Please forgive me if this question has been answered before. The reason for the question is at the bottom.**
The Nginx "pitfalls" doc has a section on "Passing Uncontrolled Requests to PHP"
http://wiki.nginx.org/Pitfalls
It suggests a number of potential solutions, including adding this to the virtual domain.conf
    location ~* \.php$ {
        try_files $uri =404;
        fastcgi_pass backend;
    }
I've been reading this and trying to get my head around if it's just fastcgi that's vulnerable and PHP-FPM is immune.
The default Nginx domain.conf template I've been provided looks for my server (CentOS, PHP-FPM and nginx) like this gist.
https://gist.github.com/anonymous/7e437eaf735a364a1d96
This is the template used for all of the Magento optimized servers the host provisions. They generally also configure the Virtual Hosts for you. If you're pig ignorant like me, you probably won't even think of changing stuff because it "just works".
Are they shipping solutions in an essentially insecure fashion, or am I just getting overly paranoid and should relax? Any advice welcome...
** I've somehow got dragged into transferring a number of PHP apps from a self-managed Dedicated server running Litespeed to a "Magento Optimized" Dedicated and Managed server provided by one of the larger hosting providers. They have a better than average reputation for service and support. The server runs CentOS, PHP-FPM and Nginx. I've been fighting what I think are a number of misconfiguration issues almost from the start and now I think there might be a security issue as well. The 'drip-drip' is shaking my confidence that they know what they are doing. I should point out I make no claims to be a System Admin, Linux Engineer or Security expert. I'm a reasonable web developer at best. This is way outside of my scope of competence, but I thought greater minds might have a view, even if it's just "get over it and move on".
Edit 1:
From phpinfo():

    cgi.discard_path          0
    cgi.fix_pathinfo          1
    cgi.force_redirect        1
    cgi.nph                   0
    cgi.redirect_status_env   no value
    cgi.rfc2616_headers       0
    fastcgi.error_header      no value
    fastcgi.logging           1
    fpm.config                no-value
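The check the pitfalls page recommends, shown as an added example rather than the host's own template or the gist linked above: the first `location` block is the weak shape (no `try_files`, paired with `cgi.fix_pathinfo=1` as in the phpinfo() output), the second is the hardened shape. The upstream name `backend` is taken from the question; the document root `/var/www/html` and the `media/` upload path are assumptions for illustration.

```nginx
# --- Weak: any URI ending in .php is handed to PHP-FPM without checking
# that the file exists. With cgi.fix_pathinfo=1 PHP will walk back along
# the path to find a script to run, so the existence check is PHP's, not
# nginx's. (Assumed upstream name "backend" from the question.)
location ~* \.php$ {
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass   backend;
}

# --- Hardened: nginx refuses the request before it reaches PHP-FPM
# unless the requested path is a real file on disk.
root /var/www/html;   # assumed document root

location ~* \.php$ {
    # 1. Only pass requests whose exact URI maps to an existing file.
    try_files $uri =404;

    # 2. Split "/index.php/extra/path" into script and PATH_INFO explicitly,
    #    so PHP never has to guess which component is the script.
    fastcgi_split_path_info ^(.+\.php)(/.+)$;

    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param  PATH_INFO       $fastcgi_path_info;
    fastcgi_pass   backend;
}

# 3. Defence in depth: never execute scripts from user-upload directories.
#    (Path assumed; adjust to wherever uploads actually live.)
location ~* ^/media/.*\.php$ {
    deny all;
}
```

The other half of the fix lives in php.ini (or the pool's `php_admin_value` in php-fpm.conf): set `cgi.fix_pathinfo=0` so PHP executes only the file named in `SCRIPT_FILENAME` and returns 404 otherwise. Using `try_files` on the nginx side and `cgi.fix_pathinfo=0` on the PHP side means either layer alone still closes the gap if the other is misconfigured; after changing either, reload nginx and restart php-fpm, then confirm the new value in phpinfo() and that a request for a non-existent `.php` path returns 404.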