Configure website directory permission settings in nginx

Source: Internet
Author: User
Tags: chmod, fpm, php, website

The principle of configuring permissions is to grant the website the minimum permissions it needs to run normally.
Nginx directory permission configuration:
1. The nginx process user is the default user wwwboy. (I don't know whether the nginx process user affects permissions on the server; I don't seem to have run into permission-setting problems when configuring nginx.)
2. Configure the php-fpm process user as wwwboy.
3. Set the website directory owner to ftpuser. Because website files need to be downloaded (read) and uploaded (written) over FTP, ftpuser must have read and write permissions on the website directory.

Key point: the user that the php-fpm child processes run as must not be the owner of the website files.
The benefit of making the website file owner and the php-fpm process user different is that PHP programs cannot modify the website files, which limits the damage even if the site is infected with a Trojan: for example, the attacker cannot mix a backdoor into your normal code.
In the past we habitually set the cache directory to 777. Now that we pay attention to security, we want to work out how to set the cache directory permissions correctly, reasonably and securely.
In fact, once you clearly understand how Linux file permissions are assigned, this doubt resolves itself:
Assume the website cache directory is named cache and its owner is ftpuser. Cache files are written by the php-fpm process, which means the user wwwboy needs to write into the cache directory owned by ftpuser. That is not allowed! Therefore you must grant wwwboy write permission on the cache directory: chmod -R o+w cache is enough. If ftpuser and wwwboy are in the same group, use chmod -R g+w cache instead. The cache directory does not require execute permission, so the previous practice of setting 777 was quite rough. However, when using a VM you cannot control the various settings on the server, and 777 is also the most convenient practice.
The cache directory requires o+wx. The reason for adding x is that this permission is needed to search the directory; otherwise files cannot be written into it. The exception is when the file to be generated and the script that writes it are in the same directory; then the directory does not need to be searched and execute permission is not needed. Principle (thanks to @lanisle):

On a directory, the execute permission (also called the "search bit") allows you to access files in the directory and enter it, with the cd command, for example. However, note that although the execute bit lets you enter the directory, you're not allowed to list its contents, unless you also have read permissions to that directory.
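To check a deployed web root for the mistakes this section describes (the 777 habit, and a cache directory with o+w but no search bit), here is an added shell script that is not part of the original post. It assumes the layout above: site files owned by ftpuser and php-fpm running as a different user wwwboy, so php-fpm reaches files only through the "others" permission bits (use the group bits instead if the two users share a group).

```shell
#!/bin/sh
# audit_perms: flag the permission mistakes discussed above in a web root
# (added example, not from the original post). Assumes site files are owned
# by ftpuser and php-fpm runs as wwwboy, a different user, so php-fpm only
# reaches files through the "others" permission bits (use -perm -020 / -010
# instead of -002 / -001 if the two users share a group).
# Usage: audit_perms /var/www/html [cache_dir_name]
audit_perms() {
    root="$1"
    cache="${2:-cache}"
    # 1. The "chmod 777" habit: files php-fpm (as "others") may overwrite,
    #    so a compromised script could rewrite site code.
    find "$root" -type f -perm -002 | sed 's/$/: world-writable file/'
    # 2. Directories writable by others outside the cache directory: php-fpm
    #    could create new files there (e.g. drop a script next to the code).
    find "$root" -type d -perm -002 ! -name "$cache" ! -path "$root/$cache/*" \
        | sed 's/$/: world-writable directory outside cache/'
    # 3. A cache directory with o+w but no o+x: the search bit is missing, so
    #    php-fpm still cannot create files in it (the principle quoted above).
    find "$root" -type d -name "$cache" -perm -002 ! -perm -001 \
        | sed 's/$/: cache writable but missing search (x) bit/'
}
```

Run it as any user; it only inspects mode bits, so it does not need to run as wwwboy.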

Directory access permission settings

1. Directory listing

Nginx needs only one directive to show the files in a directory as a list instead of returning 403:

autoindex on;

autoindex can be placed in a location block, where it takes effect only for that location's directory. It can also be placed in the server block to apply to the whole site, or in the http block to apply to all sites.

The following is a simple example:

The code is as follows:

server {
    listen 80;
    server_name domain.com www.domain.com;
    access_log /var/...........................;
    root /var/www/html;
    location / {
        index index.php index.html index.htm;
    }
    location /api {
        autoindex on;
    }
}

2. Denying access to a directory in nginx

Similar to Apache's Deny from all, nginx has the deny all directive.

To deny access to the dirdeny directory and return 403 Forbidden, use the following configuration:

The code is as follows:

location /dirdeny {
    deny all;
    return 403;
}

autoindex_exact_size off;   # show file sizes in a human-friendly form; otherwise sizes are shown in bytes
autoindex_localtime on;     # show times in server local time; otherwise GMT (Greenwich Mean Time) is used

autoindex_exact_size off;
The default is on, which shows the exact file size in bytes.
When changed to off, an approximate size is shown, in kB, MB, or GB.
autoindex_localtime on;
The default is off, which shows file times in GMT.
When changed to on, file times are shown in the server's local time.

Deny execution of PHP files in the upload directory.

The code is as follows:

location ~ ^/upload/.*\.(php|php5)$
{
    deny all;
}

Enabling directory browsing

1. Open /usr/local/nginx/conf/nginx.conf, find the server configuration, and add the following:

The code is as follows:

location /soft/ {
    root /var/www/;   # the parent directory of soft
    autoindex on;
    autoindex_exact_size off;
    autoindex_localtime on;
}

Login authentication

1. Create an htpasswd-style file

The code is as follows:

[root@localhost soft]# wget -c http://jafee.net/Soft/InstallPack/htpasswd.sh

[root@localhost soft]# bash htpasswd.sh

The script prompts for the user name, password, and authentication file name, then generates the authentication file automatically. By default it is saved under /usr/local/nginx/conf; if your nginx directory is elsewhere, edit htpasswd.sh and replace the nginx directory with yours.

Mine is /usr/local/nginx/conf/test.conf # note down this path

2. Add the auth configuration to nginx

The code is as follows:

location ^~ /soft/
{
    auth_basic "MyPath Authorized";
    auth_basic_user_file /usr/local/nginx/conf/test.conf;   # the file path produced by the script above
}

# "MyPath Authorized" is the prompt text and can be changed as you like.

3. After modifying the configuration, restart nginx and open http://localhost/soft/. A prompt asks for the user name and password; after successful authentication the directory listing is shown.

4. Note that after authentication, PHP files in this directory are not parsed but offered for download. To enable PHP parsing, change the configuration above to:

The code is as follows:

location ^~ /soft/ {
    location ~ .*\.(php|php5)?$ {
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        include fcgi.conf;
    }
    auth_basic "Authorized users only";
    auth_basic_user_file /usr/local/nginx/conf/test.conf;
}

Sometimes, when nginx reads a local directory, it returns a 403 error, which is a permission error.

First, let's look at how nginx manages users. When nginx is started by a Linux service script, it is started through start-stop-daemon and runs the daemon process as root.

The daemon process then reads the user option in /etc/nginx.conf; the default is user nginx.

That is, the worker processes are started as the nginx user. The 403 error occurs because the nginx user does not have permission to access the directory I am currently developing in, /home/dean/work/resources.

The solution is to change the user from nginx to root and restart nginx.

I have also tried other methods, such as setting 777 permissions on the /home/dean/work/resources directory, or adding the nginx user to the root group.

So during development, use the user root configuration. In the production environment, the resources directory can be placed in the nginx user's directory, so the problem is not serious.

The above is a description and understanding of the security settings for nginx + PHP website directory permissions; I hope it helps you.
