Nginx multiple conditions in if statement

Kevin asked:

Hopefully an easy one for you nginx gurus out there. I can’t find any relevant info on google or the docs, but I hope this is possible.

Essentially, using advice gained from others, we want to prevent PHP from running in our public upload directories. We’re accomplishing this like so:

if($uri !~ "^/vb_attach/") {
    fastcgi_pass 127.0.0.1:9005;
}

But on this website, we’ve got multiple upload directories. I know that nginx doesn’t support && or || in the conditional, so we tried this:

    if ($uri !~ "^/vb_attach/") {
            if($uri !~ "^/vb_album/") {
                    fastcgi_pass   127.0.0.1:9005;
            }
    }

but were told that the second if wasn’t allowed there. So how can we accomplish this? All we want to do is prevent PHP from executing in these upload directories, just in case someone is able to bypass the checks in the upload scripts.

My answer:


One best-practice way to do this is with location blocks which refuse requests for PHP files.

For example:

server {
  location /vb_attach {
    location ~ .php$ {return 403;}
  }

  location /vb_album {
    location ~ .php$ {return 403;}
  }

  location ~ .php {
    ...
  }
}

The nginx wiki has several alternatives for preventing this particular security issue which you may find useful in other circumstances as well.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.