We Keep Coding

Apache FallbackResource Configuration

I am trying to port a PHP application from Windows IIS to Linux (Debian) with Apache web server (v2.4). I successfully changed my Document Root to /code/wwwroot, and am using the config file /etc/apache2/sites-available/000-default.conf instead of .htaccess for my configuration (in the Apache 2.4 docs it says to use the config files in /etc/apache2/sites-available if you have access to server configuration files, which I do). This is what I am using for my configuration:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /code/wwwroot
<Directory /code/wwwroot>
Options Indexes FollowSymLinks
AllowOverride None
FallbackResource /start.php
</Directory>
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
This works almost exactly how I would expect. When files found in /code/wwwroot/ are requested, they are served. If the file/path requested does not exist, start.php is run and returned. For example, if my request is localhost/gadgasd.html, etc, it internally redirects to start.php. However, for files with .php extensions that do not exist in Document Root, I am getting 404's. For example, if the request is localhost/gadgasd.php, I get a 404 directly from Apache (I was hoping to handle 404's in my code rather than Apache). This behavior is strictly limited to files with .php extensions that do not exist in Document Root. I am very confused about this behavior. I have setup the correct packages for using php with apache (apt-get install -y php libapache2-mod-php) and the FallbackResource rule works for all other file extensions. What am I doing wrong? Thanks in advance!

This appears to be a bug in Apache and has an open issue tracker here. There is also a workaround provided.
EDIT: In case the link ever dies, the workaround is to use the old mod_rewrite approach as follows:
RewriteEngine On
RewriteCond /var/www/%{REQUEST_FILENAME} !-f
RewriteCond /var/www/%{REQUEST_FILENAME} !-d
RewriteRule (.*) start.php

The problem comes from the fact that the default mod_php configuration (/etc/apache2/mods-enabled/phpX.conf) doesn't appear to check if the file exists before passing the request to the PHP handler. This can easily be added by changing:
<FilesMatch ".+\.ph(ar|p|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
to
<FilesMatch ".+\.ph(ar|p|tml)$">
<If "-f %{REQUEST_FILENAME}">
SetHandler application/x-httpd-php
</If>
</FilesMatch>
<FilesMatch/> doesn't appear to check if the file exists like you might expect, this means all requests that end with .php, .phtml and .phar are blindly passed to the php handler.
It's worth noting that this might have a performance impact as Apache must have to check on disk if the file is there but I would speculate that the difference would be negligible in almost all cases.

Apache restrict file access to specific extensions, and allow directory index file to work also

I have been searching for a solution to this problem, but none of the suggestions seem to apply to my problem.
I have an apache webserver running with a few virtual sites, i manage them with webmin, and i am trying to secure the /var/www directory, which is the root of the site i am managing. What i would like is to have apache only serve php, html, jpg, css, js, gif and so on, common file types. That works fine, but my problem is that i have someone accessing the root directory http://example.com/ and apache is set up to use index.php in this case, with the the DirectoryIndex setting. This does not work, i get a 403 Forbidden error, if i put the full patch like http://example.com/index.php it works fine.
This is the apache config, for the site :
DocumentRoot "/var/www/"
<Directory "/var/www/">
allow from all
Options +Indexes
</Directory>
<FilesMatch "\.*$">
deny from all
</FilesMatch>
<FilesMatch "\.(png|jpg|gif|css|php|html|js)$">
allow from all
</FilesMatch>
DirectoryIndex index.php
How would i go about allowing access to the index.php that is reached when not actually putting it in the url ?

Try changing your files match patterns to:
<FilesMatch "\.(png|jpg|gif|css|php|html|js)$">
allow from all
</FilesMatch>
<FilesMatch "\.(?<!png|jpg|gif|css|php|html|js)$">
deny from all
</FilesMatch>

php file content is displayed insted of parsed

This must be a simple errror...
I have certain php files in a Drupal site. I can execute them from inside Drupal, but when I need to execute some of them when I submit a form, I get "You don't have permission...". I added a .htaccess file in teh specific directory with this content
<FilesMatch "test\.php$">
Satisfy Any
Allow from all
</FilesMatch>
Now I am able to access the file, but the browser display the content instead of parsing it.
What am I doing wrong?

