2

I've got Apache/PHP set up exactly like this: https://wiki.apache.org/httpd/PHP-FPM

It includes the ProxyPassMatch rule as mentioned:

ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/path/to/files/$1

This sends all requests with .php in it to a proxy, and ultimately serves the PHP just fine.
However, I've been trying to do some access control and the proxying seems to take precedence. My folder structure is like this:

/             <-- PHP files
/extra/       <-- PHP files
/css/
/img/

There should be access to the PHP files in the root directory, but I want to restrict access to the extra dir. I've added these lines to my main config:

<Directory "/extra">
    Order deny,allow
    Deny from all
</Directory>

But the PHP files are still executed... When I put a different kind of file in the folder, it is successfully blocked, so the directive works. I'm guessing the ProxyPassMatch rule is prohibiting it from working for PHP files.

I've tried a couple of things, like putting the ProxyPassMatch rule inside a <Directory> block (doesn't work, because you cannot use ProxyPassMatch inside such blocks) and substituting ProxyPassMatch for a RewriteRule with the [P] flag (similar to this: Apache 2.4 + PHP-FPM + ProxyPassMatch, but it didn't get proxied).

My question is almost exactly the same as this one: http://www.gossamer-threads.com/lists/apache/users/417758. However, it did not get a definitive answer.

What confuses me is you need to have the proxy-rule in place, but when you put it in, nothing else seems to matter (.htaccess also does not work anymore). Furthermore, this raises questions about security. Everything with .php in it remains untouched by my fancy access provisions and goes straight through to the system's internals. How can I combine PHP-FPM with proper security rules in Apache?

kasimir

3 Answers

1

With ProxyPassMatch .htaccess files will be ignored completely. Something similar is probably happening with the ignored directives in the main configuration file.

Try using FilesMatch and SetHandler instead, as described in a 2015 answer to the question you already linked to, and this blog post.

Peter Nowee
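
Added example, not part of the answer above: the `FilesMatch`/`SetHandler` setup it refers to, shown next to the question's `ProxyPassMatch` line. It assumes Apache 2.4.10 or later with mod_proxy and mod_proxy_fcgi loaded, and that the restricted directory is `/path/to/files/extra` on disk; `Require all denied` is the 2.4 form of the question's `Order`/`Deny` lines.

```apache
# Assumed layout: site files live under /path/to/files (the path from the
# question's ProxyPassMatch line), PHP-FPM listens on 127.0.0.1:9000.
DocumentRoot "/path/to/files"

# Before (from the question): the request is handed to mod_proxy by URL,
# and <Directory> sections and .htaccess files are not applied to it.
# ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/path/to/files/$1

# After: the URL is first mapped to a file under DocumentRoot, so the
# <Directory> rules below are evaluated, and only then is the .php file
# handed to PHP-FPM through the handler.
<FilesMatch "\.php$">
    SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>

# PHP files in the root stay reachable.
<Directory "/path/to/files">
    Require all granted
</Directory>

# Assumed filesystem location of the question's /extra folder.
# Applies to every file type in it, .php included.
<Directory "/path/to/files/extra">
    Require all denied
</Directory>
```

`apachectl configtest` checks the syntax before a reload, after which a request for a `.php` file under `/extra/` should return 403. Scripts in the root can still `include` files from the denied directory, because the rule only covers HTTP requests.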
0

Put this in front of your ProxyPassMatch

ProxyPass /extra !

If ProxyPass finds /extra is the current folder, ProxyPassMatch will not be used. The ! at the end of the line is important.

See here for more information: ProxyPass

  • 1
    A bit more explanation would improve this answer. – Dave M Aug 31 '14 at 20:22
  • Interesting idea, the Apache docs explain excluding files or directories like this. However, it does not seem to do anything (I've put it right in front of `ProxyPassMatch` and checked the syntax twice). Even so, if it would work, I think the files in `/extra` would never be proxied. That is not what I want, I only want to prohibit direct access. – kasimir Sep 12 '14 at 07:44
0

This is an old question, but it's on the first page when I search for a solution to access control for Apache when using ProxyPass and ProxyPassMatch. So it may help someone else who started here instead of Apache's docs.

The solution is to include a section below the Proxy declarations:

<Proxy "*">
  Require ip 192.168
  Require host example.com
</Proxy>

This is all per the mod_proxy documentation.

Sean Hogge