A safer nginx virtual host config for Symfony2 sites

As Symonfy redirects all PHP requests to app.php, it’s a safe solution to only use app.php as your nginx fastcgi_pass script. This way it’s simply impossible to run PHP code from other files (e.g. malware that tries to inject code into your site).

Your webroot would still point to Symonfy’s web directory.


server {
  listen 80;
  root /var/www/vhosts/example.org/htdocs/web;
  index index.php index.html;
  location / {
    try_files $uri @app;
  location @app {

    fastcgi_pass unix:/var/run/php5-fpm.sock;

    include fastcgi_params;

    fastcgi_param SCRIPT_FILENAME /var/www/vhosts/example.org/app/app.php;
    fastcgi_param SCRIPT_NAME /var/www/vhosts/example.org/app/app.php;



Unlike a common PHP setup for nginx, there is no location match for *.php files now.

This setup can also be applied to Drupal’s setup, as Drupal does the same thing with the index.php file in the document root.

This information was taken from Gerry Vandermaesen’s The Unofficial ‘Best’ Practises on Symfony development.

comments powered by Disqus