Apache + PHP-FPM + ProxyPassMatch (clean way)

Altegras

Hello,

After I installed CB 2.0 with PHP-FPM I saw that /var/www/html is handled by ProxyPassMatch, as stated here: http://wiki.apache.org/httpd/PHP-FPM - It's a very good, safe and fast solution to use FPM. That's why I modified custom virtualhost files and did the same thing for users as well - and I also saw that DA 1.3 will have this feature by default (no more messing with fastcgi module). Well, that's cool ... but there is a problem!

For example, we have a document-root path: /home/user/domains/test.org/public_html, in this path we have three files: 1.png (a simple image), 1.php (a simple php script <?php phpinfo(); ?>) and .htaccess with contents:

Code:
Require all denied

If we try to access http://test.org/1.png we will have:

Forbidden
You don't have permission to access /1.png on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

That's fine, it's what we want ... but if we try to access http://test.org/1.php we will receive the actual output of that php file (parsed data), so ... this could be a major security risk. I've searched on Google in the last 4-5 hours ... didn't find anything. How can I make ProxyPassMatch listen to the .htaccess file? If it's "require all denied" then don't do anything!

...

Or are we stuck on fastcgi for this?


Thanks!
 
What is this require all thing? I have never seen that in my life. What exactly are you trying to do? If your php is being displayed as code then you do not have something set up right. Do you have php enabled on the directadmin user? If not there is a configuration problem.

Try:

Code:
cd /usr/local/directadmin/custombuild
./build rewrite_confs

If you want to restrict access to files you can use mod_access

https://httpd.apache.org/docs/2.0/mod/mod_access.html
 
I said that it returns the PARSED value, not plaintext php code ...
It executes php code, whatever I put in .htaccess!
 
Hello,

Thank you for the report. Please note that you are not using final versions of CB 2.0 or DA 1.33, so there may still be some bugs. I am checking your issue now and the only solution I found now is to use the following in virtual_host2*.conf templates (copy them to /usr/local/directadmin/data/templates/custom):
Code:
cd /usr/local/directadmin/data/templates/custom
cp -p ../virtual_host2*.conf ./

Then edit these files, find:
Code:
|*if HAVE_PHP1_FPM="1"|
        ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://socket=%2fusr%2flocal%2fphp|PHP1_RELEASE|%2fsockets%2f|USER|.sock|DOCROOT|/$1 timeout=300
|*endif|
|*if HAVE_PHP2_FPM="1"|
        ProxyPassMatch ^/(.*\.php|PHP2_RELEASE|(/.*)?)$ fcgi://socket=%2fusr%2flocal%2fphp|PHP2_RELEASE|%2fsockets%2f|USER|.sock|DOCROOT|/$1 timeout=300
|*endif|

Replace with:
Code:
|*if HAVE_PHP1_FPM="1"|
        RewriteRule ^/(.*\.php(/.*)?)$ fcgi://socket=\%2fusr\%2flocal\%2fphp|PHP1_RELEASE|\%2fsockets\%2f|USER|.sock|DOCROOT|/$1 [P,E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
|*endif|
|*if HAVE_PHP2_FPM="1"|
        RewriteRule ^/(.*\.php|PHP2_RELEASE|(/.*)?)$ fcgi://socket=\%2fusr\%2flocal\%2fphp|PHP2_RELEASE|\%2fsockets\%2f|USER|.sock|DOCROOT|/$1 [P,E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
|*endif|

For filenames that have sub in them (subdomain virtualhost templates), use |DOCROOT|/|SUB| instead of just |DOCROOT|.

Now do "./build rewrite_confs" and that's it. I am still looking for another solution, but for now we don't have any other.
 
Doesn't help for me.
Still "File not found".
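To find which vhosts on a server carry the ProxyPassMatch-to-fcgi mapping that the first post shows answering .php requests despite a deny rule in .htaccess, a small audit over the rendered Apache config can help. This is an added example, not part of the thread or of DirectAdmin; the helper name, the sample config, the addresses and the "phpNN" socket path are constructed assumptions.

```python
import re

# Constructed sample of a rendered vhost file; "phpNN" and the addresses are placeholders.
SAMPLE_CONF = r'''
<VirtualHost 192.0.2.10:80>
    ServerName test.org
    DocumentRoot /home/user/domains/test.org/public_html
    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://socket=%2fusr%2flocal%2fphpNN%2fsockets%2fuser.sock/home/user/domains/test.org/public_html/$1 timeout=300
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName static.example
    DocumentRoot /home/user2/domains/static.example/public_html
</VirtualHost>
'''

OPEN = re.compile(r'<\s*(\w+)\b[^>]*>$')
CLOSE = re.compile(r'</\s*(\w+)\s*>$')
FCGI_PROXY = re.compile(r'ProxyPassMatch\s+(\S+)\s+fcgi://', re.I)

def find_fcgi_proxypassmatch(conf_text):
    """Report ProxyPassMatch directives that send .php URLs to fcgi:// from
    server or <VirtualHost> scope (hypothetical helper, not a DirectAdmin tool)."""
    hits, stack, vhost = [], [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if CLOSE.match(line):
            if stack and stack.pop() == 'virtualhost':
                vhost = None
            continue
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1).lower())
            if stack == ['virtualhost']:
                vhost = {'server_name': None, 'docroot': None}
            continue
        if stack not in ([], ['virtualhost']):
            continue  # directives inside nested sections are out of scope here
        name, value = (line.split(None, 1) + [''])[:2]
        if vhost is not None and name.lower() == 'servername':
            vhost['server_name'] = value.strip()
        elif vhost is not None and name.lower() == 'documentroot':
            vhost['docroot'] = value.strip().strip('"')
        m = FCGI_PROXY.match(line)
        if m and '.php' in m.group(1).lower():
            scope = vhost if vhost is not None else {'server_name': None, 'docroot': None}
            hits.append((scope, lineno, m.group(1)))
    # Build results last so a ServerName that follows the directive is still reported.
    return [dict(v, line=n, pattern=p) for v, n, p in hits]
```

Each finding names a document root whose .htaccess access rules should be re-tested with a request for a .php file, the way the first post tested 1.php.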
 