How to correctly restrict PHP execution in a directory on an Nginx server hosting multiple sites

Source: Internet
Author: User
Tags: chmod, vps, aliyun

Today I saw that a friend had configured the upload directory on a server like this:

[root@Centos62 ~]# chmod -R -x upload

That scared me, and I asked, "Do you usually do this?"

Friend: "Yes! The x (execute) permission has been revoked. You cannot execute any Trojans!"

0x01 What is wrong?

Let's analyze what is wrong. I searched a search engine for: linux chmod folder.

The result: in Linux, the x attribute set by chmod means different things for files and for directories.

Here is a table for you to see.



From the table above (a screenshot from a Brother-Connected Linux video), we can conclude that the rwx attributes set by the chmod command mean different things for files and for directories. For a directory, the x attribute decides whether you can enter the directory. So, with this setting, /upload/shell.php cannot run.

New skill get √

But this is obviously not correct! Because entering the directory is prohibited, the images and other files in it are inaccessible too and cannot be displayed. That is clearly not the result we want, so doing it this way is wrong.

0x02 Where to look? The vast search engine

Of course, I had to use a search engine. Search: nginx restrict php execution permission

I found that the methods on the Internet are all the same (because webmasters just copy each other, ugh!). If you are going to copy, at least copy the whole thing!

Every one of them is cut off halfway. Later I found the original version, which is an article by VPS Detective:

Click to go to the portal to view the original version

The instructions there are too vague for people who do not use Linux every day.

So I went back to the search engine and began collecting, sorting, and testing various materials.

0x03 Correct skill get √

The following is the correct approach. Each step was tested on a real server.



Environment: lnmp 1.1 | php | The server hosts three websites:

www.baidu.com | www.google.com | www.aliyun.com

Here we need to restrict permissions on two different sites, each with a differently named directory:

www.baidu.com/ups/
www.google.com/ccav/

(www.aliyun.com is just a bystander here.)

The correct method should be:

# First, we need to know where to make the change. The VPS Detective article only says: the nginx virtual host configuration

# But where is the nginx virtual host configuration? The search engine tells me it is in /usr/local/nginx/conf/nginx.conf

# Of course, that is the default location, for when your server has only one site and it is the default site.

# Here we have three sites, so...

# The correct location is

[root@Centos62 ~]# cd /usr/local/nginx/conf/vhost

# Yes. Here it is vhost.

Then you can run the ls or ll command to check whether there are any configuration files.

[root@Centos62 ~]# ll

# After executing the ll command (press Enter), you will see the following:

total 12

-rw-r-- 1 root 677 October 30 8:31 www.baidu.com.conf
-rw-r-- 1 root 1501 October 30 8:57 www.google.com.conf
-rw-r-- 1 root 828 October 30 8:16 wx.aliyun.com.conf

# I will demonstrate how to block PHP execution in the www.baidu.com/ups folder without affecting files of other types.

[root@CentOS62 vhost]# vim www.baidu.com.conf

# Open www.baidu.com.conf in the vim editor to edit it.

server
        {
                listen 80;
                #listen [::]:80;
                server_name www.baidu.com;
                index index.html index.htm index.php default.html default.htm default.php;
                root /home/www/www.baidu.com;
                include none.conf;
                #error_page 404 /404.html;
                # Hand every *.php request to PHP over FastCGI
                location ~ [^/]\.php(/|$)
                        {
                                # comment out try_files $uri =404; to enable pathinfo
                                try_files $uri =404;
                                fastcgi_pass unix:/tmp/php-cgi.sock;
                                fastcgi_index index.php;
                                include fastcgi.conf;
                                #include pathinfo.conf;
                        }
                # Browser cache lifetime for images and Flash files
                location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
                        {
                                expires 30d;
                        }
                # Browser cache lifetime for scripts and stylesheets
                location ~ .*\.(js|css)?$
                        {
                                expires 12h;
                        }
                access_log /home/wwwlogs/www.baidu.com.log.log access;
        }

# Yes. The above is the content of the original www.baidu.com.conf file.

# We only need to add the restriction code to it. The VPS Detective article didn't spell this out.



# Insert the following code directly below the line root /home/www/www.baidu.com;

                location ~ /(ups)/.*\.(php|php5)?$
                        {
                                deny all;
                        }

# This blocks PHP execution in the ups folder under the site root

# To restrict more directories, list them in the group: (ups|upload|avatar)

# Insert the above code and save the file

# Then immediately run this command

[root@CentOS62 vhost]# /usr/local/nginx/sbin/nginx -t

# Then you will see the following results:

# If you see "test is successful", nginx has checked your configuration file and found it correct.

# Run the following command to apply the configuration:

[root@CentOS62 vhost]# /usr/local/nginx/sbin/nginx -s reload

# Press Enter to run it. If no error message is returned, the reload succeeded.

# The same is true for www.google.com/ccav.

0x04 Summary

1. Find the file you want to modify

2. Edit it and insert the code

3. Save, then run [root@CentOS62 vhost]# /usr/local/nginx/sbin/nginx -t to check the file for errors

4. If the check passes, run [root@CentOS62 vhost]# /usr/local/nginx/sbin/nginx -s reload to reload the configuration.

5. Place files of several formats in the directory: php, jpg, png, txt. Try to access each of them. The php file should return a 403 error and the other files should be served normally. If so, the configuration is correct. Otherwise it is still wrong; check the code for mistakes.
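
Why the deny block has to go above the fastcgi location, as an added example that is not part of the original article: nginx tries regex locations in the order they appear in the file and uses the first one that matches. The script replays that rule with grep -E over the four location patterns of this vhost; the route helper, the location names and the sample URIs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). The four regexes are the
# location patterns of the www.baidu.com vhost; everything else is constructed.
DENY='/(ups)/.*\.(php|php5)?$'            # deny all        -> 403
PHP='[^/]\.php(/|$)'                      # fastcgi_pass    -> PHP runs
IMG='.*\.(gif|jpg|jpeg|png|bmp|swf)$'     # expires 30d     -> static file
ASSET='.*\.(js|css)?$'                    # expires 12h     -> static file

# route ORDER URI: print the first location in ORDER whose regex matches URI.
# ORDER is a space-separated list of location names in config-file order.
route() {
    order=$1 uri=$2
    for name in $order; do
        case $name in
            deny)  re=$DENY ;;
            php)   re=$PHP ;;
            img)   re=$IMG ;;
            asset) re=$ASSET ;;
        esac
        if printf '%s\n' "$uri" | grep -Eq -- "$re"; then
            echo "$name"
            return 0
        fi
    done
    echo "default"    # no regex location matched: plain file served from root
}

FIXED="deny php img asset"    # deny block directly below the root line
WRONG="php deny img asset"    # deny block pasted after the fastcgi location

# Constructed sample URIs, mirroring the file types of step 5.
for uri in /ups/a.php /ups/sub/a.php5 /ups/a.jpg /ups/a.txt /index.php; do
    printf '%-16s fixed=%-8s wrong=%s\n' "$uri" \
        "$(route "$FIXED" "$uri")" "$(route "$WRONG" "$uri")"
done
```

With the block in the wrong place, /ups/a.php is claimed by the fastcgi location before the deny rule is ever tried, which is exactly the case step 5 is meant to catch.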

# Now go and find your directory!

0x05 How to write an article properly

# A properly written article should give the reader exact instructions:

# where to find the file, what command to use, and which line to insert the code at

# instead of just saying "the Nginx configuration file" and "insert it before the fastcgi location"

# That is too confusing for new users

# I would like to thank VPS Detective for his article. Otherwise, I would not have known how to set this up.
