Secure config for Apache2.4 + PHP-FPM?



Very rusty with PHP and Apache so hopefully this will be an easy question. The Apache Wiki has a page on setting up PHP-FPM with Apache 2.4, but the specified ProxyPassMatch method of forwarding requests for .php files to the php-fpm module is insecure. Is there a standard/canonical setup that is secure?


It’s not insecure anymore. There’s a new config parameter for php-fpm (since 5.3.9),
security.limit_extensions, that defaults to ‘.php’ so php-fpm will only run files with these extensions. It won’t run the .jpg in that example.

Answered By – troseman

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave A Reply

Your email address will not be published.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More