Posted to users@httpd.apache.org by Patrik Peng <pa...@hostpoint.ch> on 2022/10/06 11:49:23 UTC

[users@httpd] Apache PHP-FPM Integration with mod_proxy_fcgi and multiple Users

Hi there

I'm trying to create a multi user setup with Apache/2.4.54, 
mod_proxy_fcgi and PHP-FPM on a FreeBSD machine.
I already got a working solution with php-fpm running and the following 
config in the user's .htaccess:

---8<---
<If "%{REQUEST_FILENAME} =~ /\.php$/ && -f %{REQUEST_FILENAME}">
   SetHandler "proxy:unix:/var/run/php-fpm/user1-php81.sock|fcgi://user1"
</If>
---8<---

But now there's the issue, that user1 can edit his htaccess file to 
something like this:

SetHandler "proxy:unix:/var/run/php-fpm/user2-php81.sock|fcgi://user2"

and run his PHP code with a different user. How can I prevent this?

  * Denying the usage of "SetHandler/AddHandler" in .htaccess and moving
    the above config into the virtualhost config would not be desired
    as there are lots of pre-existing user installations using these
    directives in their installations.

  * Changing the permissions on the fpm unix socket doesn't work as
    apache always accesses it with its www user.

Maybe someone can help me further.

Regards,
Patrik


Re: [users@httpd] Apache PHP-FPM Integration with mod_proxy_fcgi and multiple Users

Posted by Daniel Ferradal <df...@apache.org>.
On Fri, 7 Oct 2022 at 12:11, Patrik Peng
(<pa...@hostpoint.ch>) wrote:
>
> On 06.10.22 16:03, Frank Gingras wrote:
> > The only solution is to remove the FileInfo override, and merge all
> > the changes in your vhost. Users should not be allowed to override the
> > vhost configuration.
> >
> > Yes, that means they also cannot add their own mod_rewrite recipes,
> > but that is a good thing.
>
> Thanks for the quick responses.
>
> I'm sorry, I may be misunderstanding but doesn't that break all kinds of
> CMS applications?
> WordPress contains rewrite rules in its default htaccess file or also a
> simple nextcloud installation contains e.g. "SetEnvIfNoCase" which both
> will stop working.
>

It may be tedious work but it does not break anything if you integrate
them in virtualhost. It pays off to do things right, although it may
take some more time.


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat



Re: [users@httpd] Apache PHP-FPM Integration with mod_proxy_fcgi and multiple Users

Posted by Patrik Peng <pa...@hostpoint.ch>.
On 06.10.22 16:03, Frank Gingras wrote:
> The only solution is to remove the FileInfo override, and merge all 
> the changes in your vhost. Users should not be allowed to override the 
> vhost configuration.
>
> Yes, that means they also cannot add their own mod_rewrite recipes, 
> but that is a good thing.

Thanks for the quick responses.

I'm sorry, I may be misunderstanding but doesn't that break all kinds of 
CMS applications?
WordPress contains rewrite rules in its default htaccess file or also a
simple nextcloud installation contains e.g. "SetEnvIfNoCase" which both 
will stop working.


Re: [users@httpd] Apache PHP-FPM Integration with mod_proxy_fcgi and multiple Users

Posted by Frank Gingras <th...@apache.org>.
The only solution is to remove the FileInfo override, and merge all the
changes in your vhost. Users should not be allowed to override the vhost
configuration.

Yes, that means they also cannot add their own mod_rewrite recipes, but
that is a good thing.

On Thu, 6 Oct 2022 at 09:07, William Edwards <we...@cyberfusion.nl>
wrote:

>
> On 6 Oct 2022 at 13:50, Patrik Peng <pa...@hostpoint.ch> wrote:
>
> 
>
> Hi there
>
> I'm trying to create a multi user setup with Apache/2.4.54, mod_proxy_fcgi
> and PHP-FPM on a FreeBSD machine.
> I already got a working solution with php-fpm running and the following
> config in the user's .htaccess:
>
> ---8<---
> <If "%{REQUEST_FILENAME} =~ /\.php$/ && -f %{REQUEST_FILENAME}">
>   SetHandler "proxy:unix:/var/run/php-fpm/user1-php81.sock|fcgi://user1"
> </If>
> ---8<---
>
> But now there's the issue, that user1 can edit his htaccess file to
> something like this:
>
> SetHandler "proxy:unix:/var/run/php-fpm/user2-php81.sock|fcgi://user2"
>
> and run his PHP code with a different user. How can I prevent this?
>
>    - Denying the usage of "SetHandler/AddHandler" in .htaccess and moving
>    the above config into the virtualhost config would not be desired
>    as there are lots of pre-existing user installations using these
>    directives in their installations.
>
>    - Changing the permissions on the fpm unix socket doesn't work as
>    apache always accesses it with its www user.
>
> Maybe someone can help me further.
>
>
> You already have the solution. What do you need help with? :D
>
> Regards,
> Patrik
>
>
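
Added example (not part of the original thread or any poster's code): a small Python audit for the situation discussed above. It flags .htaccess handler lines that point at a PHP-FPM socket other than the owner's, and lists the FileInfo-class directives a file uses, i.e. what would have to be merged into the vhost before the override is removed. The function name, the directive subset and the sample files are assumptions made here; the socket naming follows the paths quoted in the thread.

```python
import re

# Subset (not exhaustive) of directives that need "AllowOverride FileInfo".
FILEINFO = {"sethandler", "addhandler", "rewriteengine", "rewritebase",
            "rewritecond", "rewriterule", "setenvif", "setenvifnocase",
            "errordocument", "header", "redirect", "redirectmatch"}
PROXY_SOCKET = re.compile(r"proxy:unix:([^|\"\s]+)", re.IGNORECASE)

def audit_htaccess(text, owner):
    """Return (foreign_sockets, fileinfo_directives) for one user's .htaccess."""
    # Naming scheme from the thread: /var/run/php-fpm/<user>-php81.sock
    own = re.compile(r"/var/run/php-fpm/" + re.escape(owner) + r"-php\d+\.sock")
    foreign, used = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":      # comments, <If>/<IfModule> tags
            continue
        directive = line.split(None, 1)[0].lower()
        if directive in FILEINFO:
            used.add(directive)
        if directive in ("sethandler", "addhandler"):
            # Any unix-socket proxy target that is not the owner's is reported.
            for path in PROXY_SOCKET.findall(line):
                if not own.fullmatch(path):
                    foreign.append((lineno, path))
    return foreign, sorted(used)

# Constructed samples: a WordPress-style file, and the edit from the thread.
SAMPLE_OK = """\
<If "%{REQUEST_FILENAME} =~ /\\.php$/ && -f %{REQUEST_FILENAME}">
   SetHandler "proxy:unix:/var/run/php-fpm/user1-php81.sock|fcgi://user1"
</If>
RewriteEngine On
RewriteRule . /index.php [L]
"""
SAMPLE_BAD = 'SetHandler "proxy:unix:/var/run/php-fpm/user2-php81.sock|fcgi://user2"\n'

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_htaccess(text, "user1"))
```

A scan like this only reports the state of the files at the time it runs, so it supports the move to vhost configuration rather than replacing it. Directives split across lines with a trailing backslash are not joined by this sketch.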

Re: [users@httpd] Apache PHP-FPM Integration with mod_proxy_fcgi and multiple Users

Posted by William Edwards <we...@cyberfusion.nl>.
> On 6 Oct 2022 at 13:50, Patrik Peng <pa...@hostpoint.ch> wrote:
> 
> 
> Hi there
> 
> I'm trying to create a multi user setup with Apache/2.4.54, mod_proxy_fcgi and PHP-FPM on a FreeBSD machine.
> I already got a working solution with php-fpm running and the following config in the user's .htaccess:
> 
> ---8<---
> <If "%{REQUEST_FILENAME} =~ /\.php$/ && -f %{REQUEST_FILENAME}">
>   SetHandler "proxy:unix:/var/run/php-fpm/user1-php81.sock|fcgi://user1"
> </If>
> ---8<---
> But now there's the issue, that user1 can edit his htaccess file to something like this:
> 
> SetHandler "proxy:unix:/var/run/php-fpm/user2-php81.sock|fcgi://user2"
> and run his PHP code with a different user. How can I prevent this?
> 
> Denying the usage of "SetHandler/AddHandler" in .htaccess and moving the above config into the virtualhost config would not be desired
> as there are lots of pre-existing user installations using these directives in their installations.
> 
> Changing the permissions on the fpm unix socket doesn't work as apache always accesses it with its www user.
> Maybe someone can help me further.
> 

You already have the solution. What do you need help with? :D

> Regards,
> Patrik
>