Jamma

Reputation: 11

NGINX - Prevent directory traversal attack

I am configuring my web server by myself for the first time.

My folder structure is like this:

/var/www/sites/exampledomain1/public/

/var/www/sites/exampledomain2/public/

/var/www/sites/exampledomain2/public/

I made a "test.txt" file in every public folder and in /var/ and /var/www/. Then I made a simple PHP file that tries to include the test.txt files from different places, and I also tried to include /etc/passwd. And it was my "pleasure" to notice that I could include all the files from my public PHP file, even the /etc/passwd file.

I created "domain" users and put those only in the www-data group. Everything except www/.. is untouched, so /var/passwd etc. is root:root.

/var/www/ 755 www-data:www-data

/var/www/sites/ 755 www-data:www-data

/var/www/sites/exampledomain1/ 711 exampledomain1:www-data

/var/www/sites/exampledomain2/ 711 exampledomain2:www-data

/var/www/sites/exampledomain3/ 711 exampledomain3:www-data

/var/www/sites/exampledomain1/public 711 exampledomain1:www-data

/var/www/sites/exampledomain2/public 711 exampledomain2:www-data

/var/www/sites/exampledomain3/public 711 exampledomain3:www-data

At the moment all index.php files are 701: the owner can read, write and execute, users in the same group can't do anything, and the public can execute.

My goal is that you cannot include anything from other folders. So if one of my domains has an exploit and a hacker/cracker can run their own code, it can't include any files from other domains OR from deeper.

Upvotes: 1

Views: 4732
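The permission table in the question can be checked without touching a real server by modelling how Unix evaluates mode bits: every directory on the way to a file needs the search (x) bit, the file itself needs the read (r) bit, and exactly one class (owner, else group, else other) applies to a given user. The script below is an added illustration, not code from the question or the answers; the modes for /, /etc, /var and /etc/passwd are assumed typical defaults, everything else mirrors the question's table, and the domain users are modelled as members of www-data only, as the question describes.

```python
import posixpath
from dataclasses import dataclass

# Constructed model of the layout in the question: path -> (mode, owner, group).
# Modes for "/", "/etc", "/var" and "/etc/passwd" are assumptions (typical
# defaults); the remaining entries copy the permission table from the question.
LAYOUT = {
    "/": (0o755, "root", "root"),
    "/etc": (0o755, "root", "root"),
    "/etc/passwd": (0o644, "root", "root"),
    "/var": (0o755, "root", "root"),
    "/var/www": (0o755, "www-data", "www-data"),
    "/var/www/sites": (0o755, "www-data", "www-data"),
}
for n in (1, 2, 3):
    site = f"exampledomain{n}"
    base = f"/var/www/sites/{site}"
    LAYOUT[base] = (0o711, site, "www-data")
    LAYOUT[f"{base}/public"] = (0o711, site, "www-data")
    LAYOUT[f"{base}/public/index.php"] = (0o701, site, "www-data")

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset


def applicable_bits(mode, owner, group, ident):
    """Unix picks exactly one class: owner if it matches, else group, else other."""
    if ident.user == owner:
        return (mode >> 6) & 7
    if group in ident.groups:
        return (mode >> 3) & 7
    return mode & 7


def ancestors(path):
    """Every directory that must be traversed to reach `path`, starting at '/'."""
    dirs = ["/"]
    for part in path.strip("/").split("/")[:-1]:
        dirs.append(posixpath.join(dirs[-1], part))
    return dirs


def can_read(path, ident, layout=LAYOUT):
    """True if `ident` can open `path` for reading under the modelled layout."""
    if ident.user == "root":          # root bypasses discretionary permissions
        return True
    for d in ancestors(path):
        mode, owner, group = layout[d]
        if not applicable_bits(mode, owner, group, ident) & X:
            return False              # cannot even traverse this directory
    mode, owner, group = layout[path]
    return bool(applicable_bits(mode, owner, group, ident) & R)


def access_matrix(identities, targets, layout=LAYOUT):
    """(user, path) -> readable?  A quick way to review a whole layout at once."""
    return {(i.user, t): can_read(t, i, layout) for i in identities for t in targets}


if __name__ == "__main__":
    sites = [Identity(f"exampledomain{n}", frozenset({"www-data"})) for n in (1, 2)]
    targets = [
        "/var/www/sites/exampledomain1/public/index.php",
        "/var/www/sites/exampledomain2/public/index.php",
        "/etc/passwd",
    ]
    for (user, path), ok in access_matrix(sites, targets).items():
        print(f"{user:15} {'READ ' if ok else 'DENY '} {path}")
```

Running it shows the two sides of the question: with 701 files and 711 directories, exampledomain1 cannot read exampledomain2's index.php (the group class applies and carries no read bit), but /etc/passwd stays readable for every user because it is world-readable by design. Mode bits alone therefore separate the sites from each other but never hide system files; that is what the chroot in the accepted approach adds.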

Answers (2)

Adam Strohl

Reputation: 21

I would highly recommend PHP-FPM and chrooting. It is fully isolated in ways Apache/suexec could never be, and each site has its own user and its own chroot. It's what large ISP/hosting companies use for a reason.

The best part is that PHP-FPM is a breeze with NginX, too.

Upvotes: 1
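What the answer above describes, as an added example that is not from the answer or from the PHP project: one PHP-FPM pool per site, running as that site's own user and confined by chroot to the site's directory. The pool name, the per-domain group, the socket path and the directory layout are assumptions chosen to match the question; the file would normally live under the PHP-FPM pool directory (for example pool.d/, an assumed path).

```ini
; Added example: PHP-FPM pool for one site (pool name and paths are assumptions).
; Each site gets its own pool file with its own user, group, socket and chroot.
[exampledomain1]
user = exampledomain1
group = exampledomain1            ; assumes a per-domain group was created
listen = /run/php/exampledomain1.sock
listen.owner = www-data           ; nginx runs as www-data and must open the socket
listen.group = www-data
listen.mode = 0660

; Confine the workers: paths PHP sees are relative to this directory,
; so /etc/passwd on the host is simply not there for this pool.
chroot = /var/www/sites/exampledomain1
chdir = /public

pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 10s

; Second layer inside the chroot: include()/require() may not leave the docroot
; (the path is chroot-relative).
php_admin_value[open_basedir] = /public
```

On the nginx side the matching server block hands PHP requests to `fastcgi_pass unix:/run/php/exampledomain1.sock;` and, because the workers are chrooted, must send a chroot-relative script path such as `fastcgi_param SCRIPT_FILENAME /public$fastcgi_script_name;` rather than the host path. The usual chroot caveat applies: anything PHP needs at runtime (resolver configuration, timezone data, a database socket) has to be made available inside /var/www/sites/exampledomain1, and a test include of /etc/passwd from a site should then fail because the file does not exist in that pool's view of the filesystem.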

Andrey Kopeyko

Reputation: 1566

To create absolutely isolated environments, you should

a) use Apache backend + suexec + mod_php, because php-fpm does not support "suexec" as fully as Apache does

b) create not only individual users but also individual groups per your domains

c) configure a couple of name-based virtual hosts, one per domain serviced (hopefully you've done that already), and set the individual username as the suexec parameter

In this case you can set up 0700 rights on your domain DocumentRoots, and filesystem permissions will definitely separate your domains/users from each other.

Upvotes: 3