Seems like php is not enabled in that directory. Enable it by AddType
<FilesMatch "test\.php$">
Satisfy Any
Allow from all
AddType text/html .php .phps
</FilesMatch>

Thanks for all relplies.
It turned out that Drupal create a .htacces file in my directory with the following code after one of their security updates:
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
Options None
Options +SymLinksifOwnerMatch
</Files>
That was the cause of the problem.

browser downloads php file from apache web server

I have an apache web server. Let's say this server's domain is example.com.
When I access example.com, then the index.php file is correctly displayed in the browser.
However, when I access e.g. example.com/~user, then the index.php file of /home/user/public_html/index.php file is downloaded rather than displayed.
How do I fix this problem? I changed "expose_php = Off" in php.ini, but nothing has changed.

If you are on Debian/Ubuntu take a look at this file /etc/apache2/mods-available/php5.conf
mine looks like this and you can see I had to comment some line to get PHP working in the user dir
<IfModule mod_php5.c>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>
# To re-enable php in user directories comment the following lines
# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
# prevents .htaccess files from disabling it.
#<IfModule mod_userdir.c>
# <Directory /home/*/public_html>
# php_admin_value engine Off
# </Directory>
#</IfModule>
</IfModule>
Please note that after editing the file you would have to restart apache for the modifications to take effect, the command to restart apache on a debian based system is: /etc/init.d/apache2 restart

Hope this saves someone else the headache. I know this question is old, but it still comes up when searching for this problem.
I'm not sure if this works across all installations of apache2, but I am running apache2 on ubuntu and had the problem of my web browser downloading files instead of displaying the correct index file.
The problem lies in the file /etc/apache2/mods-enabled/dir.conf
The default document setting here was overriding what I had set in /etc/apache2/httpd.conf
So just open up /etc/apache2/mods-enabled/dir.conf and change the order of the files listed.
:)

I've had a similar experience - some php files working OK, but others seem to have the raw php code downloaded.
In my case, it was due to the broken files using the short tag format of <? and ?>. This is not recommended, and you may find the default php.ini has this support forced off. With support off, the php code is sent down to the browser as if it was HTML.
If you can't avoid short tags (as in my case - a whole legacy codebase using short tags), then you can set it to be allowed in php.ini:
short_open_tag = On

Disable PHP in directory (including all sub-directories) with .htaccess

I'm making a website which allows people to upload files, html pages, etc... Now I'm having a problem. I have a directory structure like this:
-/USERS
-/DEMO1
-/DEMO2
-/DEMO3
-/etc... (every user has his own direcory here)
-index.php
-control_panel.php
-.htaccess
Now I want to disable PHP, but enable Server-side includes in the direcories and subdirectories inside /USERS
Can this be done (and if so, how)?
I use WAMP server

Try to disable the engine option in your .htaccess file:
php_flag engine off

To disable all access to sub dirs (safest) use:
<Directory full-path-to/USERS>
Order Deny,Allow
Deny from All
</Directory>
If you want to block only PHP files from being served directly, then do:
1 - Make sure you know what file extensions the server recognizes as PHP (and dont' allow people to override in htaccess). One of my servers is set to:
# Example of existing recognized extenstions:
AddType application/x-httpd-php .php .phtml .php3
2 - Based on the extensions add a Regular Expression to FilesMatch (or LocationMatch)
<Directory full-path-to/USERS>
<FilesMatch "(?i)\.(php|php3?|phtml)$">
Order Deny,Allow
Deny from All
</FilesMatch>
</Directory>
Or use Location to match php files (I prefer the above files approach)
<LocationMatch "/USERS/.*(?i)\.(php3?|phtml)$">
Order Deny,Allow
Deny from All
</LocationMatch>

