When researching how to use php-fpm with mod_proxy, you get lots of code like this:
<FilesMatch \.php$>
# Apache 2.4.10+ can proxy to unix socket
SetHandler "proxy:unix:/var/run/php/php5.6-fpm.sock|fcgi://localhost/"
</FilesMatch>
I've also seen configurations where you use define to name a variable to use in AddHandler and SetHandler
Define php5-fpm "proxy:unix:/var/run/php-fpm/www.sock|fcgi://localhost"
AddHandler ${php5-fpm} .php
However, I've yet to find a way to make a new named handler, as opposed to a placeholder variable. I've yet to find a way to make a new handler named application/x-httpd-php
For example, we have a number of applications with .htaccess files with blocks like this:
<Files foo_php_file>
SetHandler application/x-httpd-php
</Files>
To change a file named foo_php_file to be run as a PHP script. Instead of having to change every one of these .htaccess files to use a ${php5-fpm} or ${php-fpm} define, I'd like to be able to create the application/x-httpd-php so the .htaccess files can be used as is.
Is there a way to make a new named handler like this, so an fpm fastcgi setup can be backwards compatible with old .htaccess files that expected mod_php?
Related
What can i do to stop Apache execute code in files that have .php prepended before extension ex: .php.txt , php.pdf , i do not know if this is related to webuzo admin panel n/or apache in general ?
Apache version 2.2.34
Opened thread on webuzo forum ,if anyone else has this issue , it might be related :
https://www.softaculous.com/board/index.php?tid=17642
This is reasonably standard behaviour - files can have multiple extensions on Apache. (As they can on other OS / filesystems.)
However, this behaviour can be avoided.
Whether files that end in .php.txt or .php.pdf are processed for PHP is dependent on how PHP is enabled on the server.
For example, if you simply use AddHandler then any file that contains a .php extension (like .php.txt) will be processed by the PHP handler:
AddHandler application/x-httpd-php .php
However, if you only call SetHandler on the specific file pattern, ie. when .php occurs at the end of the filename, then this behaviour can be avoided.
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
NB: This is not a copy/pastable solution - it really depends on how PHP is implemented on your Apache web server.
Depending on your requirements you could potentially block requests to files that contain a .php extension, but not at the end of the URL-path. For example:
<FilesMatch "\.php\.">
Order Allow,Deny
Deny from all
</FilesMatch>
NB: This is Apache 2.2 syntax (as stated in the question). If you are on Apache 2.4 then you'd use Require all denied instead of the Order and Deny directives in the last block.
I want my shared web server to process ".ncs" files just like ".php" files.
I know this can be easily done by adding an entry in Apache Handler. Ref: http://php.net/manual/en/security.hiding.php
But as I have mentioned that I am using shared hosting, any changes made by me on Apache Handler will not work. Those lists are just for reference. I opened a ticket in my website provider's support panel and they told me that I should use .htaccess file for that. But I am unable to understand that how I may use .htaccess file to process .ncs files just like .php files.
You need to use a AddType handler on the htaccess of the root of your server:
AddType application/x-httpd-php .ncs
BUT if you're running PHP as CGI, you need to use AddHandler too:
AddType application/x-httpd-php .ncs
AddHandler application/x-httpd-php .ncs
I am setting up a couple of PHP documents that include .cfg for configuration files, .tpl for template structure files, .dlf for document layout files, .dbh for database connections and so on.
Now they're called .tpl.php, .dlf.php etc. But do they need to have the .php extension as well?
If not are there any extensions I shouldn't be using? like .exe for executables.
