Deny access to some PHP files using nginx, php-fpm and let's encrypt

[Jjth01]

Hi,

While using a combination of Nginx, PHP-FPM and Let's Encrypt, I tried to deny access to PHP files within some folders using Froxlor's (0.9.39.5) per-vhost configuration.

Here is what I put within the per-vhost configuration field:

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
	deny all;
}

However, once the nginx configuration is re-generated, this is an extract the generated file:

location ~ ^(.+?\.php)(/.*)?$ {
	try_files /[hex_file_name].htm @php;
}

location @php {
	try_files $1 = 404;

	include /etc/nginx/fastcgi_params;
	fastcgi_split_path_info ^(.+\.php)(/.+)\$;
	fastcgi_param SCRIPT_FILENAME $document_root$1;
	fastcgi_param PATH_INFO $2;
	fastcgi_param HTTPS on;
	fastcgi_pass unix:/var/run/[removed_file_name].socket;
	fastcgi_index index.php;
}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
	deny all;
}

Per Nginx's location prioritization, regular expressions are matched in the order they are defined.

Indeed it works well to make Let's Encrypt certificate generation seemless but I can't seem to find an way to restrict access to:

https://mywebsite.com/config/config.php

or any other PHP files within the mentionned folders.

 

I couldn't find anyone that had the same problem, would you help me find out how I can make this work ?

Thanks,

Jean