我正在尝试保护我的 Limesurvey 2.0.5 管理页面(在 Ubuntu 12.04、Nginx 1.19、PHP5.3.10、PHP-FPM 下运行)。
管理页面只能从特定子网访问,因此在我的配置中我使用了允许 172.16.1.0/24
服务器配置:
server {
listen 80;
set $host_path "/opt/limesurvey";
server_name www.example.tld
root $host_path;
charset utf-8;
try_files $uri /index.php?$args;
location ~ ^/(protected|framework|themes/\w+/views) {
deny all;
}
# admin page only for lan
location ^~ /admin/ {
allow 172.16.1.0/24;
deny all;
}
#avoid processing of calls to unexisting static files by yii
location ~ \.(js|css|png|jpg|gif|swf|ico|pdf|mov|fla|zip|rar)$ {
try_files $uri =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(.*)$;
try_files $uri index.php;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
}
如果我从 LAN 之外的客户端进行连接:
2014/10/20 13:04:54 [error] 3794#0: *137 access forbidden by rule, client: 1.2.3.4, server: www.example.tld, request: "GET /admin HTTP/1.1", host: "2.3.4.5"
从内部连接:
2014/10/20 14:29:55 [error] 4165#0: *184 directory index of "/opt/limesurvey/admin/" is forbidden, client: 172.16.1.12, server: www.example.tld, request: "GET /admin/ HTTP/1.1", host: "2.3.4.5"
没有位置的访问日志 /admin {
172.16.1.10 - - [20/Oct/2014:14:32:22 +0200] "GET /admin/ HTTP/1.1" 302 5 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36"
172.16.1.10 - - [20/Oct/2014:14:32:22 +0200] "GET /admin/authentication/sa/login HTTP/1.1" 200 4017 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.101 Safari/537.36"
Limesurvey 调用 index.php 通过以下方式重新定位我的请求:
header( 'Location: ../index.php/admin' );
如果您需要更多信息,请询问
提前致谢!
答案1
Nginx 认为您正在尝试列出目录/opt/limesurvey/admin内容,因为您没有请求其中的任何文件,并且没有转发到 php 后备。
删除try_files服务器级别的指令。改为添加此位置:
location / {
try_files $uri /index.php?$args;
}
并将管理位置更改为:
location ^~ /admin/ {
allow 172.16.1.0/24;
deny all;
try_files $uri /index.php?$args;
}