
I have an admin/ subdirectory on my website which I'd like to be served over HTTPS, so I tried the following configuration, based on this one:

server {
    listen 80;

    server_name blob.tld;
    root /srv/www/blob;
    index index.php index.html index.htm;

    location /blog/admin/* {
        return 301 https://$server_name$request_uri;
    }

    location / {
        try_files $uri $uri/ $uri/index.php /index.html;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

server {
    listen 443 ssl;
    server_name blob.tld;

    root /srv/www/blob/;
    index index.php index.html index.htm;

    ssl_certificate /srv/www/blob.tld.pem;
    ssl_certificate_key /srv/www/blob.tld.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    location /blog/admin {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        try_files $uri $uri/index.php /index.html;
    }

    location / {
        return 301 http://$server_name$request_uri;
    }
}

But then images in admin/style/ are not served.

I looked at the log files, which say:

/var/log/nginx/access.log:
127.0.0.1 - - [25/Apr/2014:15:06:27 +0200] "GET /blog/admin/style/lock.png HTTP/1.1" 403 46 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit (KHTML, like Gecko) Chrome/32.0"

/var/log/nginx/error.log:
2014/04/25 15:06:27 [error] 23629#0: *404 FastCGI sent in stderr: "Access to the script '/srv/www/blob/blog/admin/style/lock.png' has been denied (see security.limit_extensions)" while reading response header from upstream, client: 127.0.0.1, server: blob.tld, request: "GET /blog/admin/style/lock.png HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000"

Given the error.log file, I think the problem comes from the first location instruction in the HTTPS server (the difference with the HTTP one being ~ \.php$). So I tried to make the exact symmetric (with the \.php$ instructions in another location instruction):

server {
    listen 443 ssl;
    [...]

    location /blog/admin/* {
        try_files $uri $uri/ $uri/index.php /index.html;
    }

    location / {
        return 301 http://$server_name$request_uri;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}

But then… no HTTPS at all.

I still have the solution of letting images be served over HTTP, but that is kinda frustrating:

location /blog/admin/style {
    return 301 http://$server_name$request_uri;
}

I have nginx 1.1.19 and php 5.3.10 with php-fpm.

  • Does this help? Otherwise my hunch is you have the execute bit set on all images. Commented May 1, 2014 at 22:46
  • Take a look at this Q&A from SO and see if it solves your issue: stackoverflow.com/questions/9022102/… Commented May 3, 2014 at 7:25

1 Answer


Any reason why in the https section you send everything under /blog/admin to FastCGI? Why not make a rule specific to *.php like you have in the http section?

In other words, under http you have:

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    include fastcgi_params;
}

but under https, you have:

location /blog/admin {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    include fastcgi_params;
    try_files $uri $uri/index.php /index.html;
}

I think if you change /blog/admin to ~ /blog/admin/.*\.php$ your problem would be solved...

  • This is what I tried in a second part ("So I tried to make the exact symmetric..."), but as I said, I have then no HTTPS at all: everything goes to HTTP. Modified my question to be a little bit clearer. Commented Apr 27, 2014 at 9:10
  • You are kinda right. Is it possible to validate my answer and give you the bounty? Commented May 4, 2014 at 17:13
  • @Baronsed: wouldn't it be cleverer to add your solution into the answer Rouben wrote up, since the only difference is that your solution implements this answer's suggestions? Commented May 4, 2014 at 23:39
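The layout the answer recommends, written out as a complete added example (this is not the asker's or Rouben's configuration): a regex location hands only *.php under /blog/admin/ to PHP-FPM, a plain prefix location serves the admin area's static files over HTTPS (the piece the asker's second attempt lacked), and the HTTP side redirects with a prefix that actually matches. Paths, server_name and the PHP-FPM address are taken from the question; everything else is assumed.

```nginx
# Added example (not the asker's or the answerer's config); see lead-in.
server {
    listen 80;
    server_name blob.tld;
    root /srv/www/blob;
    index index.php index.html index.htm;

    # Prefix locations take no wildcard: "/blog/admin/*" only matches a URI
    # containing a literal "*", so the admin area was never redirected.
    location /blog/admin/ {
        return 301 https://$server_name$request_uri;
    }
    # "location /" and "location ~ \.php$" as in the question.
}

server {
    listen 443 ssl;
    server_name blob.tld;
    root /srv/www/blob;
    index index.php index.html index.htm;

    ssl_certificate     /srv/www/blob.tld.pem;
    ssl_certificate_key /srv/www/blob.tld.key;
    # ssl_session_timeout, ssl_protocols, ssl_ciphers: your current policy.

    # Only *.php under /blog/admin/ reaches PHP-FPM. Regex locations are
    # checked after prefix ones, so this wins over /blog/admin/ below for
    # scripts, while lock.png never reaches FastCGI (in the question's log,
    # PHP-FPM's security.limit_extensions was what refused to run it).
    location ~ ^/blog/admin/.+\.php$ {
        try_files $uri =404;          # missing script -> 404, not PHP-FPM
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    # Static files and the directory index of the admin area, over HTTPS.
    # /blog/admin/ falls back to index.php, which is re-matched against the
    # regex location above and so is executed, not downloaded.
    location /blog/admin/ {
        try_files $uri $uri/ /blog/admin/index.php;
    }

    # Everything else goes back to plain HTTP, as in the question.
    location / {
        return 301 http://$server_name$request_uri;
    }
}
```

Check with `nginx -t` before reloading; a request for /blog/admin/style/lock.png should now appear in access.log with a 200 and no FastCGI entry in error.log.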
