httpd-users mailing list archives

Subject [users@httpd] A very strange "minor" issue with PHP-FPM with Apache 2.4 (security, privacy related)
Date Sat, 21 Mar 2015 02:01:28 GMT
Dear Apache HTTP Server community,

A few months ago, I finally switched over my PHP from using mod_php to PHP-FPM. I have it
mostly working, except for one very annoying thing that I hope you can help me with.

For my test vhost, I have a config that has a lot of RewriteRules and ends with this:

RewriteRule ^/(.*\.php)$ fcgi://$1

This works. If I access:
then Apache does the rewriting and ends up sending a test.php to PHP-FPM, which parses it.

The only problem I have is that if I request a non-existent PHP file, such as:
then Apache still sends this request to PHP-FPM, which proceeds to display a plain "File not
found." message, telling anyone from the public who checks a made-up.php file on my domain
that I:

* Run PHP.
* Use PHP-FPM.

Obviously, I do not want to send over control to PHP-FPM if the final file requested doesn't
actually exist on the server. So I added this RewriteCond, hoping that it would solve exactly

RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^/(.*\.php)$ fcgi://$1

However, if I restart Apache HTTP Server (2.4) and load
then I will get a blank page. No output at all. No errors logged anywhere (no Apache error
log, no PHP-FPM log, no PHP log). Please note that only that RewriteCond was added, in an
attempt to make the "send this to PHP-FPM" not trigger unless the file requested (or determined
after all the normal RewriteConds) actually exists.

I'm very confused now. Why is it behaving like this? It doesn't add up to me. Please tell
me what's wrong.

PS: If you wonder why I don't use ProxyPassMatch or something (which the official PHP-FPM
guide tells you to use), it's because of "some sort of problems" that I cannot remember anymore.
I think it was related to the RewriteRules or something. The official guide on PHP-FPM with
Apache is very naive in my opinion. It assumes that you use no RewriteRules or anything, which
I consider crucial.
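
Added example, not part of the original message: a small Python check that compares the 404 a vhost returns for a missing static file with the 404 it returns for a missing .php file, and lists what only the .php path reveals. The two responses are constructed samples, and the X-Powered-By header and its version value are assumptions used for illustration.

```python
# Constructed sample responses (not captured from any real server).
# Assumed shape: the vhost's own 404 for a missing static file, and the
# 404 produced when a missing .php file is still handed to PHP-FPM.
STATIC_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head>"
    "<body><h1>Not Found</h1></body></html>\n"
)
PHP_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "X-Powered-By: PHP/0.0.0\r\n"  # placeholder version, assumption
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "File not found.\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def disclosure_findings(static_raw, php_raw):
    """List what the missing-.php response reveals beyond the static 404."""
    s_status, s_headers, s_body = parse_response(static_raw)
    p_status, p_headers, p_body = parse_response(php_raw)
    findings = []
    if p_body.strip() == "File not found.":
        findings.append("body: PHP-FPM default 'File not found.' text")
    elif p_body != s_body:
        findings.append("body: differs from the static 404 page")
    if p_status != s_status:
        findings.append(f"status: {p_status} vs {s_status}")
    for name in sorted(set(p_headers) - set(s_headers)):
        findings.append(f"header only on .php path: {name}: {p_headers[name]}")
    return findings

if __name__ == "__main__":
    for finding in disclosure_findings(STATIC_404, PHP_404):
        print(finding)
```

An empty result means both paths answer identically, which is the state the message is trying to reach.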
