I want to deny external (network) access to some PHP files that belong to MoxieManager.
The whole of MoxieManager lives in the www/moxiemanager folder, and www is reachable over the network.
This is what I have tried so far:
server {
    listen 80;
    root /site/www;
    index index.php index.html index.htm;
    client_max_body_size 32M;

    # Make site accessible from http://localhost/
    server_name site.dev;

    # Restrictions
    # Block the whole data directory (storage files, JSON, ...)
    location /moxiemanager/data {
        deny all;
        return 404;
    }

    # Intended to block every PHP file under classes/
    location /moxiemanager/classes/(.+)\.php$ {
        deny all;
        return 404;
    }

    # Never serve .htaccess / .htpasswd and friends
    location ~ /\.ht {
        deny all;
    }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.php;

        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }

    #error_page 404 /404.html;

    # Parse allowed PHP scripts
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
The restriction on /moxiemanager/data works as expected: I can no longer read /moxiemanager/data/storage/some_file.json. But even with the rule in place, scripts such as /moxiemanager/classes/Autoloader.php can still be executed.
Answer 1
You missed only one thing: regex locations override non-regex locations. So the correct statement should look like yours, with one small difference:
location ~* /moxiemanager/classes/(.+)\.php$ { deny all; return 404; }
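For reference, here is the asker's server block rewritten with both ways of keeping nginx from handing classes/ requests to the generic PHP location. This is an added example, not part of the question or the answer above; the paths, socket and server_name are simply carried over from the posted config and are assumptions about the asker's setup. Either option A or option B on its own is enough; both are shown so the difference is visible.

```nginx
server {
    listen 80;
    server_name site.dev;
    root /site/www;
    index index.php index.html index.htm;
    client_max_body_size 32M;

    # Option A: a regex location, as in the answer. nginx tests regex
    # locations in the order they appear and stops at the first match,
    # so this block MUST sit above the generic "location ~ \.php$" block.
    location ~* ^/moxiemanager/classes/.+\.php$ {
        return 404;
    }

    # Option B: a "^~" prefix location. When the longest matching prefix
    # carries ^~, nginx skips the regex pass entirely, so placement relative
    # to "location ~ \.php$" no longer matters. Note it blocks every file
    # under classes/, not only *.php, which is usually what you want anyway.
    location ^~ /moxiemanager/classes/ {
        return 404;
    }

    # Same treatment for the data directory. A plain prefix location only
    # appeared to work because *.json never matches "\.php$"; with ^~ a
    # PHP file dropped into data/ is blocked as well instead of executed.
    location ^~ /moxiemanager/data/ {
        return 404;
    }

    location ~ /\.ht {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php;
    }

    # Generic PHP handler; every regex location meant to shield files from
    # it must be listed above this point.
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

Two practical notes. First, `deny all` and `return 404` together are redundant: `return` runs in the rewrite phase, before the access phase in which `deny` is evaluated, so the client always sees the 404 and `deny all` is never reached; keep whichever status you actually want (403 from `deny`, 404 from `return`). Second, after `nginx -t` and a reload, check the fix the way the asker found the problem: request /moxiemanager/classes/Autoloader.php and confirm the response is a 404 rather than the output of the script.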