Apache and PHP-FPM security with mod_proxy_fcgi

Question

I use PHP-FPM in a shared hosting configuration. Each FPM pool runs as a different user. Apache runs as www-data. Apache connects via a socket using mod_proxy_fcgi. I allow users to use .htaccess files.

How do I prevent a user from connecting to the wrong FPM pool?

The vhost looks something like this:

<VirtualHost *:80>
        ServerName foo.com
        DocumentRoot /var/www/sites/foo.com/html
        <FilesMatch "\.php$">
                SetHandler "proxy:unix:/var/run/foo-com-fpm.sock|fcgi://localhost"
        </FilesMatch>
</VirtualHost>

But, the foo-com user can easily override that handler from his .htaccess:

<FilesMatch "\.php$">
        SetHandler "proxy:unix:/var/run/bar-com-fpm.sock|fcgi://localhost"
</FilesMatch>

This would allow him to run PHP scripts as a different user. How can I prevent that, without disallowing FileInfo overrides?

Answer 1

AllowOverrideList allows to further restrict .htaccess directives to the specified list.

Quote from the docs:

When this directive is set to None and AllowOverride is set to None, then .htaccessfiles are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem.

Example:

AllowOverride None
AllowOverrideList Redirect RedirectMatch

In the example above, only the Redirect and RedirectMatch directives are allowed. All others will cause an internal server error.

Example:

AllowOverride AuthConfig
AllowOverrideList CookieTracking CookieName

In the example above, AllowOverride grants permission to the AuthConfig directive grouping and AllowOverrideList grants permission to only two directives from the FileInfo directive grouping. All others will cause an internal server error.