I have xsendfile module working and files are being served using X-Sendfile header. But somehow files from any folder gets served.
How do I rectrict it so that I can use X-sendfile headers only for specific folders?
I have tried setting XSendFilePath, even then files outside that folder also get sent if I use X-Sendfile header.
This is what I have in my virtualhost section
XSendFile on
XSendFilePath /home/domain/public_html/files
If I use php to send files from /home/domain/public_html/abc using X-Sendfile. It gets sent without any problem. I do not want this. I only want X-Sendfile to work for files within /home/domain/public_html/files.
Try with the XSendFilePath directive
XSendFilePath allow you to add additional paths to some kind of white list. All files within these paths are allowed to get served through mod_xsendfile.
It is imporant the the XSendFilePath directive is in a apache config file context that is relevant to the url you are using, e.g. not within a virtual host section which is not interpreted due your actual virtual host (in your url).
probably and in most configurations, XSendFilePath is used in the main section of apache config file, not in a specific context like virtual host, dolmain, etc.
does this help?
XSendFilePath /tmp
<VirtualHost *>
ServerName www.someserver.com
XSendFilePath /home/userxyz
</VirtualHost>
(first occurance of XSendFilePath -> works globally, second occurance does only work if your php script producting the XSendFile header is called from within domain www.someserver.com)
Related
Actually my project is in WordPress. I'm changing my server from windows to Linux.
After changing this I'm facing this error!
Why isn't my .htaccess supporting the Linux server?
If you're using Apache, you should configure it in order to allow .htaccess files to be executed.
To do so, you can
Create a virtual host, that configures specifically one site. Using a virtual host you can set a domain name, document root, server alias, etc. Also, you can set Allowoverride to All (or other). See AllowOverride
Set your configuration in /etc/apache2/apache2.conf (or /etc/apache2/httpd.conf in some versions). In these files, there is a <Directory "/var/www/" that points to your /var/www/ directory. Inside this Directory tag, you can set AllowOverride to All. Using this configuration, every site on your server will be allowed to use .htaccess.
I recommend to use the Virtual Host that allows a easier and cleaner configuration.
Checkout the comment in .htaccess file, if it starts with // then change it to #
For me this solved the problem, I wish for you too.
I have tried to run php in .html file and failed despite trying all solution suggested here. Someone suggested it maybe because Apache is not setup to accept .htaccess overrides. Maybe that is the reason. Now the question is how do I setup Apache?
To be able to use .htaccess files, the directive AllowOverride must be set for the directory into which you want to put .htaccess files. E.g.:
<Directory "/usr/local/httpd/htdocs">
AllowOverride All
</Directory>
This must be set in the core httpd.conf file of Apache. If you're on a shared host, you likely have no access to that (and that's correct, for security reasons).
My university has multiple servers which have the same data mirrored across them, so I can access for instance
foo.uni.edu/file.php
bar.uni.edu/file.php
The thing is, not all servers have PHP installed, so anyone could possibly download my php files if they made the connection through a server which didn't have PHP installed.
Is there a way, possibly with .htaccess to avoid this? As in, only allow opening PHP files if PHP server is installed?
If it's possible to store files outside of the document root, you could work around the problem by storing all sensitive data outside the docroot. You would then have your publicly accessible scripts use include to access those files.
So, if you upload to /username/public_html, and public_html is your document root (eg, foo.uni.edu/file.php is /username/public_html/file.php), then you would upload to /username/file.php instead and place another script in /username/public_html which merely contains something like include('../file.php');
This is good practice in any case, in case a configuration error on the server ever stops PHP from being parsed.
You could also try using IfModule and FilesMatch to deny access to PHP files if mod_php isn't enabled:
<IfModule !mod_php.c>
<FilesMatch "\.php$">
Order Deny,Allow
Deny from All
</FilesMatch>
</IfModule>
If this doesn't work, try !mod_php5.c instead.
I am working with a colleague to set up their local environment on a MAC in XAMPP, on windows my vhost looks like the one below.
When I access a URL like http://domain.local/cgi-bin/handler.php the web server processes the PHP correctly but on his we get a 500 server error and this message...
The server encountered an internal error and was unable to complete your request.
Error message:
Premature end of script headers:
We tried changing the name of the cgi-bin folder to something else as I noticed there was another alias in httpd.conf but this had no effect...so it seems to me like the issue is permissions related.
We believe the alias is setup ok as accessing http://domain.local/cgi-bin/filenothere.php which doesn't exist throws a 404 as expected, any .html/.pl files fail to execute.
The permissions that exist on the cgi-bin folder are...
rwxrwxrwx dave staff
and is owned by the user and group....
dave staff
Vhost
<VirtualHost *:80>
ServerAdmin webmaster#example.com
ServerName www.domain.local
ServerAlias domain.local
ServerAlias api.domain.local
# Indexes + Directory Root.
DirectoryIndex index.php
DocumentRoot E:/home/www/www.domain.co.uk/htdocs/
# CGI Directory
ScriptAlias /cgi-bin/ E:/home/www/www.domain.co.uk/cgi-bin/
<Location /cgi-bin>
Options +ExecCGI
</Location>
# Logfiles
ErrorLog E:/home/www/www.domain.co.uk/logs/error.log
CustomLog E:/home/www/www.domain.co.uk/logs/access.log combined
</VirtualHost>
Any idea what is causing this PHP file to not be executed?
