I am looking at the NGINX SSI module and I am wondering if there is a way to block the "file" option on SSI.
http://nginx.org/en/docs/http/ngx_http_ssi_module.html
So that someone does not do this
<!--# include file="/etc/passwd" -->
I wasn't able to find much on security in regards to include file, does anyone know anything about this?
First of all, the only way you can be completely certain that this won't happen is to run nginx as a non-root user (there are many other reasons to do so, and I'm sure you are doing so already).
Another thing to consider is that SSIs should generally be treated as privileged code, just as CGI scripts are. You should not generally allow them from untrusted users.
That said, the answer to your question is that nginx processes (source code) the SSI include directive by treating the file and uri options identically and passing them to ngx_http_subrequest. This is essentially the same as serving a file request for the given file, in particular in that the name is resolved relative to the root directive currently in effect. So there are still some security considerations, but in general it's much safer than it would be were the SSI parser to simply open and read the file on it's own.