I have a simple PHP script that outputs a dir listing in XML format. I use it to let a flash slideshow know what files are available to show.
I've just added the flash to a website that's powered by Django and the PHP file is now served up as it is, not parsed.
It's in the directory with the images under my media directory.
The server I use runs plesk so I do my config for each domain in a vhost.conf file (which gets included into the main appache conf I think)
It looks like this:
WSGIScriptAlias / /var/www/vhosts/<domain>/conf/django.wsgi
Alias /media/ /var/www/vhosts/<domain>/httpdocs/media/
I thought this meant that requests for anything under / are passed django to handle.
Except when they are for /media/... then they are served by apache as normal from the specified dir.
That works for the images, but does not parse the PHP file.
What should I do?
Maybe read this thread, and port your PHP script to Python:
os.walk() python: xml representation of a directory structure, recursion
So it turns out the problem was two things, making it hard to find.
Thanks Ignacio Vazquez-Abrams, I had my lines the wrong way around.
Once that was solved, PHP would not serve my file because it was in a dir that was symlinked from outside the allowed path(s). I resolved this by turning off open_basedir restrictions for this vhost. My new vhost.conf is below.
<Directory /var/www/vhosts/<domain>/httpdocs>
php_admin_flag engine on
php_admin_value open_basedir none
</Directory>
Alias /media/ /var/www/vhosts/<domain>/httpdocs/media/
WSGIScriptAlias / /var/www/vhosts/<domain>/conf/django.wsgi
If you have not configured Apache so that it knows that .php files under the '/media' directory should be processed by PHP somehow, they will not be. So, the mod_wsgi configuration is fine, the problem is likely your PHP configuration.
How are you configuring PHP? Are you using mod_php, or PHP via fastcgi? How is Apache configured so that it knows to treat .php files as PHP and for what directories has that configuration been applied to?
The WSGIScriptAlias directive there swallows up URLs meant for Alias. Swap the order.
Related
I already disabled
php_admin_flag engine Off
in /etc/apache2/mods-enabled/php.conf and still PHP files won't work. I've encountered similar problem with SWF files already and the cause was in mime-types. So I suspect that current problem may be related. Still, I don't know how to change mime-type for .php?
It appears it all was because of me trying to run .php files outside DocumentRoot directory, which is /var/www/html meaning it's protected and I would either run IDE (for development) in root mode or change DocumentRoot option.
I have an Apache server with PHP support. I also installed Python with mod_wsgi and with mysql-connector. Besides I installed Django. Now, I want to try to use PHP and Python simultaneously at the server side. The catch is, I worked with PHP for a couple of years and I see that it is becoming less and less popular, so I plan to port some of my PHP-code to Python-code, or just to try it, to see how they work together. So, I now have a site located at C:\Apache\htdocs and I created a first Django project at C:\WebPython\djsite. Inside djsite I have djsite folder and four files _init_.py, settings.py, urls.py and wsgi.py. In my site I want to address both to PHP handlers (or scripts) and to Python scripts, so, I guess, the problem is in how to config httpd.conf. I looked through many forum threads here at stackoverflow and outside, but still I can't make it work. Now, my httpd.conf looks like this:
...
ServerName localhost
<Directory "c:/Apache/htdocs">
Options Indexes FollowSymLinks
</Directory>
<IfModule dir_module>
DirectoryIndex index.html index.htm index.php
</IfModule>
...
You should see this question then:
PHP script inside Django template
It has a link to this:
http://animuchan.net/django_php/
Running PHP with Django would be a mess though.
Hello Like Every Body Else Said Its A terrible idea but Refer To Django Documentation adding this to http.conf on your apache2 and tweek
the wsgi.py file will work
WSGIScriptAlias / /path/to/mysite.com/mysite/wsgi.py
WSGIPythonPath /path/to/mysite.com<Directory /path/to/mysite.com/mysite>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
and change
If multiple Django sites are run in a single mod_wsgi process, all of them will use the settings of whichever one happens to run first. This can be solved by changing:
in wsgi.py, to:
os.environ["DJANGO_SETTINGS_MODULE"] = "{{ project_name }}.settings"
or by using mod_wsgi daemon mode and ensuring that each site runs in its own daemon process.
Fixing UnicodeEncodeError for file uploads
If you get a UnicodeEncodeError when uploading files with file names that contain non-ASCII characters, make sure Apache is configured to accept non-ASCII file names:
export LANG='en_US.UTF-8'
export LC_ALL='en_US.UTF-8'
A common location to put this configuration is /etc/apache2/envvars.
