See article at https://blog.simos.info/testing-cve-2019-11043-php-fpm-security-vulnerability-with-lxd-system-containers/

October 28, 2019 · View on GitHub

Location: /etc/nginx/sites-enabled/default

server { listen 80 default_server; root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.php;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    location ~ [^/].php(/|$) {

include fastcgi.conf;

regex to split uritouri to fastcgi_script_name and $fastcgi_path

fastcgi_split_path_info ^(.+.php)(/.+)$;

Check that the PHP script exists before passing it

#try_files $fastcgi_script_name =404;

Bypass the fact that try_files resets $fastcgi_path_info

see: http://trac.nginx.org/nginx/ticket/321

set pathinfopath_info fastcgi_path_info; fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;

        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
   }

}