Nginx + fastcgi script_filename uri safety

Posted: 2017-05-03 07:38:05

Tags: php nginx fastcgi

I have a location block that specifically handles the /api directory of my site.

Is it safe to run fastcgi_param SCRIPT_FILENAME from one directory and let the URI handle pointing at the api directory? If not, how could this be handled better?

Currently, /var/www/development$uri becomes /var/www/development/api/..., and I want to make sure this cannot be exploited so that the /var/www/development directory cannot be accessed. Setting it to /var/www/development/api$uri incorrectly points to /var/www/development/api/api/...

The two location blocks I currently have set up are as follows...

location ^~ / {
    root /var/www/development/app;
    try_files $uri $uri/ =404;

    location ~ \.php$ {
            try_files $uri =404;

            fastcgi_split_path_info ^(.+\.php)(/.+)$;

            fastcgi_pass unix:/run/php/php7.1-fpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
    }
}

location /api {
    alias /var/www/development/api;
    try_files $uri $uri/ =404;

    location ~ \.php$ {
            try_files $uri =404;

            fastcgi_split_path_info ^(.+\.php)(/.+)$;

            fastcgi_pass unix:/run/php/php7.1-fpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_param SCRIPT_FILENAME /var/www/development$uri; # IS THIS OK FROM A SECURITY STANDPOINT?
    }

    error_page 403 404 500 /error/api.json;
}

For reference, the directories are...

/var/www/development        < Base directory
/var/www/development/app    < Handles http://example.com/*
/var/www/development/api    < Handles http://example.com/api/*
/var/www/development/assets < PHP Composer, custom classes, etc
/var/www/development/static < Error pages, etc

0 answers:

No answers