From Hiding PHP on PHP.net:
Another tactic is to configure web servers such as apache to parse different filetypes through PHP, either with an .htaccess directive, or in the apache configuration file itself. You can then use misleading file extensions:
# Make PHP code look like unknown types
AddType application/x-httpd-php .bop .foo .133t
So you can add a .htaccess rule that would mean that your server treats .tpl, .dlf etc as if they were PHP files, like so:
AddType application/x-httpd-php .tpl .dlf .dbh
However, if you are just using include or require, it doesn't matter what extension you use:
include "inc/template.tpl";
require "inc/database.dbh";
require_once("inc/config.ext.php.url.tpl.cfg");
You can change server config to enterpret other file extensions as PHP
In Apache you can add to this:
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
if you include the files, then any extension will do:
in script.php:
include 'includes/foo.inc';
include 'inlcudes/bar.whatever';
will all work
I am creating a dummy handler for .php and .html files called helloworld. The handler contains this:
static int helloworld_handler(request_rec *r){
ap_rprintf(r, "hello world!");
return OK;
}
I have got this in apache2.conf:
<Directory /var/www/html>
AddHandler helloworld .php .html
</Directory>
The handler "helloworld" is working for .html files, but it is not working for .php files. I think it is mostly because the default php handler overrides the helloworld handler for .php files. How do I make "helloworld" handler work for .php files?
If there is any extra information required please ask.
You might want to try SetHandler instead
<FilesMatch \.php$>
SetHandler helloworld
</FilesMatch>
SetHandler will remove any previously set handler. To get the option for your handler to run first then run the default PHP handler when your handler returns DECLINE you need to set yours first, then add PHP
<FilesMatch \.html$>
SetHandler helloworld .html
</FilesMatch>
<FilesMatch \.php$>
SetHandler helloworld .php
AddHandler php5-script .php
</FilesMatch>
Note that this has the effect of clearing any handlers previously setup for .html files
You can only have one handler handle any file type per request. If you always want the PHP interpreter to run first and then your handler to run second you could consider AddOutputFilter directive.
Most phases are terminated by the first module that handles them; however, for logging, `fixups', and non-access authentication checking, all handlers always run (barring an error).
Apache API reference
AddOutputFilter docs
You need to restart your Apache server after adding handler.
Check also if extension will actually be interpreted by the server the way you want it to work. You can check that sort of info from system admin of your hosting provider. Many sysadmins disable some features to improve security.
I have an apache web server. Let's say this server's domain is example.com.
When I access example.com, then the index.php file is correctly displayed in the browser.
However, when I access e.g. example.com/~user, then the index.php file of /home/user/public_html/index.php file is downloaded rather than displayed.
How do I fix this problem? I changed "expose_php = Off" in php.ini, but nothing has changed.
If you are on Debian/Ubuntu take a look at this file /etc/apache2/mods-available/php5.conf
mine looks like this and you can see I had to comment some line to get PHP working in the user dir
<IfModule mod_php5.c>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>
# To re-enable php in user directories comment the following lines
# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
# prevents .htaccess files from disabling it.
#<IfModule mod_userdir.c>
# <Directory /home/*/public_html>
# php_admin_value engine Off
# </Directory>
#</IfModule>
</IfModule>
Please note that after editing the file you would have to restart apache for the modifications to take effect, the command to restart apache on a debian based system is: /etc/init.d/apache2 restart
Hope this saves someone else the headache. I know this question is old, but it still comes up when searching for this problem.
I'm not sure if this works across all installations of apache2, but I am running apache2 on ubuntu and had the problem of my web browser downloading files instead of displaying the correct index file.
The problem lies in the file /etc/apache2/mods-enabled/dir.conf
The default document setting here was overriding what I had set in /etc/apache2/httpd.conf
So just open up /etc/apache2/mods-enabled/dir.conf and change the order of the files listed.
:)
I've had a similar experience - some php files working OK, but others seem to have the raw php code downloaded.
In my case, it was due to the broken files using the short tag format of <? and ?>. This is not recommended, and you may find the default php.ini has this support forced off. With support off, the php code is sent down to the browser as if it was HTML.
If you can't avoid short tags (as in my case - a whole legacy codebase using short tags), then you can set it to be allowed in php.ini:
short_open_tag = On