1

I recently set up a new webhosting server at work on a Debian Stretch system using Apache 2.4 and PHP7 via proxy_fcgi and php-fpm.

It worked fine in the testing stages, but the first customer is using a Moodle website which makes extensive use of so-called 'slash arguments' (IE, requests to, say, index.php/these/are/parameters/ ).

Following the instructions on moodle's website I tried setting AcceptPathInfo to On, and even tried disabling security_limit_extensions in PHP, but so far nothing seems to be working.

Relevant configs are pasted below. I'm pretty positive I missed something simple somewhere, but I've run out of ideas where to look.

(Note: Regular php works fine; slash arguments do not. When setting cgi.fix_pathinfo to 0 asking for https://www.domain.nl/lib/javascript.php/foo/bar results in "No input file specified"; setting it to 1 results in "No valid Javascript files found" which at least suggests that the script is called but the arguments aren't passed correctly into the proxy...)

Apache:

<VirtualHost *:443>
    ServerName www.domain.nl
    ServerAlias domain.nl new.domain.nl

    DocumentRoot /home/webclients/www.domain.nl/public_html/
    Alias /cgi-bin/ /home/webclients/www.domain.nl/cgi-bin/
    CustomLog /var/log/apache2/www.domain.nl/access.log combined
    ErrorLog /home/webclients/www.domain.nl/logs/error.log
    TransferLog /home/webclients/www.domain.nl/logs/access.log

    ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/domain.sock|fcgi://localhost/home/webclients/www.domain.nl/public_html
    SSLOptions +StdEnvVars

    <IfModule mod_suexec.c>
        SuExecUserGroup domain webclients
    </IfModule>

    <Directory /home/webclients/www.domain.nl/public_html/>
        AllowOverride All
        AcceptPathInfo On
        Require all granted
    </Directory>

    SSLEngine on
    #       LogLevel info
    SSLCertificateFile /etc/ssl/certs/www.domain.nl.pem
    SSLCertificateKeyFile /etc/ssl/private/www.domain.nl.key
    SSLCACertificateFile /etc/ssl/intermediate/intermediate-rapidssl-rsacag1.pem
    # Enable HSTS
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"



</VirtualHost>
# vim:syntax=apache

php-fpm pool file:

[domain]

prefix=/

include=/etc/php/7.0/fpm/pool.d/defaults

php_admin_value[error_log] = /home/webclients/www.domain.nl/logs/php-error.log
php_admin_value[cgi.fix_pathinfo] = 0
security.limit_extensions = 
Shadur
  • 1,297
  • 1
  • 10
  • 20

1 Answers1

0

Found it.

After diving into the code itself to generate better debug info, the problem turned out to be that mod_proxy_fcgi does not by default pass the PATH_INFO server variable along to the client.

A way to fix this is using SetEnvIf:

SetEnvIf REQUEST_URI "^/(.*\.php(/.*)?)$" proxy-fcgi-pathinfo
ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/domain.sock|fcgi://localhost/home/webclients/www.domain.nl/public_html

Stuff is now passing through correctly and the site appears to work.

Shadur
  • 1,297
  • 1
  • 10
  • 20