Score:2

Apache with HTTP/2 and per-directory upload_max_filesize

cn flag

I just upgraded my apache2 server on Debian 9.13 Stretch to start using HTTP/2. As far as I'm concerned, that requires switching from mod_php to PHP-FPM.

The problem is that PHP-FPM does not obey certain Apache directives from .htaccess. For instance, I've been using php_value upload_max_filesize 900M in an .htaccess file in the upload directory, to increase the file size and other related parameters like max_execution_time and post_max_size at a finer grain than the global php.ini file allows.

These are some of the alternatives I already tried:

  1. Using PHP's ini_set() method: post_max_size and upload_max_filesize are applied before my script is started.
  2. Using .user.ini override files: less than ideal, since it would require restricting the upload of .ini files in every single place that allows uploading (I can use a <Files> filter to disable read access, but not uploading).
  3. Renaming the .user.ini file to SOME_SCRAMBLED_TEST.ini and adding a Require all denied for such files: dangerous, since a single PHP scandir() in the wrong place may reveal my secured-by-obscurity config.
  4. Changing it in the php.ini file: I would take this as the last option; I prefer to have a rather high upload size than to allow users to upload a .user.ini file that screws my server.

Is there any other alternative to use HTTP/2 and have a secure server that allows uploads?

djdomi avatar
za flag
use the apache config directly to limit it?
Juan C. Roldán avatar
cn flag
Hi @djdomi, thanks for your answer! Could you please elaborate? Do you mean setting it up in the VirtualHost?
Score:0
cn flag

After two days of work, I managed to have this running.

First, forbid the dangerous .user.ini default of reading it in every single directory:

# an empty user_ini filename disables its usage.
user_ini.filename =

Then, enable it only for the desired directory in the apache2.conf file located in /etc/apache2 (and disable reading those files). We can do this by using SetEnv inside a Directory filter:

<Directory /path/to/upload/directory>
        SetEnv PHP_VALUE "user_ini.filename = .user.ini"
        <Files ".user.ini">
                Require all denied
        </Files>
</Directory>

Then, at the /path/to/upload/directory, create a .user.ini file with your required configuration:

post_max_size = 2048M
upload_max_filesize = 2048M
max_execution_time = 10
max_input_time = 10

This way you can have a per-directory .user.ini without enabling it for the whole server.

djdomi avatar
za flag
He was faster than me :)
Juan C. Roldán avatar
cn flag
@djdomi work pressure :) thanks for the hint!
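As an added example (not the original poster's configuration, nor anything from the Debian or PHP projects), here is how the pieces of the answer above fit into one Debian-style HTTPS vhost: the global php.ini default that disables .user.ini, the per-directory re-enable through SetEnv PHP_VALUE, the deny rule for the override file, and, going one step beyond the answer, a deny rule that stops uploaded PHP files in the same directory from being executed. The ServerName, DocumentRoot, certificate paths, the /var/www/example/uploads directory and the php7.0-fpm socket name are all assumptions chosen for illustration.

```apache
# Added example, not the original poster's configuration. Every path,
# host name and socket name below is an assumption for illustration.

# --- /etc/php/7.0/fpm/php.ini (assumed PHP 7.0 path on Stretch) ---
# Global default: no .user.ini lookup anywhere. An empty value disables it.
#   user_ini.filename =

# --- /etc/apache2/sites-available/example.conf (assumed file name) ---
<VirtualHost *:443>
    ServerName   example.test                   # assumption
    DocumentRoot /var/www/example               # assumption

    # HTTP/2 needs mod_http2 and a threaded MPM (event); that is why the
    # question moved from mod_php to PHP-FPM in the first place.
    Protocols h2 http/1.1

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/cert.pem   # assumption
    SSLCertificateKeyFile /etc/ssl/example/key.pem    # assumption

    # Hand .php files to PHP-FPM over its unix socket via mod_proxy_fcgi.
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost"
    </FilesMatch>

    <Directory /var/www/example>
        Require all granted
        # With PHP-FPM the php_value directives in .htaccess are ignored
        # anyway, so do not consult .htaccess at all.
        AllowOverride None
    </Directory>

    # Upload directory: the only place where .user.ini is honoured.
    # mod_proxy_fcgi forwards SetEnv variables to PHP-FPM as FastCGI params,
    # and PHP-FPM applies PHP_VALUE on every request before it looks for
    # the per-directory file, so the override is scoped to this path.
    <Directory /var/www/example/uploads>
        SetEnv PHP_VALUE "user_ini.filename = .user.ini"

        # Never serve the override file itself to a client.
        <Files ".user.ini">
            Require all denied
        </Files>

        # Uploaded content must never run as code: refuse any request for
        # a PHP-looking file in here, so a stray upload.php is unreachable
        # rather than executed by the FPM handler declared above.
        <FilesMatch "\.ph(p|tml|ar)[0-9]*$">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>

# --- /var/www/example/uploads/.user.ini ---
# post_max_size bounds the whole request body, so it must be at least as
# large as upload_max_filesize or the file limit is capped by it; PHP
# reports an empty $_FILES when the body exceeds post_max_size.
#   post_max_size       = 2048M
#   upload_max_filesize = 2048M
#   max_input_time      = 10
#   max_execution_time  = 10
```

After editing, run `apachectl configtest` and reload; a change to php.ini needs a restart of the php7.0-fpm service (assumed unit name), since user_ini.filename is a system-level setting that the pool reads at startup.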