Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The "PHP-FPM" page has been changed by thumbs: https://wiki.apache.org/httpd/PHP-FPM?action=diff&rev1=8&rev2=9 Comment: Clarify the simple recipes towards the end and fix links to non-existent wiki pages `</FilesMatch>` - === Example === + === This is too much text / I'm falling asleep reading this / Just tell me how to do it already === - Say you want to be able to conjure up the standard php info page listing all compiled-in and loaded extensions, and all runtime configuration options and script info. + ==== Very simple example ==== - We first create a file, info.php, by running the following: + If you're interested into the proof of concept and want to leave the tweaking for later, you can use the following recipe. It'll conjure up the standard php info page listing all compiled-in and loaded extensions, and all runtime configuration options and script info. - `echo "<?php phpinfo() ?>" > /var/www/info.php` + First, create a file, /var/www/info.php containing: - NOTE: you may need to do this as `root`, depending on the permissions set on /var/www. I assume /var/www is the documentroot of an existing vhost; this is the case on most major distributions. + `<?php phpinfo() ?>` + + The assumption is that /var/www is the '''[[http://httpd.apache.org/docs/current/mod/core.html#documentroot|DocumentRoot]]''' of an existing vhost. Inside this vhost, add the following line: `ProxyPassMatch ^/info$ fcgi://127.0.0.1:9000/var/www/info.php` - Reload apache with `apachectl graceful` and you can now call up the phpinfo page using http://your-vhost/info + Reload apache with `apachectl graceful` and you can now call up the phpinfo page using `http://example.com/info` This is a very simple example, mapping one unique URL to a single PHP file. 
+ ==== A more flexible example ==== + - In case you want to proxy '''all''' `.php` files in your vhost to the fcgi server using their real php file locations, you can use a more flexible match: + To proxy '''all''' `.php` files in your vhost to the fcgi server using their real php file locations, you can use a more flexible match: `ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/var/www/$1` - Again, assuming `/var/www` is the documentroot of the vhost in question. + Again, assuming `/var/www` is the '''[[http://httpd.apache.org/docs/current/mod/core.html#documentroot|DocumentRoot]]''' of the vhost in question. - __Don't forget to restart apache after making any changes to a vhost or other configuration file. You can use apachectl restart or apachectl graceful.__ + Reload apache with `apachectl graceful` and you can now call up the phpinfo page using `http://example.com/yourscript.php` === Performance and Pitfalls === @@ -190, +194 @@ === Caveats === - One might be tempted to point out that a greedy ProxyPassMatch directive might allow some malicious content uploaded by a HTTP client to be served. + One might be tempted to point out that a greedy '''[[http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxypassmatch|ProxyPassMatch]]''' directive might allow some malicious content uploaded by a HTTP client to be served. This is by no means a comprehensive security document, but instead will point out a possible injection vector that could be generated from the directives in this document. @@ -200, +204 @@ Would lead php-fpm to process that file (/uploads/malicious.jpg), and without certain sanity check, possibly lead to a compromised server. - This, of course, is not recommended. Content uploaded using php should be saved safely outside the DocumentRoot, and the pathinfo should be scrutinized. + This, of course, is not recommended. 
Content uploaded using php should be saved safely outside the '''[[http://httpd.apache.org/docs/current/mod/core.html#documentroot|DocumentRoot]]''', and the pathinfo should be scrutinized. Additionally, php-fpm should check if the script being invoked is allowed. - If such restrictions cannot be implemented easily, then checks could be performed prior to proxying with a RewriteCond or FallbackResource to ensure that the URI is not altered by the HTTP client. + If such restrictions cannot be implemented easily, then checks could be performed prior to proxying with a '''[[http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond|RewriteCond]]''' or '''[[http://httpd.apache.org/docs/current/mod/mod_dir.html#fallbackresource|FallbackResource]]''' to ensure that the URI is not altered by the HTTP client.
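
Review bot: In the "A more flexible example" part of the first hunk, the added reload sentence is carried over from the simple recipe and still says "you can now call up the phpinfo page" while pointing at `http://example.com/yourscript.php`; with the `^/(.*\.php)$` match it should say that any .php script under /var/www is now reachable at its own path. In the simple recipe, "interested into the proof of concept" should read "interested in". Since the recipe text itself says the page lists all runtime configuration options, a sentence telling readers to remove info.php and the `^/info$` mapping once the test succeeds would fit right after the reload step.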
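
Review bot: The changed Caveats sentence in the -190/+194 hunk keeps "a HTTP client", which should be "an HTTP client" now that the line is being touched. "One might be tempted to point out" also undersells what the following context line calls a possible injection vector; saying directly that a greedy ProxyPassMatch can pass client-uploaded content to php-fpm would read more clearly.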
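
Review bot: The last changed line in the -200/+204 hunk now links RewriteCond and FallbackResource but still does not show the check itself, and the context line "php-fpm should check if the script being invoked is allowed" names no setting. A short configuration snippet for the pre-proxy check, plus the name of the php-fpm option meant here (presumably security.limit_extensions), would make the caveat actionable. In the first context line, "without certain sanity check" should be "without certain sanity checks".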