Hello guys,
I just noticed a problem with my Nginx installation: I enable the PHP FPM status page (URL: /status). Then I add the location block on a default virtual host allowing only 127.0.0.1 to connect to this page.
Luckily I have tested my website (www.example.com/status), because the status page shows up even from outside. It took me quite a while to figure out the problem; I think I may have found an explanation (at least, this is the only one I can think of):
If I remove the /status location block everywhere in my websites, the /status URL keeps working from outside. So the location block does nothing. I think there is a strong incompatibility between the FPM status feature and the Nginx try_files feature. I am using a try_files on example.com which sends the requests to PHP if the URI does not match a file nor a folder. So PHP receives the /status GET request and therefore replies with the status page!!
I think this is quite serious as the status page may contain some confidential information, especially with the ?full query string.
Has anyone seen this before? How can I prevent the status page from being seen outside the loopback address?
Thanks
Axel
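An added configuration example, not part of Axel's post, showing the vhost pattern described above (try_files handing /status to FPM) next to a hardened server block where the loopback-only guard sits in the same server block as the PHP handler. The hostnames, document root and the FPM socket path are assumptions; it assumes the pool has pm.status_path = /status.

```nginx
# Added example, not from the original post. Assumed: vhost example.com,
# FPM listening on unix:/run/php/php-fpm.sock with pm.status_path = /status.

# 1) The pattern that leaks: try_files hands every non-file URI, /status
#    included, to FPM with SCRIPT_NAME = /status, so FPM answers with the
#    status page. A restricted /status location that lives in a DIFFERENT
#    server block (the default vhost) never applies to requests served here.
server {
    listen 80;
    server_name leaky.example.com;       # hypothetical name for the bad vhost
    root /var/www/example.com;
    location / {
        try_files $uri $uri/ @php;
    }
    location @php {
        include fastcgi_params;          # SCRIPT_NAME = $fastcgi_script_name = /status
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# 2) Hardened: the guard is in the same server block as the PHP handler.
#    The exact-match location wins over "location /", so try_files is never
#    reached for /status, and "deny all" rejects non-loopback clients with
#    403 before anything is forwarded to FPM.
server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com;
    location = /status {
        allow 127.0.0.1;
        deny all;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    location / {
        try_files $uri $uri/ @php;
    }
    location @php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
# Repeat the "location = /status" guard in every server block that passes
# requests to this pool, or leave pm.status_path unset in pools that do not
# need it: FPM serves the page to any front end that forwards that SCRIPT_NAME.
```

After reloading, a request for /status from a non-loopback address should get a 403 from nginx rather than the FPM status output; the same check is worth repeating against every hostname that proxies to the pool.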