If you're using mod_php, you could put (either in a .htaccess in /USERS or in your httpd.conf for the USERS directory)
RemoveHandler .php
or
RemoveType .php
(depending on whether PHP is enabled using AddHandler or AddType)
PHP files run from another directory will be still able to include files in /USERS (assuming that there is no open_basedir restriction), because this does not go through Apache. If a php file is accessed using apache it will be serverd as plain text.
Edit
Lance Rushing's solution of just denying access to the files is probably better

<Directory /your/directorypath/>
php_admin_value engine Off
</Directory>

This will display the source code instead of executing it:
<VirtualHost *>
ServerName sourcecode.testserver.me
DocumentRoot /var/www/example
AddType text/plain php
</VirtualHost>
I used it once to enable other co-worker to have read access to the source code from the local network (just a quick and dirty alternative).
WARNING !:
As Dan pointed it out sometime ago, this method should never be used in production. Please follow the accepted answer as it blocks any attempt to execute or display php files.
If you want users to share php files (and let others to display the source code), there are better ways to do it, like git, wiki, etc.
This method should be avoided! (you have been warned. Left it here for educational purposes)

None of those answers are working for me (either generating a 500 error or doing nothing). That is probably due to the fact that I'm working on a hosted server where I can't have access to Apache configuration.
But this worked for me :
RewriteRule ^.*\.php$ - [F,L]
This line will generate a 403 Forbidden error for any URL that ends with .php and ends up in this subdirectory.
#Oussama lead me to the right direction here, thanks to him.

If you use php-fpm, the php_admin_value will NOT work and gives an Internal Server Error.
Instead use this in your .htaccess. It disables the parser in that folder and all subfolders:
<FilesMatch ".+\.*$">
SetHandler !
</FilesMatch>

This might be overkill - but be careful doing anything which relies on the extension of PHP files being .php - what if someone comes along later and adds handlers for .php4 or even .html so they're handled by PHP. You might be better off serving files out of those directories from a different instance of Apache or something, which only serves static content.

On production I prefer to redirect the requests to .php files under the directories where PHP processing should be disabled to a home page or to 404 page. This won't reveal any source code (why search engines should index uploaded malicious code?) and will look more friendly for visitors and even for evil hackers trying to exploit the stuff.
Also it can be implemented in mostly in any context - vhost or .htaccess.
Something like this:
<DirectoryMatch "^${docroot}/(image|cache|upload)/">
<FilesMatch "\.php$">
# use one of the redirections
#RedirectMatch temp "(.*)" "http://${servername}/404/"
RedirectMatch temp "(.*)" "http://${servername}"
</FilesMatch>
</DirectoryMatch>
Adjust the directives as you need.

I use in Centos 6.10 for multiple folders in virtual host .conf definitioin file:
<DirectoryMatch ^/var/www/mysite/htdocs/(nophpexecutefolder1|nophpexecutefolder2)>
php_admin_value engine Off
</DirectoryMatch>
However, even though it doesn't parse php code the usual way it still outputs from a .php things such as variable declarations and text when doing echo e.g.
<?php
echo "<strong>PHP CODE EXECUTED!!";
$a=1;
$b=2;
echo $a+$b;
The above produces in web browser?
PHP CODE EXECUTED!!"; $a=1; $b=2; echo $a+$b;
This could potentially expose some code to users which isn't ideal.
Therefore, it's probably best to use the above in combination with the following in .htaccess:
<FilesMatch ".*.(php|php3|php4|php5|php6|php7|php8|phps|pl|py|pyc|pyo|jsp|asp|htm|html|shtml|phtml|sh|cgi)$">
Order Deny,Allow
Deny from all
#IPs to allow access to the above extensions in current folder
# Allow from XXX.XXX.XXX.XXX/32 XXX.XXX.XXX.XXX/32
</FilesMatch>
The above will prevent access to any of the above file extensions but will allow other extensions such as images, css etc. to be accessed the usual way. The error when accessing .php:
Forbidden
You don't have permission to access /nophpexecutefolder1/somefile.php on this server.

<Files *.php>
Order deny,Allow
Deny from all
</Files>