Merge branch 'master' into emacs-team

author: Liliana Marie Prikler <liliana.prikler@gmail.com> 2023-07-13 17:21:32 +0200
committer: Liliana Marie Prikler <liliana.prikler@gmail.com> 2023-07-13 17:21:32 +0200
commit: 15406013fe63f2ab238eec2d7a8adbc586806ac8 (patch)
tree: 8377d7c70a925f7c5ea4c04473c4eb547610b64b /gnu/services/web.scm
parent: a3ac317ab4a90f66ac65055fa26dee58ed2367b8 (diff)
parent: dd4c1992103a65b8fbdc80fe07a9fe9be822769a (diff)
download: guix-15406013fe63f2ab238eec2d7a8adbc586806ac8.tar.gz
guix-15406013fe63f2ab238eec2d7a8adbc586806ac8.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 45897d7d6f..818226a4f7 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1144,6 +1144,14 @@ a webserver.")
    (uri "~ \\.php$")
    (body (list
           "fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+
+          ;; Include some upstream recommendations from
+          ;; https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi
+          ;; Mitigate https://httpoxy.org/ vulnerabilities
+          "fastcgi_param HTTP_PROXY \"\";"
+          ;; Only pass existing php files to the backend.
+          "if (!-f $document_root$fastcgi_script_name) { return 404; }"
+
           (string-append "fastcgi_pass unix:" socket ";")
           "fastcgi_index index.php;"
           (list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))
author	Liliana Marie Prikler <liliana.prikler@gmail.com>	2023-07-13 17:21:32 +0200
committer	Liliana Marie Prikler <liliana.prikler@gmail.com>	2023-07-13 17:21:32 +0200
commit	15406013fe63f2ab238eec2d7a8adbc586806ac8 (patch)
tree	8377d7c70a925f7c5ea4c04473c4eb547610b64b /gnu/services/web.scm
parent	a3ac317ab4a90f66ac65055fa26dee58ed2367b8 (diff)
parent	dd4c1992103a65b8fbdc80fe07a9fe9be822769a (diff)
download	guix-15406013fe63f2ab238eec2d7a8adbc586806ac8.tar.gz guix-15406013fe63f2ab238eec2d7a8adbc586806ac8.zip