Urgent security issue in NGINX/php-fpm

#22

I corrected the article now regarding SCRIPTFILENAME vs. SCRIPT_FILENAME and PATHINFO vs. PATH_INFO. Also I pinned it globally.

1 Like
#23

Oh - you can edit the first post? Could you please also add what Meiros posted?

The was another change in the nginx-config, which didn‘t make it in the initial post. It would be great, if you could add that as well, since many people might not notice the other change.

1 Like
#24

I actually didn’t want to mess with the official post, but I think you are right. If users already modify their config, it should be done right.

So @all please, check your config again, there has been a little change in the first post!

2 Likes
#25

i see two added lines:

set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;

Edit: Oh, Bernie_O already mentioned that in the post above. My bad

#26

@Schmu Please also update the official blog post. Having two different versions might be a bit confusing.
@jospoortvliet

1 Like
#27

@DecaTec

Sorry, I’m not an official and don’t have access to the blog.
I only jumped in to help forum users to directly pick the latest config changes. We have to wait for @system to do so.

1 Like
#28

Please remove the typo ^^

$try_files
->
try_files

3 Likes
#29

I’m running Nginx on a raspberry pi as a reverse proxy. And on another raspberry pi NextcloudPi. Would it effect me as well?

Asking because i don’t even have ’ rewrite ^ /index.php$request_uri ’ under location…

#30

same here, do i need to update the php version running nextcloud on snap? if yes then how do i do that?

#31

no

#32

Updated nginx to mainline, php to 7.3, and nextcloud to 17. Running on Ubuntu 19.10, and I added the nginx hardened config…

I got a whitescreen of death now, cannot access nextcloud.

#34

Is it related to this?

#35

Yep, that warning is real.

White screen went away, it seems OP needs to be updated.

#36

There’s one new line in the docs, which is not included in the op.

location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    # Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    # Enable pretty urls
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}

Added set $path_info $fastcgi_path_info;

If you edited or will edit, it’s good to look the example in the docs.

1 Like
#37

Dumb question:

I don´t have

location / {
                rewrite ^ /index.php$request_uri;
            }

But I have

location / {
  try_files                           $uri $uri/ index.php;
}

Is this part doing the same stuff, just with other words? If I just add the

 location / {
                rewrite ^ /index.php;
            }

section the “nginx configtest” fails. PHP by the way not updated yet cause latest Raspbian sources are not containing it yet :frowning:

#38

Similar to you I have:

location / {
rewrite ^ /index.php$uri;
}

Do I need to change this?

#39

Thank you, i had this error:

$ sudo nginx -t
nginx: [emerg] unknown directive "$try_files" in /etc/nginx/conf.d/nextcloud.conf:107
nginx: configuration file /etc/nginx/nginx.conf test failed
#40

For others searching for the correct (and updated) documentation:
https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html

The examples under docker repo are still not updated. So use the documentation to update the nginx configs.

#41

For those working with nginx as reverse proxy to a docker container, or any other configuration where local files at nginx proxy do not match to path at fastcgi server.
You would need to edit SCRIPT_FILENAME to match against the path inside the fastcgi server. An example in case of the official fpm docker container:
fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;

#42

My config was a bit different, but also needed patching anyways.
I made a backup of the old config and just replaced everything with the new one.

Just needed to adjust server_name , root , ssl_certificate and ssl_certificate_key, as advised on the documentation. Quick and easy.

As many have mentioned, the patched PHP version was not available for me until yesterday. It is available now though (I am using Sury’s repos on Debian 9, with php 7.3).

Gotta thank Sury for how fast he made that available!

Cheers!
Gus