4

I am running Apache 2.2 with FastCGI and php-fpm. I am trying to duplicate the following logic:

<FilesMatch "^(admin|api|app)?(_dev)?$">
    #ForceType application/x-httpd-php
    SetHandler php-fcgi
</FilesMatch>

Which allows me to symlink admin.php as admin, so I can remove the .php extension. It seems the only way to do this with php-fpm is to set security.limit_extensions in the www.conf file to empty; however, as the comments indicate, this is a pretty big security hole, in that PHP code can now be executed from within any file, regardless of extension.

What would be the preferred way to accomplish the above, but still maintain some semblance of security?

2 Answers

2

Looks like the best solution so far is to manually add the known symlinks to the list (located in /etc/php-fpm.d/www.conf):

security.limit_extensions = .php admin admin_dev api api_dev app app_dev

Not sure if the security.limit_extensions directive can even take a regex, doesn't look like it, so this is about as good as it gets. As mentioned in the OP, you will still have to maintain the FilesMatch directive in the vhost config as well:

<FilesMatch "^(admin|api|app)?(_dev)?$">
    SetHandler php-fcgi
</FilesMatch>

-- Update --

Per the comments by tftd, adding current rewrite directive:

RewriteBase /

# we skip all files with .something
RewriteCond %{REQUEST_URI} \..+$
RewriteCond %{REQUEST_URI} !\.html$
RewriteRule .* - [L]

# we check if the .html version is here (caching)
RewriteRule ^$ index.html [QSA]
RewriteRule ^([^.]+)$ $1.html [QSA]
RewriteCond %{REQUEST_FILENAME} !-f

# no, so we redirect to our front web controller
RewriteRule ^(.*)$ index.php [QSA,L]
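
As an added illustration (not part of the original answer): php-fpm treats each security.limit_extensions value as a suffix of the script path, so bare names such as admin or app also match other files whose names end that way. This Python audit lists files under a document root that the pool would accept but that are not intended front controllers; the sample tree, file names and helper function names are constructed for the example.

```python
import os
import tempfile

def fpm_allows(path, limit_extensions):
    """Model of php-fpm's check: accept a script when its path ends with a listed value."""
    if not limit_extensions:      # an empty setting disables the check entirely
        return True
    return any(len(path) > len(ext) and path.endswith(ext)
               for ext in limit_extensions)

def unexpected_scripts(docroot, limit_extensions, intended):
    """Files under docroot that php-fpm would accept but that are neither
    .php files nor one of the intended extensionless front controllers."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            if name.endswith(".php") or rel in intended:
                continue
            if fpm_allows(full, limit_extensions):
                hits.append(rel)
    return sorted(hits)

def build_sample_docroot():
    """Constructed sample tree: front controllers, symlinks and an upload directory."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    for rel in ("admin.php", "api.php", "index.php",
                os.path.join("uploads", "avatar.png"),
                os.path.join("uploads", "notes_admin"),   # name ends in "admin"
                os.path.join("uploads", "mobileapp")):    # name ends in "app"
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("")
    os.symlink("admin.php", os.path.join(root, "admin"))
    os.symlink("api.php", os.path.join(root, "api"))
    return root

if __name__ == "__main__":
    root = build_sample_docroot()
    setting = ".php admin admin_dev api api_dev app app_dev".split()
    for rel in unexpected_scripts(root, setting, intended={"admin", "api"}):
        print("accepted by php-fpm but not intended:", rel)
```

Any path the audit reports should be renamed, moved out of the document root, or kept away from the php-fcgi handler by the web server configuration.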

6 Comments

Just out of curiosity - why don't you simply use mod_rewrite instead of FilesMatch?
@tftd: I'm open to suggestions, I'm not sure how mod_rewrite would be written so that it would serve a symlink as if it were php code?
Well, from what I understand, you're probably trying to do MVC/SEO links - i.e. /admin/something would silently redirect the request to /admin.php?page=something in the background as if that was the original request. If that's the case, you might find this link useful: garajau.com.br/blog/2013/12/…
@tftd: Thanks for the info, however I am still on httpd v2.2. Also I am not trying to convert /admin.php?page=something, I am trying to just remove the .php extension so either /admin.php and /admin will work. It's based off the SF framework which has certain rewrite rules in place, and the FilesMatch directive was the only way to get it to work.
I see, well in that case, you can do it by using something similar to this rewrite: RewriteCond %{REQUEST_FILENAME} !-f (new line) RewriteRule ^(.*)$ $1.php [L]. This will rewrite all requests of non-existing files to end with .php. Example: /test will be rewritten as /test.php. If you want specific files to be rewritten, change the RewriteRule to: RewriteRule ^(admin|api|app)$ $1.php.
1

@Mike, based on your updated answer, something similar to this .htaccess file should be able to handle what you're trying to do:

# Enable the rewrite engine
RewriteEngine on
# Set the rewrite base path (i.e. if this .htaccess will be running at root context "/" or a subdir "/path")
RewriteBase /

# If the file exists, process as usual.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .* - [NC,L]

# If the dir exists, process as usual (if you don't need this, just comment/remove the next two lines).
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule .* - [NC,L]

# If (requested_file_name).html exists, rewrite to that file instead.
RewriteCond %{REQUEST_FILENAME}\.html -f
RewriteRule ^(.*)$ $1.html [QSA,L]

# If (requested_file_name).php exists, rewrite to that file instead.
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php [QSA,L]

# If none of the above rules were triggered, fallback to index.php.
RewriteRule ^(.*)$ index.php [QSA,L]

With a bit of tweaking this should be able to do the job without the need to dive into httpd.conf or the <VirtualHost> and <FilesMatch> directives. Hope this helps.

3 Comments

Thx dude, I'll give it a shot. I tried to implement the rewrite rules but had no success, granted the ones I tried weren't like the ones you proposed, so maybe yours will work.
Yeah, I know what you mean... I myself have spent countless hours debugging and figuring out why a rewrite rule isn't working properly.
Going to go ahead and select your answer, as I believe this will work, just don't have time to try it out right now.
