MyBB

Here is a basic configuration file, which works great as of MyBB 1.6.3.

server {
    server_name quantifiedselfforum.com;
 
    access_log logs/qsforum.access;
    error_log logs/qsforum.error error;
 
    root /var/www/qsforum;
 
    location / {
        index index.php;
    }
 
    # Deny access to internal files.
    location ~ /(inc|uploads/avatars) {
        deny all;
    }
 
    # Pass the php scripts to fastcgi server
    location ~ \.php$ {
        fastcgi_pass unix:/tmp/php.socket;
        # Necessary for php.
        fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        # Unmodified fastcgi_params from nginx distribution.
        include fastcgi_params;
    }
 
}

There is a potential security flaw: for example, a user uploads an avatar image pic.gif containing valid PHP code and requests it as /uploads/avatars/pic.gif/foo.php. The issue is discussed here. Because the URL ends in .php, nginx passes the request to the PHP interpreter. PHP can't find the file /uploads/avatars/pic.gif/foo.php, but it tries to be smart and executes /uploads/avatars/pic.gif as a PHP script. To avoid this, set cgi.fix_pathinfo=0 in your php.ini; the default is cgi.fix_pathinfo=1 (unfortunately).
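
A hardened variant of the PHP location above, as an added example that is not part of the original page's configuration. It keeps the page's socket path and SCRIPT_FILENAME, and adds a `try_files` existence check (an assumption not mentioned on the page, which requires nginx to see the same files as PHP) alongside the cgi.fix_pathinfo=0 setting.

```nginx
# Added example, not from the original page.
#
# php.ini, as the page recommends:
#     cgi.fix_pathinfo=0

# Before: every URI ending in .php is forwarded to PHP, whether or not
# a file with that name exists, so PHP is left to guess the script.
#
# location ~ \.php$ {
#     fastcgi_pass unix:/tmp/php.socket;
#     fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
#     include fastcgi_params;
# }

# After: nginx forwards the request only if the URI maps to a real file.
location ~ \.php$ {
    # /uploads/avatars/pic.gif/foo.php is not a file under $document_root
    # (pic.gif is a file, not a directory), so nginx returns 404 here
    # and the request never reaches the PHP interpreter.
    try_files $uri =404;

    fastcgi_pass unix:/tmp/php.socket;
    # Necessary for php.
    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    # Unmodified fastcgi_params from nginx distribution.
    include fastcgi_params;
}
```

The two settings are independent layers: `try_files` stops the request in nginx, and cgi.fix_pathinfo=0 stops PHP from walking up the path if a request does get through. After reloading nginx and restarting the PHP FastCGI process, a request for an existing non-PHP file with /foo.php appended should return 404.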

See PHPFcgiExample for details on creating the UNIX socket and this forum post on enabling human-understandable (aka SEO-friendly or human-readable) URLs using the Google SEO plugin.