Clever Geek Handbook

Php-fpm - How to execute specific symbolic links as PHP scripts

I am running Apache 2.2 with FastCGI and php-fpm. I am trying to duplicate the following logic:

<FilesMatch "^(admin|api|app)?(_dev)?$">
    #ForceType application/x-httpd-php
    SetHandler php-fcgi
</FilesMatch>

Which allows me to link to admin.php as admin, so I can remove the .php extension. It seems the only way to do this with php-fpm is to set security.limit_extension

in the file www.conf

to empty, however, as the comments show, this is a pretty serious security hole as this php code can now be executed from any file regardless of its extension.

What would be the preferred way to accomplish the above while still maintaining some semblance of security?

+3


source to share


2 answers


@Mike, based on your updated answer, something similar to this file .htaccess

should be able to handle what you are trying to do:

# Enable the rewrite engine
RewriteEngine on
# Set the rewrite base path (i.e. if this .htaccess will be running at root context "/" or a subdir "/path")
RewriteBase /

# If the file exists, process as usual.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .* - [NC,L]

# If the dir exists, process as usual (if you don't need this, just comment/remove the next two lines).
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule .* - [NC,L]

# If (requested_file_name).html exists, rewrite to that file instead.
RewriteCond %{REQUEST_FILENAME}\.html -f
RewriteRule ^(.*)$ $1.html [QSA,L]

# If (requested file name).php exists, rewrite to that file instead.
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.html [QSA,L]

# If none of the above rules were triggered, fallback to index.php.
RewriteRule ^(.*)$ index.php [QSA,L]


With a little tweak, it will have to do the job without having to dive into the httpd.conf

and <VirtualHost>

and directives <FilesMatch>

. Hope this helps.

+1


source


It seems like the best solution at the moment is to add the known symlinks to the list (located in / etc / php -fpm.d / www.conf):

security.limit_extension php admin admin_dev api api_dev app app_dev

Not sure if the security.limit_extension directive can even accept a regular expression, it doesn't seem like that, so it's about as good as it gets. As the OP mentioned, you still have to support the filesmatch directive in your vhost config:

<FilesMatch "^(admin|api|app)?(_dev)?$">
    SetHandler php-fcgi
</FilesMatch>


- Update -

In the tftd comments, adding the current rewrite directive:

RewriteBase /

# we skip all files with .something
RewriteCond %{REQUEST_URI} \..+$
RewriteCond %{REQUEST_URI} !\.html$
RewriteRule .* - [L]

# we check if the .html version is here (caching)
RewriteRule ^$ index.html [QSA]
RewriteRule ^([^.]+)$ $1.html [QSA]
RewriteCond %{REQUEST_FILENAME} !-f

# no, so we redirect to our front web controller
RewriteRule ^(.*)$ index.php [QSA,L]
+2


source






More articles:


All Articles