Score:1

configuring apache to not serve php files statically unless php-fpm is configured

Tom

I have an Apache 2.4 configuration section that I use to handle the rare situation where a misconfigured Apache box could serve php files as static plain text, and potentially give up credentials etc.

<IfModule !mod_php5.c>
  <IfModule !mod_php7.c>
    <Files "*.php">
        Require all denied
    </Files>
  </IfModule>
</IfModule>

Those directives check whether the php module is present, and if neither of them is found, the pages won't be served.

However, in the current build of httpd 2.4 for centos-8, php-fpm is the default method of configuring a handler for php, and it doesn't load any module for php:

<IfModule !mod_php5.c>
  <IfModule !mod_php7.c>
    # Enable http authorization headers
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

    <FilesMatch \.(php|phar)$>
        SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
    </FilesMatch>
  </IfModule>
</IfModule>

Unfortunately, the proxy_fcgi module is auto loaded by httpd so it's not useful as an indication of php-fpm being configured (or not):

[root@web httpd]# rpm -q --whatprovides /usr/lib64/httpd/modules/mod_proxy_fcgi.so
httpd-2.4.37-39.module_el8.4.0+778+c970deab.x86_64

According to the doc there is a HANDLER variable:

HANDLER The name of the handler creating the response

... which should return one of the built-in handlers:

default-handler: Send the file using the default_handler(), which is the handler used by default to handle static content. (core)
send-as-is: Send file with HTTP headers as is. (mod_asis)
cgi-script: Treat the file as a CGI script. (mod_cgi)
imap-file: Parse as an imagemap rule file. (mod_imagemap)
server-info: Get the server's configuration information. (mod_info)
server-status: Get the server's status report. (mod_status)
type-map: Parse as a type map file for content negotiation. (mod_negotiation)

However, my attempts at matching against it are not successful, e.g. this is not working:

<FilesMatch \.(php|phar)$>
  <If "%{HANDLER} == 'default-handler'">
    Require all denied
  </If>
</FilesMatch>

Any suggestions appreciated.

Edit

I dumped the value of the variable %{HANDLER} with php-fpm both installed and not installed, like so:

<IfModule headers_module>
    Header  always set X-HANDLER "expr=%{HANDLER}"
</IfModule>

and it returned the following headers:

X-HANDLER: text/plain     # no php-fpm

X-HANDLER: proxy:unix:/run/php-fpm/www.sock|fcgi://localhost     # with php-fpm

so I updated the test to this:

<IfModule !mod_php5.c>
  <IfModule !mod_php7.c>
    <If "%{HANDLER} == 'text/plain'">
      <Files "*.php">
          Require all denied
      </Files>
    </If>
  </IfModule>
</IfModule>

However, that is not working either.
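Whatever configuration ends up in place, it is worth verifying the result from the outside rather than from the directives. The following probe is an added example (not code from the original post): it classifies the response to a .php URL as denied (what the Files block above aims for), executed by PHP, or leaked as source (the static-file fallthrough the post is guarding against). The URL, the function names and the sample responses are assumptions constructed for this example.

```python
"""Classify how a web server answers a request for a .php file.

Added example, not part of the original post. Outcomes:
  'denied'   - 401/403, the Files/Require block is doing its job
  'executed' - 200 without PHP source in the body (handled by PHP)
  'leaked'   - PHP source tags present in the body (served statically)
  'other'    - anything else (redirect, 404, 5xx, ...)
"""
import re
import sys
import urllib.error
import urllib.request

# An opening PHP tag in the body is the tell-tale sign of unexecuted source.
# The closing tag '?>' alone is not used because executed pages may legitimately
# emit it (e.g. an XML declaration), so it would cause false positives.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")


def classify(status, body):
    """Map an HTTP status code and response body (bytes) to one outcome."""
    if status in (401, 403):
        return "denied"
    if PHP_OPEN_TAG.search(body):
        # Source reached the client regardless of the Content-Type Apache chose
        # (the post observed text/plain for the static fallthrough).
        return "leaked"
    if status == 200:
        return "executed"
    return "other"


def probe(url, timeout=5, max_bytes=65536):
    """Fetch url and classify it; 4xx/5xx responses are classified too."""
    req = urllib.request.Request(url, headers={"User-Agent": "php-leak-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(max_bytes))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read(max_bytes))


# Constructed sample responses (assumed, for offline use), one per outcome.
SAMPLES = {
    "denied": (403, b"<html><body><h1>Forbidden</h1></body></html>"),
    "executed": (200, b"<html><body>Hello from PHP</body></html>"),
    "leaked": (200, b"<?php\n$db_pass = 'example-secret';\n"),
}


if __name__ == "__main__":
    # Usage: python php_leak_check.py http://web.example/test.php (assumed URL)
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: <url>")
```

Run it against a deliberately placed test.php after changing the configuration; any result other than denied or executed means the file can be read as text.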
