Flux RSS des billets

DotMG's joblog

Work hard at whatever you do! (Ecc. 9. 10a)
Wikkawiki on nginx - the rewrite rules
Publié le 3 Fév 2013, 3:17 am dans cms, nginx

Yesterday I talked about installing WikkaWiki. I didn't mention it was about installing WikkaWiki on nginx. Wikkawiki is a CMS designed to function with Apache. Pretty URLS were achieved by using Apache's RewriteModule. Like for many other PHP CMS, URLs like http://example.com/wikka.php?wakka=HomePage are shortened like http://example.com/HomePage, so the Rewrite Engine translates /HomePage to /wikka.php?wakka=HomePage

Rewrite Rules can be translated into nginx statement configurations, and WikkaWiki Rewrite Rules are rather simple. The nginx rule is as simple as :

try_files $uri $uri/ @wikka;
location @wikka {
 rewrite (.*) /wikka.php?wakka=$1;
 fastcgi_pass 127.0.0.1:9000;
 fastcgi_index index.php;
 include /etc/nginx/fastcgi_params;
}

The try_files line is used to select rewriting only for non existent files. If file exists ($uri) or if we access a directory ($uri/), then they are served as is. In other words, resources like CSS, JS, Images, ... won't be redirected into wikka.php. However, if these conditions are not met (file doesn't exist), then location will fallback to @wikka, where rewriting happens.

The rewrite line is the actual rewriting rule. It's straightforward to understand. However, it is not sufficient because the try_files seems to short-circuit the execution of the page as PHP script, and without the fastcgi_pass, fastcgi_index and include below, the page just returns as an attachment to download. What you should do is to search in your nginx configuration how php files are executed. Search something like location ~ \.php$ { in your nginx configuration files, e.g. by grepping in /etc/nginx/. Copy everything inside the location php block into your location @wikka and restart nginx; that should do the trick. Don't forget to edit manually wikka.config.php and change rewrite_mode to '1'.

Another thing you must keep in mind is that with this trick, if the URI exists, it will not be rewritten. It is a slight difference with Apache where only some folders were specifically served without rewriting. If someone accesses http://example.com/wikka.config.php, this file will be executed. In Apache, it will be redirected to /wikka.php?wakka=wikka.config.php. In general, this is a non-issue, because with WikkaWiki, php files accessed directly don't do any harm, outputting a blank page in most cases. But it IS a security issue if you rely on RewriteEngine to forbid access to some sensitive directory. For example, if you allow visitors to upload files on your server, there is a risk that this file is served (or executed) by nginx.

3 Commentaires
Flux RSS des commentaires
Ian :
Does this security breach impact the wikka 1.3.3 release as well ?
4 Fév 2013, 6:21 pm · Lien permanent
Hi Ian, please note that I am talking about an hypothetical security issue which would affect Wikkawiki installed on webserver other than Apache, with permissions set to allow visitors to send files via the {{files}} action. Just because Wikkawiki was designed with Apache, security needs to be reconsidered on other type of server, especially there where the platforms have different behaviors.
4 Fév 2013, 7:43 pm · Lien permanent
Ian :
Ok thanks Mahefa, I do not plan to set it up elsewere than Apache :-)
5 Fév 2013, 8:20 am · Lien permanent
Les commentaires sont fermés pour ce billet.