TechEmpower.FrameworkBenchmarks/php-micromvc/README/sample.nginx.conf

# Basic server setup for domain "servername.tld"
server {
	listen 80;
	server_name servername.tld;
	root /home/user/www/$host/Public;
	index index.html index.php;

	# Directives to send expires headers and turn off 404 error logging.
	#location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
	#	expires 24h;
	#	log_not_found off;
	#}

	# Route all requests for non-existent files to index.php
	location / {
		try_files $uri $uri/ /index.php$is_args$args;
	}

	# Pass PHP scripts to php-fastcgi listening on port 9000
	location ~ \.php$ {

		# Zero-day exploit defense.
		# http://forum.nginx.org/read.php?2,88845,page=3
		# Won't work properly (404 error) if the file is not stored on
		# this server,  which is entirely possible with php-fpm/php-fcgi.
		# Comment the 'try_files' line out if you set up php-fpm/php-fcgi
		# on another machine.  And then cross your fingers that you won't get hacked.
		try_files $uri =404;

		include fastcgi_params;
		fastcgi_pass 127.0.0.1:9000;
	}
}

# PHP search for file Exploit:
# The PHP regex location block fires instead of the try_files block. Therefore we need
# to add "try_files $uri =404;" to make sure that "/uploads/virusimage.jpg/hello.php"
# never executes the hidden php code inside virusimage.jpg because it can't find hello.php!
# The exploit also can be stopped by adding "cgi.fix_pathinfo = 0" in your php.ini file.