Nginx, the infamous "Input file not specified", solution included and possible explanation regarding the solution needed

Question

I'm very sorry for such a long title, not sure to put it elegantly

I was setting up my first nginx based on these 2 great tutorials:

setup http://fideloper.com/ubuntu-12-04-lemp-nginx-setup

security http://publications.jbfavre.org/web/php-fpm-apps-server-nginx.en

Then I ran into this infamous "No Input File Specified"

I managed to fix it but I still don't understand exactly what went wrong and I hope that you can help me to understand this issue.

vim /etc/nginx/sites-available/www.mysite.com

server {
        #listen   80; ## listen for ipv4; this line is default and implied
        #listen   [::]:80 default ipv6only=on; ## listen for ipv6

        root /var/www/vhosts/mysite.com/w/w/w/www/htdocs;
        index index.php index.html index.htm;

        # Make site accessible from http://www.mysite.com
        server_name www.mysite.com;

        access_log /var/www/vhosts/mysite.com/w/w/w/www/logs/access_mysite.log;
        error_log /var/www/vhosts/mysite.com/w/w/w/www/logs/error_mysite.log;
        # Specify a character set
        charset utf-8;

        # h5bp nginx configs
        include conf/h5bp.conf;
        #include /var/www/vhosts/mysite.com/w/w/w/www/config/nginx.conf

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to index.html
                try_files $uri $uri/ /index.html;
                #root /var/www/vhosts/mysite.com/w/w/w/www/htdocs/;
                # Uncomment to enable naxsi on this location
                # include /etc/nginx/naxsi.rules


        location /doc/ {
                alias /usr/share/doc/;
                autoindex on;
                allow 127.0.0.1;
                deny all;
        }

        # Don't log robots.txt or favicon.ico files
        location = /favicon.ico { log_not_found off; access_log off; }
        location = /robots.txt  { access_log off; log_not_found off; }

        # 404 errors handled by our application, for instance Symfony
        error_page 404 /app.php;

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

            # With php5-cgi alone:
            # fastcgi_pass 127.0.0.1:9000;
            # With php5-fpm:
            fastcgi_pass unix:/var/run/nginx/www.mysite.com.sock;
            fastcgi_index index.php;
            include fastcgi_params;

            # this specific line FIXED the no input file specified
            fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
        }

        # Deny access to .htaccess
        location ~ /\.ht {
            deny all;
        }

        # Only for nginx-naxsi : process denied requests
        #location /RequestDenied {
                # For example, return an error code
                #return 418;
        #}

        # redirect server error pages to the static page /50x.html
        #
        #error_page 500 502 503 504 /50x.html;
} 

vim /var/www/vhosts/mysite.com/w/w/w/www/config/fpm-pool.conf

[www.mysite.com]
    listen                 = /var/run/nginx/www.mysite.com.sock
    listen.backlog         = -1
    listen.allowed_clients = 127.0.0.1
    listen.owner           = www.mysite.com
    listen.group           = mysite.com
    listen.mode            = 0666

    user  = www.mysite.com
    group = mysite.com

    pm                   = dynamic
    pm.max_requests      = 0
    pm.max_children      = 2
    pm.start_servers     = 1
    pm.min_spare_servers = 1
    pm.max_spare_servers = 1

    pm.status_path       = /php_pool_wwww.mysite.com_status
    ping.path            = /www.mysite.com_ping
    ping.response        = www.mysite.com_pong

    request_terminate_timeout = 2
    request_slowlog_timeout   = 1
    slowlog                   = /var/www/vhosts/mysite.com/w/w/w/www/logs/php-slow.log

    ;rlimit_files = 1024
    ;rlimit_core = 0

    chroot = /var/www/vhosts/mysite.com/w/w/w/www/htdocs/
    ; Chdir to this directory at the start. This value must be an absolute path.
    ; Default Value: current directory or / when chroot
    ;chdir = /

    catch_workers_output = yes

    env[HOSTNAME] = $HOSTNAME
    env[TMP]      = /tmp
    env[TMPDIR]   = /tmp
    env[TEMP]     = /tmp


    ;   php_value/php_flag             - you can set classic ini defines which can
    ;                                    be overwritten from PHP call 'ini_set'.
    ;   php_admin_value/php_admin_flag - these directives won't be overwritten by
    ;                                     PHP call 'ini_set'
    php_flag[display_errors]            = on
    php_admin_value[error_log]          = /logs/php_err.log
    php_admin_flag[log_errors]          = on
    php_admin_value[memory_limit]       = 1M
    php_value[max_execution_time]       = 2

I'm sorry for the long post, just want to put as much details as possible. As you can see the line "fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;" helped to fix the issue. But why does it happen in the first place? I suspect it has something to do with chroot, I suspect that the absolute path to the php file was considered relative to the chroot somehow?

-----EDIT 1:

chroot = /var/www/vhosts/mysite.com/w/w/w/www/
; Chdir to this directory at the start. This value must be an absolute path.
; Default Value: current directory or / when chroot
chdir = /htdocs

I tried to see if I can move the chroot 1 dir up and use chdir to make it start loading from htdocs folder but then I get the no input file specified back.

PS: I have cgi.fix_pathinfo=1 btw, as suggested here to make it run with SF2

Answer 1

No Input File Specified This means you didn't pass the path of the php file that will be executed to php-fpm. Which is passed by SCRIPT_FILENAME param.

For security reasons, its good to have cgi.fix_pathinfo=0 . Symfony will work with it dont worry.

The php block is the important part.

location ~ \.php$ This means if a uri ends with ".php" it'll be passed to php. Now if there is a image and some attacker adds ".php" with it, with fix_pathinfo enabled it'll be passed to php handler and can execute arbitrary code in server. So i suggest you add cgi.fix_pathinfo=0 in php.ini and remove fastcgi_split_path_info ^(.+\.php)(/.+)$; from nginx.

The config i use for symfony2 is,

server {
    listen       80;
    server_name projectname.local;

    root /Users/sarim/Sites/php55/projectname/web;
    index app_dev.php index.html index.htm;

    location / {
    try_files $uri $uri/ /app_dev.php?$args;
    }

    location ~ ^/(app|app_dev|config)\.php(/|$) {
        fastcgi_pass   unix:/usr/local/var/run/php55.sock;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }

}

Here check the location / block. try_files $uri $uri/ makes sure static files are served. And then if its not a static file, pass to /app_dev.php.

Now check php location block, only app or app_dev or config.php can be accessed. No arbitrary file execution. Now the important fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; line. It should always be $document_root$fastcgi_script_name. This way php can find the file.