nginx - deny all *.php requests except index.php for security reasons
Solution 1:
You can achieve this in a number of ways.
Integrating quite directly with what you have in your config file, you may wish to simply include a section such as the following:

    location ~ \.php$ {
        try_files index.php @error;
        fastcgi_pass ...;
        fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name;
        ...
    }
    location @error {
        [config of however you want to handle errors]
    }

Which will check for the existence of the requested file before allowing its access/execution.
Further to the above however, I would actually personally recommend using fail2ban which will provide you more comprehensive security if configured correctly; you can configure it to monitor your access logs in real-time and ban IPs from accessing your server(s) by automatically creating new iptables rules on-the-fly, with ban times which you specify.
Personally I have my servers configured to use fail2ban with nginx as per this article (or at least based upon that - you may alter it as you wish).
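
One way to express the rule in the question title (only index.php may execute, every other *.php request is refused), given here as an added example that is not part of the answer above. It relies on nginx choosing an exact-match location before any regex location. The server name, root path and PHP-FPM socket are assumptions to replace with your own values.

```nginx
# Added example, not from the original answer.
# Assumptions: server_name, root path and PHP-FPM socket path.
server {
    listen 80;
    server_name example.test;
    root /var/www/app/public;
    index index.php;

    # Exact-match locations are selected before regex locations,
    # so this is the only block that ever hands a request to PHP-FPM.
    location = /index.php {
        include fastcgi_params;
        # Hard-code the script so no request-derived path reaches PHP.
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Any other URI ending in .php, or using the PATH_INFO form
    # (/file.php/extra), is refused. ~* makes the match case-insensitive
    # so /Upload.PHP is covered on case-insensitive filesystems too.
    location ~* \.php(/|$) {
        return 404;
    }

    # Static files are served directly; anything else falls back to the
    # front controller through an internal redirect to /index.php.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

After reloading, a request for an uploaded or leftover script such as /uploads/test.php should return 404 from nginx itself and never appear in the PHP-FPM log.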