Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to set php_flag per-directory using php-fpm?

Tags:

php

php-ini

My problem

I want to turn off the php engine in a specific folder, where users can upload files, but I can't seem to figure it out.

PHP Version: 5.5.26

PHP mode: php-fpm (FastCGI Process Manager)

Apache version: 2.2.29

(Server: Synology DS212j - DSM 5.2)

Anything else you need to know?


What I've tried so far:

Disable from .htaccess-file

This is not supported by php-fpm (and some other modes), it gives a 500 error, logging:

Invalid command 'php_value', perhaps mis-spelled or defined by a module not included in the server configuration.

Per-directory php.ini

I've tried per-directory php.ini-files (putting an additional php.ini-file in the avatars directory), but didn't get that working. PHP never loaded the file. Not sure what I did wrong, I tried naming it both php.ini and .user.ini, neither worked.

Main php.ini section

I also tried using a section in the main php.ini file,

[path=/path/to/secure/dir]
engine = off
max_execution_time = 300

When I did that and ran phpinfo() in a file in the secure dir the max_execution_time was set to 300 (so the file has been reloaded), but the engine was still running (I assume, since the phpinfo() was shown).

php-fpm pools

I've also read about php-fpm pools, but it seems to me that you can only specify pools by domain/vhost, am I wrong?

Edit vhost

I tried disabling it from the vhosts-file (is that what it's called?), in a <Directory /path/to/secure/dir> section as suggested here, but that wasn't supported either.


Extra info

I'm building an application based on Paniques's HUGE. In the .htaccess-file in the upload directory the php engine is turned off (for security reasons), using php_flag engine off.

like image 893
Punchlinern Avatar asked Jul 24 '15 18:07

Punchlinern

2 Answers

Try this .htaccess file:

<Files "*.php">
  SetHandler none
  SetHandler default-handler
  Options -ExecCGI
  RemoveHandler .php
</Files>
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>

Should work both with php-fpm and mod_php.

like image 74
Christopher K. Avatar answered Oct 26 '22 09:10

Christopher K.

You can also do something like this inside any of your httpd.conf files:

<Directory "/path/to/secure/dir">
<Files "*.*">
SetHandler !
</Files>
</Directory>

HTT Hardrain, I got this technique from his answer here: Apache: Disable php in a directory

like image 20
Nick Avatar answered Oct 26 '22 07:10

Nick
Sign in to Comment

Related questions

How to set timeout for Laravel artisan
Tunneling through ngrok strips wordpress site of styles and theme
undefined index for database field
How to inspect a closure in php?
Partially hiding an email address with PHP regex [duplicate]
How to replace one left character from a string?
jQuery to read non-empty and visible text fields
Combine accessor and mutator logic to add custom attributes to a model
missing a temporary folder wordpress upload
MySQL LOAD DATA INFILE "not found (Errcode: 13 - Permission denied)"
Dropzone.js and symfony formbuilder
PHP Define var = one or other (aka: $var=($a||$b);)
Php/OOP How to avoid instances of the same class to access private properties/methods from other objects
Isn't this switch statement a nonsense?
AWS Beanstalk: Exponential backoff for SQS?
Symfony DependencyInjection: How to represent Closure in YAML service definitions?
Smarty templates: How to change the order of blocks in child template?
PHP 5.6, MySQL, SSL and self-signed certificates
Virtual fields with Cakephp 3
when and where do we use session_id()

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!