 16:34:08 +0100
Subject: services: nginx: Harden php-location settings.

* gnu/services/web.scm (nginx-php-location): Only pass existing PHP files
to the back end.  Mitigate httpoxy vulnerability.
---
 gnu/services/web.scm | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'gnu/services')

diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 45897d7d6f..818226a4f7 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1144,6 +1144,14 @@ a webserver.")
    (uri "~ \\.php$")
    (body (list
           "fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+
+          ;; Include some upstream recommendations from
+          ;; https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi
+          ;; Mitigate https://httpoxy.org/ vulnerabilities
+          "fastcgi_param HTTP_PROXY \"\";"
+          ;; Only pass existing php files to the backend.
+          "if (!-f $document_root$fastcgi_script_name) { return 404; }"
+
           (string-append "fastcgi_pass unix:" socket ";")
           "fastcgi_index index.php;"
           (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))
-- 
cgit v1.2.3