For security reasons, I am trying to disable all PHP files except /public/index.php.
I have this nginx configuration, which is unfortunately not working:
root /var/www/html/public;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Referrer-Policy "same-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
add_header Cross-Origin-Opener-Policy "same-origin";
charset utf-8;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location ~ /\.(?!well-known).* {
deny all;
}
location ~ \.(html|htm|env)$ {
deny all;
}
location ~ \.(php|phar)$ {
location !~ ^/index\.php$ {
deny all;
}
}
This part is not working for me.
location ~ \.(php|phar)$ {
location !~ ^/index\.php$ {
deny all;
}
}
Document root is set to /public, and within that folder I also have this .htaccess:
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
RewriteEngine On
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
What would be the best and safest way to do it?
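A working nginx equivalent of the intended rule, as an added example (not the poster's configuration): nginx has no `!~` location modifier, so instead an exact-match `location = /index.php` (which nginx always prefers over regex locations) is the only block that reaches PHP-FPM, and the regex location denies every other `.php`/`.phar` path. The PHP-FPM socket path and server name are placeholders.

```nginx
# Added example, not the original poster's config. Assumes the document root
# /var/www/html/public and a PHP-FPM socket at /run/php/php-fpm.sock (placeholder).
server {
    listen 80;
    server_name example.com;            # placeholder
    root /var/www/html/public;
    index index.php;
    charset utf-8;

    # Front controller: paths that are not real files or directories are
    # internally redirected to /index.php. That redirect re-runs location
    # matching, so it lands in the exact-match block below.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Exact match wins over every regex location, so /index.php never reaches
    # the deny block further down. This is the only script passed to PHP-FPM.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Any other *.php or *.phar path, in any directory under the root,
    # is refused before PHP-FPM is ever involved.
    location ~ \.(php|phar)$ {
        deny all;
    }

    # Dotfiles except .well-known (this also covers a copied-over .htaccess).
    location ~ /\.(?!well-known).* {
        deny all;
    }

    location ~ \.(html|htm|env)$ {
        deny all;
    }
}
```

Note that the .htaccess file is read only by Apache; nginx ignores it, so the rewrite rules it contains have no effect here and the front-controller logic must live in the nginx `try_files` line. After reloading, check that `/index.php` and an unknown path such as `/foo` are served by the application while `/other.php` and `/sub/x.phar` return 403.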