UPDATE
Tried adding a header to say that the content is PHP to the start of the PHP file and this now simply outputs the PHP code.
It's as if any path specified in as an Alias is accessible but the server doesn't know how to execute the content, this is for HTML as well as PHP
I think you need a section for your cgi-bin.
The fact that your server can show you the script sources means the server has at least read permissions on /file/system/path/to/cgi-bin and IIRC that clashes with ScriptAlias b/c ScriptAlias expects /file/system/path/to/cgi-bin to be unaccessible for security reasons. I think your solution should look something along the lines of:
<Directory /file/system/path/to/cgi-bin>
Options ExecCGI
SetHandler cgi-script
</Directory
There is (very) rarely a need to run PHP scripts as CGIs given that the PHP module for Apache can execute them directly. Try adding this to your Apache config:
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
Afterwards simply place the PHP scripts into the document root for the site and see if they work. You'll want to remove the /cgi-bin/ part of the URL.
You say you're setting XAMMP on a Mac, but you have a drive letter (E:) prefixing your paths. OS X does not have drive letters like Windows, and this may also be causing (part of) your issue.
I don't know much about settings used. But I think you should go through following links. Might get some help.
http://www.sean-barton.co.uk/2009/02/setting-up-a-phpmysql-local-development-environment-on-a-mac-doing-it-properly/
http://docs.joomlabamboo.com/using-joomla/setting-up-a-quick-start-package-on-your-local-server-xampp-pc
http://www.adobe.com/devnet/dreamweaver/articles/setup_php.html
How to create Mac OS X dev environment for legacy PHP app?
Assuming that PHP is running in Safe Mode you may need to "open" your cgi-bin directory, as the execution of user (PHP) scripts is limited to the DocumentRoot and it's subfolders.
For all I know you could do that in two ways
1. Edit your php.ini
Locate the line containing open_basedir. If there's a comment at the beginning of the line - a semicolon - remove it. Then add your cgi-bin directory.
open_basedir = "E:\home\www\www.domain.co.uk\cgi-bin\"
If you need to open more than one directories you can use semicolon ; as a separator. On Linux based server, use a colon :
open_basedir = "E:\home\www\www.domain.co.uk\cgi-bin\;E:\home\www\www.domain.co.uk\another_dir\"
In cases like mine, where your server is hosted by third party, you'd need the second option (well sort of)
2. Edit your VirtualHost
Add the following to your VirtualHost, i.e. after DocumentRoot:
php_admin_value open_basedir "E:\home\www\www.domain.co.uk\cgi-bin\"
Same rules apply here for multiple directories and difference between Linux and Windows systems as above.
Hope that helps
Do you know whether PHP is running as a CGI program or as a webserver module? You should be able to find this out if you can get a phpinfo() page working (maybe from a regular folder inside the website root). If you're running as a webserver module then you should have a section near the top with a heading of Server API which says Apache 2.0 Handler (or equivalent).
From these pages:
https://bugs.php.net/bug.php?id=13316
http://php.net/manual/en/install.unix.commandline.php
http://gallery.menalto.com/node/8955
... it seems that it may be either due to PHP running as a CGI script, or else a conflict between PHP and another CGI handler.
One of the posters on the third linked page found that their similar-sounding end of script headers issue was resolved by removing / commenting out the Options +ExecCGI line in their .htconfig / vhosts file.
Might be worth having a read through the above links to see if your problem is related.
I have a simple PHP script that outputs a dir listing in XML format. I use it to let a flash slideshow know what files are available to show.
I've just added the flash to a website that's powered by Django and the PHP file is now served up as it is, not parsed.
It's in the directory with the images under my media directory.
The server I use runs plesk so I do my config for each domain in a vhost.conf file (which gets included into the main appache conf I think)
It looks like this:
WSGIScriptAlias / /var/www/vhosts/<domain>/conf/django.wsgi
Alias /media/ /var/www/vhosts/<domain>/httpdocs/media/
I thought this meant that requests for anything under / are passed django to handle.
Except when they are for /media/... then they are served by apache as normal from the specified dir.
That works for the images, but does not parse the PHP file.
What should I do?
Maybe read this thread, and port your PHP script to Python:
os.walk() python: xml representation of a directory structure, recursion
So it turns out the problem was two things, making it hard to find.
Thanks Ignacio Vazquez-Abrams, I had my lines the wrong way around.
Once that was solved, PHP would not serve my file because it was in a dir that was symlinked from outside the allowed path(s). I resolved this by turning off open_basedir restrictions for this vhost. My new vhost.conf is below.
<Directory /var/www/vhosts/<domain>/httpdocs>
php_admin_flag engine on
php_admin_value open_basedir none
</Directory>
Alias /media/ /var/www/vhosts/<domain>/httpdocs/media/
WSGIScriptAlias / /var/www/vhosts/<domain>/conf/django.wsgi
If you have not configured Apache so that it knows that .php files under the '/media' directory should be processed by PHP somehow, they will not be. So, the mod_wsgi configuration is fine, the problem is likely your PHP configuration.
How are you configuring PHP? Are you using mod_php, or PHP via fastcgi? How is Apache configured so that it knows to treat .php files as PHP and for what directories has that configuration been applied to?
The WSGIScriptAlias directive there swallows up URLs meant for Alias. Swap the order.