From 9efc384582b6397f52f6d8e637550c21f8b5be78 Mon Sep 17 00:00:00 2001
From: Fred Condo
Date: Thu, 28 May 2015 17:00:33 -0700
Subject: [PATCH] Add defense against SS-2015-013 to nginx example
---
 .../01_Installation/How_To/Configure_Nginx.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md b/docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md
index ff0b9c6cd..a8ae1cbd3 100644
--- a/docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md
+++ b/docs/en/00_Getting_Started/01_Installation/How_To/Configure_Nginx.md
@@ -8,12 +8,14 @@ able to run PHP files via the FastCGI-wrapper from Nginx.
 Now you need to set up a virtual host in Nginx with configuration settings that are similar to those shown below.
+
If you don't fully understand the configuration presented here, consult the [nginx documentation](http://nginx.org/en/docs/). Especially be aware of [accidental php-execution](https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ "Don't trust the tutorials") when extending the configuration.
+
 But enough of the disclaimer, on to the actual configuration — typically in `nginx.conf`:
 server {
@@ -21,6 +23,11 @@ But enough of the disclaimer, on to the actual configuration — typically in `n
 root /path/to/ss/folder;
 server_name site.com www.site.com;
+
+ # Defend against SS-2015-013 -- http://www.silverstripe.org/software/download/security-releases/ss-2015-013
+ if ($http_x_forwarded_host) {
+ return 400;
+ }
 location / {
 try_files $uri /framework/main.php?url=$uri&$query_string;
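Review bot: The added `if ($http_x_forwarded_host) { return 400; }` rule answers 400 to every request that carries an X-Forwarded-Host header, so a deployment where a legitimate upstream proxy or load balancer sets that header will reject all of its traffic; the example should say so next to the rule, and readers in that situation need to strip or overwrite the header at the proxy instead of rejecting it here. The comment line should also state that this edge rule is a mitigation for installs that cannot yet apply the fixed framework release referenced by the linked advisory, not a substitute for upgrading, e.g. `# Mitigation for SS-2015-013 on not-yet-patched installs; remove once upgraded. Do not use behind a proxy that legitimately sets X-Forwarded-Host.`. Since the rule sits in the `server` context ahead of every `location`, it is evaluated for all requests to this virtual host, which is the intended scope but worth stating in the prose so readers do not move it into a single `location`. The enclosing `server { … }` block continues outside the hunk.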