Hello,
After I installed CB 2.0 with PHP-FPM I saw that /var/www/html is handled by ProxyPassMatch, as stated here: http://wiki.apache.org/httpd/PHP-FPM - It's a very good, safe and fast solution to use FPM. That's why I modified the custom virtualhost files and did the same thing for users as well - and I also saw that DA 1.3 will have this feature by default (no more messing with the fastcgi module). Well, that's cool ... but there is a problem!
For example, we have a document-root path: /home/user/domains/test.org/public_html. In this path we have three files: 1.png (a simple image), 1.php (a simple PHP script, <?php phpinfo(); ?>) and .htaccess with contents:
Code:
Require all denied
If we try to access http://test.org/1.png we will have:
Forbidden
You don't have permission to access /1.png on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
That's fine, it's what we want ... but if we try to access http://test.org/1.php we will receive the actual output of that PHP file (parsed data), so ... this could be a major security risk. I've searched on Google for the last 4-5 hours ... didn't find anything. How can I make ProxyPassMatch listen to the .htaccess file? If it's "Require all denied" then don't do anything!
...
Or are we stuck on fastcgi for this?
Thanks!
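
The behaviour described in the post, shown as a weak mapping beside a corrected one. This is an added example, not configuration from the original post or from CB/DA; the backend address 127.0.0.1:9000 is an assumption, the document root is the one quoted above, and it needs httpd 2.4.10 or later with mod_proxy_fcgi.

```apache
# Constructed vhost fragment for test.org (illustration only).
# Assumption: PHP-FPM listens on 127.0.0.1:9000.

# Before: URL-based proxy mapping.
# mod_proxy claims every *.php URL during URL translation, so the request
# is never mapped to the filesystem. <Directory> sections and .htaccess
# files (including "Require all denied") are therefore not applied to it.
#
# ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/home/user/domains/test.org/public_html/$1

# After: handler-based mapping.
# The request is first resolved to a file under the document root, the
# directory walk runs, .htaccess is merged and authorization is checked.
# Only then is the handler invoked, so a denied directory returns 403
# for 1.php exactly as it does for 1.png.
<Directory "/home/user/domains/test.org/public_html">
    # "Require" in .htaccess belongs to the AuthConfig override class.
    AllowOverride AuthConfig

    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
</Directory>
```

After reloading httpd, a request for http://test.org/1.php should return the same 403 Forbidden response as 1.png while the .htaccess above is in place.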