Environment: nginx + php
Problem:
The configured site returns an error on access: Access Denied (403)
Common fixes:
1. File permission problems
It may be a file permission problem: the files lack read permission.
Or SELinux has not been disabled.
2. security.limit_extensions
Check nginx's error log (error.log); it contains the following error:
2016/07/07 10:20:13 [error] 17710#0: *2145 FastCGI sent in stderr: "Access to the script '/home/www/game/10313156.html' has been denied (see security.limit_extensions)" while reading response header from......
Starting with PHP 5.3.9, php-fpm gained the configuration option "security.limit_extensions", which by default only allows files with the ".php" extension to be executed, so requests for other file types passed to FPM are rejected.
Official description (from php-fpm.conf):
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5
Edit php-fpm.conf (add the file extensions you need):
security.limit_extensions = .php .html .js .css .jpg .jpeg .gif .png .htm
3. cgi.fix_pathinfo
Accessing a URL of this form (a script name followed by extra path segments, as in the log below) shows an Access denied error.
nginx error log:
2016/07/08 09:47:12 [error] 24297#0: *3348 FastCGI sent in stderr: "Access to the script '/home/www/home.php/game/qr' has been denied (see security.limit_extensions)" while reading response header......
Edit php.ini (cgi.fix_pathinfo defaults to 1):
cgi.fix_pathinfo = 1
Official description (from php.ini):
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://php.net/cgi.fix-pathinfo
In fact, cgi.fix_pathinfo = 1 enables the file-type misinterpretation vulnerability (a non-PHP file can end up parsed as PHP); the recommendation is to set cgi.fix_pathinfo = 0.
For details on the impact of the vulnerability, see:
http://www.cnblogs.com/batsing/p/nginx_bug1_attack.html
http://www.phpvim.net/web/php/security-risks-caused-by-fix-pathinfo.html
(How the vulnerability works:
When cgi.fix_pathinfo=1 and the request path is /foo.jpg/file.php, if file.php does not exist the PHP interpreter tries to guess which file you meant to execute by walking back along the path. If foo.jpg exists and contains PHP code, the PHP interpreter executes foo.jpg.
When cgi.fix_pathinfo=0, the PHP interpreter only tries the path exactly as given and stops processing if the file is not found.)
But setting cgi.fix_pathinfo = 0 can stop many MVC frameworks (such as ThinkPHP) that rely on PATH_INFO from working properly.
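To make the two settings above concrete, here is a small Python model, added for this note and not part of the original post or of PHP itself, of how PHP-FPM turns SCRIPT_FILENAME into the script it runs under cgi.fix_pathinfo=0 and =1, and then applies security.limit_extensions. The order (resolve the script, check its extension, then try to open it) is inferred from the log in section 3, where fix_pathinfo=0 produced a limit_extensions error on the full path. The document root, the file list and the response strings are constructed for the model. It also shows the caveat the official comment in section 2 warns about: once .jpg is added to security.limit_extensions, fix_pathinfo=1 lets /uploads/foo.jpg/file.php run foo.jpg as PHP.

```python
import posixpath

DOCROOT = "/home/www"

# Constructed sample filesystem for the model (not a real server).
EXISTING_FILES = {
    "/home/www/index.php",
    "/home/www/home.php",         # MVC front controller that reads PATH_INFO
    "/home/www/uploads/foo.jpg",  # an upload whose bytes are not trusted
}


def resolve_script(uri, existing=EXISTING_FILES, fix_pathinfo=1):
    """Model of how PHP-CGI/FPM maps SCRIPT_FILENAME to the script to run.

    Returns (script_filename, path_info).
    fix_pathinfo=0: the path is taken literally, nothing is walked back.
    fix_pathinfo=1: if the path does not exist, trailing segments are dropped
    one at a time until an existing file is found; the dropped tail becomes
    PATH_INFO.
    """
    full = posixpath.normpath(DOCROOT + uri)
    if not fix_pathinfo or full in existing:
        return full, ""
    script, path_info = full, ""
    while script != DOCROOT:
        script, tail = posixpath.split(script)
        path_info = "/" + tail + path_info
        if script in existing:
            return script, path_info
    return full, ""  # nothing found: keep the literal path; opening it fails later


def fpm_allows(script, limit_extensions=(".php",)):
    """security.limit_extensions: an empty list allows every extension."""
    if not limit_extensions:
        return True
    return any(script.endswith(ext) for ext in limit_extensions)


def classify(uri, fix_pathinfo=1, limit_extensions=(".php",), existing=EXISTING_FILES):
    """Outcome of one request on the FPM side, in the order FPM applies the
    checks: resolve the script, check its extension, then open it."""
    script, path_info = resolve_script(uri, existing, fix_pathinfo)
    if not fpm_allows(script, limit_extensions):
        return "403 Access denied (see security.limit_extensions)"
    if script not in existing:
        return "404 Unable to open primary script"
    return f"execute {script} PATH_INFO={path_info!r}"


if __name__ == "__main__":
    cases = [
        ("/home.php/game/qr", 0, (".php",)),                       # section 3 log
        ("/home.php/game/qr", 1, (".php",)),                       # after the fix
        ("/uploads/foo.jpg/file.php", 1, (".php",)),               # blocked by FPM
        ("/uploads/foo.jpg/file.php", 1, (".php", ".html", ".jpg")),  # protection lost
        ("/uploads/foo.jpg/file.php", 0, (".php",)),               # fix_pathinfo=0
    ]
    for uri, fp, exts in cases:
        print(f"fix_pathinfo={fp} limit_extensions={' '.join(exts):<16} "
              f"{uri:<28} -> {classify(uri, fp, exts)}")
```

The first case reproduces the 403 from section 3: with fix_pathinfo=0 the "/game/qr" tail stays attached to the script name, so the extension check fails. The second shows why fix_pathinfo=1 makes ThinkPHP-style URLs work. The last three show that the protection against executing foo.jpg comes either from security.limit_extensions listing only .php or from fix_pathinfo=0, and that adding image extensions to the list removes it. On the nginx side, `try_files $uri =404` (or the fastcgi_split_path_info directive quoted in section 4) in the PHP location gives the same guarantee without changing either PHP setting.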
4. Restart php-fpm
When loading the page and refreshing repeatedly with Ctrl+F5, an Access Denied error appears. It shows up only intermittently, not as a constant 403.
nginx error log record:
2016/07/09 08:32:40 [error] 26954#0: *2127721 FastCGI sent in stderr: "PHP message: PHP Warning: Unknown: open_basedir restriction in effect. File(/home/www/touch/web/index.php) is not within the allowed path(s): (/home/wwwroot:/tmp/:/proc/) in Unknown on line 0 PHP message: PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0 Unable to open primary script: /home/www/touch/web/index.php (Permission denied)" while reading response header from upstream, client: 117.136.1.22, server: test.hjq.com, request: "GET /index.php?c=Zs&a=getcontent HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "test.hjq.com"
2. In your nginx config file set fastcgi_pass to your socket address (e.g. unix:/var/run/php-fpm/php-fpm.sock;) instead of your server address and port.
3. Check your SCRIPT_FILENAME fastcgi param and set it according to the location of your files.
4. In your nginx config file include fastcgi_split_path_info ^(.+\.php)(/.+)$; in the location block where all the other fastcgi params are defined.
Source: http://stackoverflow.com/questions/23390531/access-denied-403-for-php-files-with-nginx-php-fpm
http://www.laruence.com/2010/05/20/1495.html
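Every case in this note was diagnosed from nginx's error.log, so here is an added Python triage script (not from the original post) that parses error_log lines in the format shown above and sorts the FastCGI ones into the three causes covered here: security.limit_extensions, open_basedir and file permissions. The sample lines are constructed from the ones in this note, with placeholder client addresses and host names.

```python
import re

# Constructed sample lines in nginx error_log format, modelled on the ones
# in this note; client addresses and host names are placeholders.
SAMPLE_LOG = """\
2016/07/07 10:20:13 [error] 17710#0: *2145 FastCGI sent in stderr: "Access to the script '/home/www/game/10313156.html' has been denied (see security.limit_extensions)" while reading response header from upstream, client: 192.0.2.10, server: example.test, request: "GET /game/10313156.html HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "example.test"
2016/07/08 09:47:12 [error] 24297#0: *3348 FastCGI sent in stderr: "Access to the script '/home/www/home.php/game/qr' has been denied (see security.limit_extensions)" while reading response header from upstream, client: 192.0.2.11, server: example.test, request: "GET /home.php/game/qr HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "example.test"
2016/07/09 08:32:40 [error] 26954#0: *2127721 FastCGI sent in stderr: "PHP message: PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/www/touch/web/index.php) is not within the allowed path(s): (/home/wwwroot:/tmp/:/proc/) in Unknown on line 0" while reading response header from upstream, client: 192.0.2.12, server: example.test, request: "GET /index.php?c=Zs&a=getcontent HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "example.test"
2016/07/09 08:33:01 [error] 26954#0: *2127730 FastCGI sent in stderr: "Unable to open primary script: /home/www/touch/web/index.php (Permission denied)" while reading response header from upstream, client: 192.0.2.12, server: example.test, request: "GET /index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "example.test"
2016/07/09 08:40:00 [error] 26954#0: *2127800 open() "/home/www/favicon.ico" failed (2: No such file or directory), client: 192.0.2.13, server: example.test, request: "GET /favicon.ico HTTP/1.1", host: "example.test"
"""

# One nginx error_log line: timestamp, level, pid#tid, *connection, message,
# then the optional trailing client/server/request/upstream/host fields.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#\d+: \*(?P<conn>\d+) (?P<msg>.*?)'
    r'(?:, client: (?P<client>[^,\s]+))?(?:, server: (?P<server>[^,\s]+))?'
    r'(?:, request: "(?P<request>[^"]*)")?(?:, upstream: "(?P<upstream>[^"]*)")?'
    r'(?:, host: "(?P<host>[^"]*)")?$'
)

# (pattern inside the FastCGI stderr text, cause label, what to check first)
RULES = [
    (re.compile(r"denied \(see security\.limit_extensions\)"), "limit_extensions",
     "the script's extension is missing from security.limit_extensions in php-fpm.conf, "
     "or cgi.fix_pathinfo=0 left PATH_INFO glued to the script name"),
    (re.compile(r"open_basedir restriction in effect"), "open_basedir",
     "the script lies outside the open_basedir list in php.ini or the pool config"),
    (re.compile(r"\(Permission denied\)"), "permissions",
     "file mode and owner as seen by the php-fpm worker user, or the SELinux context"),
]

# Where each of the three messages names the script it rejected.
SCRIPT_RE = re.compile(r"(?:script '|File\(|script: )([^'\s)]+)")


def diagnose(line):
    """Parse one error_log line into its fields plus 'cause', 'hint' and
    'script'; return None if the line is not in error_log format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cause"], rec["hint"] = "other", "not a FastCGI/PHP-FPM error"
    if "FastCGI sent in stderr" in rec["msg"]:
        rec["cause"], rec["hint"] = "fastcgi-other", "read the quoted stderr text"
        for pat, cause, hint in RULES:
            if pat.search(rec["msg"]):
                rec["cause"], rec["hint"] = cause, hint
                break
    found = SCRIPT_RE.search(rec["msg"])
    rec["script"] = found.group(1) if found else None
    return rec


def triage(log_text):
    """Count causes over a whole log so the dominant problem is visible first."""
    counts = {}
    for line in log_text.splitlines():
        rec = diagnose(line)
        if rec:
            counts[rec["cause"]] = counts.get(rec["cause"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = diagnose(line)
        print(f'{rec["ts"]} {rec["cause"]:<17} {rec["request"]!s:<40} script={rec["script"]}')
        print(f'    check: {rec["hint"]}')
    print(triage(SAMPLE_LOG))
```

Pipe a real error.log through triage() before touching any setting: if limit_extensions dominates and the rejected scripts end in .php with a path tail (as in section 3), the fix is cgi.fix_pathinfo or fastcgi_split_path_info, not a longer extension list; if the rejected scripts are static files (as in section 2), nginx is sending requests to FPM that it should serve itself.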