See the Files section of the Unicode reference guide for details.
See More At https://docs.djangoproject.com/en/dev/howto/deployment/wsgi/modwsgi/
I have a file sharing website in the making where I am allowing the visual and function part of pages work. This runs into a problem when I want to allow server side scripting like php pages to be uploaded. This php (etc.) page could easily back link and delete files which I obviously would not want. I have changed the permissions many times to test but this also stops my php files from uploading and renaming files to these folders. I do want to allow these file types but im not sure what I can do.
I was thinking I could do this through .htaccess but I wouldn't know how.
Any suggestions?
I'm not sure, but it sounds like you want to allow arbitrary file uploads (including .PHP scripts) but to prevent any of them from being executed on the server side.
I would recommend creating a file storage directory that is not web-accessible (e.g. put it outside your www-root or use a .htaccess file to limit direct access). Then have your PHP scripts upload to that directory. Create a download script and have download access to those files go through that script, so that e.g. PHP files cannot be invoked remotely.
If I understand correctly from reading comments:
You want users to be able to upload any file. Including code. Including .php, .asp etc.
You want the users to be able to execute this code, but to limit the code to a "sandbox" environment.
Seems to me you should write your files to a specific location, which has its own document root/vhost (http://exec.domain.tld).
On that vhost you could set security, ie:
AllowOverride None # disable rewriting and such
php value disable_functions dl,exec,passthru,system,shell_exec,popen # disable functions
And to top it off (!important) set basedir restrictions to the vhosts document root
<Directory /srv/www/exec.domain.tld/docroot>
php_admin_value open_basedir /srv/www/exec.domain.tld/docroot
</Directory>
I haven't actually set up this environment, but I feel this is your best starting point. And I do think it'll work, if you fix the typo's/parameter name errors i might have made :)
I think it's not about permission, but php execution.
You can turn off php engine on a directory using .htaccess file, like this:
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
My university has multiple servers which have the same data mirrored across them, so I can access for instance
foo.uni.edu/file.php
bar.uni.edu/file.php
The thing is, not all servers have PHP installed, so anyone could possibly download my php files if they made the connection through a server which didn't have PHP installed.
Is there a way, possibly with .htaccess to avoid this? As in, only allow opening PHP files if PHP server is installed?
If it's possible to store files outside of the document root, you could work around the problem by storing all sensitive data outside the docroot. You would then have your publicly accessible scripts use include to access those files.
So, if you upload to /username/public_html, and public_html is your document root (eg, foo.uni.edu/file.php is /username/public_html/file.php), then you would upload to /username/file.php instead and place another script in /username/public_html which merely contains something like include('../file.php');
This is good practice in any case, in case a configuration error on the server ever stops PHP from being parsed.
You could also try using IfModule and FilesMatch to deny access to PHP files if mod_php isn't enabled:
<IfModule !mod_php.c>
<FilesMatch "\.php$">
Order Deny,Allow
Deny from All
</FilesMatch>
</IfModule>
If this doesn't work, try !mod_php5.c instead.
Just very quick question about php.ini file. I created my own on my php.ini file and it works fine if I put it inside my 'public_html' directory. However the problem is it can obviously be viewed in browser through HTTP requests.
So, I am trying to move it outside my 'public_html' directory however it does not seem to work when outside my 'public_html'.
I know I could perhaps set in my .htaccess the following to avoid it being read:
<Files php.ini>
Order allow,deny
Deny from all
</Files>
However I do not want to do this as my php.ini can still get cached by Google if it's in the 'public_html' directory. Is there any suggestions to make it work outside my public_html?
I am running an Apache server. Thanks for any suggestions
You can use the PHPRC environment variable...see the documentation:
http://www.php.net/manual/en/configuration.file.php
It can't get cached by google if you block like that in .htaccess
Two suggestions:
Ensure that Apache can find your php.ini (PHPINIDIR /path/where/php.ini/is/located)
Ensure the file is readable by the webserver user.
How is it that you php.ini came to be in a web server accessible folder? It is the first time I hear of such a situation.
I thought hard on how you managed to do this, and the only answer I came up with is that you created a vhost in php folder. If that is the case, create another vhost out of the php.ini path, and remove the offending vhost. See this post for examples.