Lnamp the right to set the site file permissions in the context

There are three ways to control running permissions in a Lnamp environment.

First, only cancel the run permissions of the specified directory (such as the upload directory)

This way, can only say that there is better than nothing.

The second, only allows the specified files and directories to have running permissions suitable for a small number of web sites that need to run PHP programs, such as generating static CMS programs.

Third, the use of X permission bits to limit the setting slightly more complex.

In a Lnamp environment, the following code is typically used to pass PHP requests to Apache:

Location/{
Try_files $uri @apache;
}

Location @apache {
Internal
Proxy_pass http://127.0.0.1:8080;
Include proxy.conf;
}

Location ~. *\. (PHP|PHP5)? $ {
Proxy_pass http://127.0.0.1:8080;
Include proxy.conf;
}
However, this configuration does not require the PHP file to have x-bit permissions, only the Apache need R Read permission, you can run.
If you want to restrict run permissions through x digits, the configuration needs to be modified to:

Location ~. *\. (PHP|PHP5)? $ {
    if (!-x $request _filename) {
        return 403;
   }
    Proxy_pass http://127.0.0.1:8080;
    include proxy.conf;
}
But there are some problems, such as accessing the http://www.yundaiwei.com/, the URL does not appear. php suffix, the above configuration does not match such a request, you need to change the previous code.

Location @apache {
    if (!-f $request _filename/index.html) {
         set $flag "1";
   }
    if (!-f $request _filename/index.htm) {
        set $ Flag "${flag}2";
   }
    if (-F $request _filename/index.php) {
        set $flag "${flag}3";
   }
    if (!-x $request _filename/index.php) {
        set $ Flag "${flag}4";
   }
    if ($flag = "1234") {
        return 404
    }
    internal;
    Proxy_pass http://127.0.0.1:8080;
     include proxy.conf;
}

The 5 if statements above are all meant to determine whether index.php has execute permissions. And this configuration in advance is the default first page file order is: index.html index.htm index.php, if not, but also to modify.

It is also important to note that Nginx X determines whether the owner of the file has X permissions and does not relate to group or other x digits.

After this modification is complete, you can use the X bit to control the running permissions of PHP, of course, R and W permissions can also be set.
The following are all about the third way of setting.

Ordinary file rwx permissions are easy to understand, but the directory rwx permissions, most of the article did not make it clear, after my own repeated testing, the total assumption that the Apache running identity for the WWW, then I proposed the permission to set the program as follows:

All files belong to root and belong to www.

Chown-r root.www.
All files default permissions are 040, that is, Apache has Read permissions.

Find. -type f-exec chmod 040 {} \;
All directories have default permissions of 050, that is, Apache has access and column directory permissions.

Find. -type d-exec chmod 050 {} \;
Write permission to a directory that requires write permission

Find. -exec chmod 070 {} \;
(Go to the directory where you want to add permissions.) Some web site programs will be created in the new directory to set the permission code to be the same as the previous level, and the main group is www.www, which will cause the WWW user without any permissions, in such cases, you need to give the user permission bit also add Write permission, complete command for find. -exec chmod 770 {} \;)

# Add Execute permissions to individual PHP files

chmod u+x path/to/file.php
# Add execute permissions to the entire directory for PHP files

Find. -type f-name "*.php"-exec chmod u+x {} \;
(Go to the directory where you want to add permissions)

For example, after the Yundevi Web site after the above settings, the root directory permissions are like this:
How to set Web site file permissions correctly in Lnamp environment 1

If it's a slightly larger site, it's not easy to set up a strict run, and it takes a lot of time to find the directory where you need to write permissions and the programs that need to execute permissions.

Some common misunderstandings about Web site file permissions.
first, often in the forum to see such a scene, the landlord asked: what kind of security site settings?
Second floor: 755
Third floor: 644
Four floors: XXX
In the absence of a clear owner and group, and without distinguishing between files and directories, it is nonsense to talk about permission codes.
Second, the strict permission setting does not directly cause the website to be black, only if the website has the loophole and is exploited, can use the intruder to enlarge the control further.
Third, rwx permissions on the meaning of the file and the meaning of the document is different, if you want to strictly set permissions, can not be used chmod-r.