Issue ssl client

biancasalvatore · Thursday at 11:57 PM

problem

Raul A. · Friday at 12:33 AM

You need to set the php settings in that location. Once that location is matched, the other location that handles PHP requests is no longer matched thus any PHP file in /secure will be treated like a plain txt file, exposing the php source rather the generated output.
You could enable Proxy Mode and set PHP requests to ve handled by Apache. Then in the /secure location proxy the requests to the Apache port.

biancasalvatore · Friday at 1:07 AM

secure is path, not is file

now:
location /secure/ {
fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
fastcgi_param SSL_CLIENT_DN $ssl_client_s_dn;
}

more sample for me?

for test con smartcard

PHP 8.3.20 - phpinfo()

Raul A. · 2025-05-12T06:55:42-0700

Hi,

The Nginx Virtual Host looks like this:

Code:

server {
        listen x.x.x.x:443 ssl;
        http2 on;

        server_name example.net;
        server_name www.example.net;
        server_name ipv4.example.net;

        ssl_certificate             /usr/local/psa/var/certificates/***;
        ssl_certificate_key         /usr/local/psa/var/certificates/***;

        client_max_body_size 134217728;

        # mailconfig
        location ~* ^/autodiscover/autodiscover\.xml$ {
                try_files $uri @mad;
        }
        location ~* ^(/\.well-known/autoconfig)?/mail/config\-v1\.1\.xml$ {
                try_files $uri @mad;
        }

        location  ~* ^/email\.mobileconfig$ {
                try_files $uri @mad;
        }

        location @mad {
                rewrite ^(.*)$ /mailconfig/ break;

                proxy_pass                          http://127.0.0.1:8880;
                proxy_set_header X-Host             $host;
                proxy_set_header X-Request-URI      $request_uri;
        }
        # mailconfig

        access_log "/var/www/vhosts/system/example.net/logs/proxy_access_ssl_log";
        error_log "/var/www/vhosts/system/example.net/logs/proxy_error_log";

        root "/var/www/vhosts/example.net/httpdocs";

        #extension performance-booster begin
        # Additional directives added by Plesk Optimization Settings

        # Additional directives added by Plesk Optimization Settings
        #extension performance-booster end

        #extension sslit begin

        #extension sslit end

        #extension letsencrypt begin
        location ^~ /.well-known/acme-challenge/ {
                root /var/www/vhosts/default/htdocs;

                types { }
                default_type text/plain;

                satisfy any;
                auth_basic off;
                allow all;

                location ~ ^/\.well-known/acme-challenge.*/\. {
                        deny all;
                }
        }
        #extension letsencrypt end

        location ~ /\.ht {
                deny all;
        }

        location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
                auth_basic "Domain statistics";
                auth_basic_user_file "/var/www/vhosts/system/example.net/pd/d..httpdocs@plesk-stat";
                autoindex on;

                location ~ ^/plesk-stat(.*) {
                        alias /var/www/vhosts/system/example.net/statistics/$1;
                }

                location ~ ^/awstats-icon(.*) {
                        alias /usr/share/awstats/wwwroot/icon/$1;
                }

                location ~ ^/(.*) {
                        alias /var/www/vhosts/system/example.net/statistics/$1;
                }
        }

        location ~ ^/~(.+?)(/.*?\.php)(/.*)?$ {
                fastcgi_read_timeout 120;
                alias /var/www/vhosts/example.net/web_users/$1/$2;
                fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
                try_files $uri $fastcgi_script_name =404;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_pass "unix:/var/www/vhosts/system/example.net/php-fpm.sock";
                include /etc/nginx/fastcgi.conf;

        }

        location ~ \.php(/.*)?$ {
                fastcgi_read_timeout 120;
                fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
                try_files $uri $fastcgi_script_name =404;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_pass "unix:/var/www/vhosts/system/example.net/php-fpm.sock";
                include /etc/nginx/fastcgi.conf;

        }

        index "index.php" "index.html" "index.cgi" "index.pl" "index.xhtml" "index.htm" "index.shtml";

        disable_symlinks if_not_owner "from=/var/www/vhosts/example.net";

        add_header X-Powered-By PleskLin;

        include "/var/www/vhosts/system/example.net/conf/vhost_nginx.conf";
}

The Additional Nginx Directives are saved in "/var/www/vhosts/system/example.net/conf/vhost_nginx.conf";

Here is a nice explanation of how the location directives are ordered when Nginx tries to find the requested page: https://stackoverflow.com/questions/5238377/nginx-location-priority

The following block in Additional Nginx Directives will add the environment variables you are looking for:

Code:

location /secure {

    location ~ \.php(/.*)?$ {

        fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
        fastcgi_param SSL_CLIENT_DN $ssl_client_s_dn;

        fastcgi_read_timeout 120;
        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        try_files $uri $fastcgi_script_name =404;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass "unix:/var/www/vhosts/system/example.net/php-fpm.sock";
        include /etc/nginx/fastcgi.conf;

    }

}

Issue ssl client

biancasalvatore

New Pleskian

Raul A.

Regular Pleskian

biancasalvatore

New Pleskian

Raul A.

Regular Pleskian

Similar threads