
/etc/nginx/php.conf

a guest
Sep 30th, 2012
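  # Route all requests for non-existent files to index.php.
  #
  # This has to be a prefix location, not a regex one. nginx tests regex
  # locations in the order they appear in the configuration and stops at the
  # first match, so a catch-all regex such as "~* /" placed above the "\.php$"
  # block takes every request. Existing .php files would then be served as-is
  # from this block (source disclosure) instead of being passed to FastCGI,
  # and the "try_files $uri =404;" check in the PHP block would never run.
  location / {
          # try_files takes file candidates followed by one fallback URI.
          # A location modifier such as "~*" is not valid in that list; it
          # would only be tested as a file name.
          try_files $uri $uri/ /index.php$is_args$args;
  }
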
  # Hand PHP scripts to the php-fastcgi backend listening on port 9000.
  location ~ \.php$ {

          # Only pass a request to PHP when the requested file really exists.
          # Background: http://forum.nginx.org/read.php?2,88845,page=3
          # The check runs against this server's filesystem, so every request
          # gets a 404 when the scripts are stored on another machine, which is
          # entirely possible with php-fpm/php-fcgi. In that setup the line has
          # to be commented out, and the protection goes with it; rely on
          # "cgi.fix_pathinfo = 0" in php.ini on the PHP host instead.
          try_files $uri =404;

          include fastcgi_params;

          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

          # Kept for compatibility with old PHP scripts that read them.
          # NOTE(review): $fastcgi_path_info is only populated by
          # fastcgi_split_path_info, which this block does not set - confirm
          # whether it is configured at an outer level.
          fastcgi_param PATH_INFO $fastcgi_path_info;
          fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;

          # Error handling and client disconnects
          fastcgi_intercept_errors on;
          fastcgi_ignore_client_abort off;

          # Timeouts (seconds)
          fastcgi_connect_timeout 20;
          fastcgi_send_timeout 180;
          fastcgi_read_timeout 180;

          # Response buffering
          fastcgi_buffer_size 128k;
          fastcgi_buffers 4 256k;
          fastcgi_busy_buffers_size 256k;
          fastcgi_temp_file_write_size 256k;

          # Backend address
          fastcgi_pass 127.0.0.1:9000;
  }
  # PHP "search for file" exploit:
  # The PHP regex location block handles the request instead of the try_files block.
  # Therefore we need "try_files $uri =404;" inside it, so that a request for
  # "/uploads/virusimage.jpg/hello.php" never executes the PHP code hidden inside
  # virusimage.jpg: hello.php cannot be found, so the request ends in a 404.
  # The exploit can also be stopped by setting "cgi.fix_pathinfo = 0" in your php.ini file.