Server Bug Fix: Access denied trying for PHP fpm status page

Original Source Link

I’m running PHP 7.3 FPM and nginx. In my pool config I have

pm.status_path = /fpmstatus

I have nginx config in place to call out to php for that URL. But when I access that path I get an Access Denied.

The logs say:

Access to the script ‘/var/www/mysite.com/fpmstatus’ has been denied (see security.limit_extensions)

As I understand, what’s happening is that PHP is refusing to “run the script” called fpmstatus because it doesn’t end in .php.

But I’m confused because I believe it was previously working, and because the comments in the config file for setting the status path suggest not including .php in the name. I don’t want to turn off security.limit_extensions. And surely with the /fpmstatus path being internal, it should be excempt from these extensions?

EDIT

I tried setting the status path to /fpmstatus.php but this just gives a “No input file specified.” error. Seems like fpm is not responding to the configured status page?

The nginx config that applies is:

location = /fpmstatus.php {
    access_log off;
    allow 127.0.0.1;
    deny all;
  fastcgi_param  SCRIPT_FILENAME    $document_root/fpmstatus.php;
  fastcgi_param  QUERY_STRING       $query_string;
  fastcgi_param  REQUEST_METHOD     $request_method;
  fastcgi_param  CONTENT_TYPE       $content_type;
  fastcgi_param  CONTENT_LENGTH     $content_length;

  fastcgi_param  SCRIPT_NAME        $document_root/fpmstatus.php;
  fastcgi_param  PATH_INFO          $fastcgi_path_info;
  fastcgi_param  REQUEST_URI        $request_uri;
  fastcgi_param  DOCUMENT_URI       $document_uri;
  fastcgi_param  DOCUMENT_ROOT      $document_root;
  fastcgi_param  SERVER_PROTOCOL    $server_protocol;
  fastcgi_param  REQUEST_SCHEME     $scheme;
  fastcgi_param  HTTPS              $https if_not_empty;

  fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
  fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

  fastcgi_param  REMOTE_ADDR        $remote_addr;
  fastcgi_param  REMOTE_PORT        $remote_port;
  fastcgi_param  SERVER_ADDR        $server_addr;
  fastcgi_param  SERVER_PORT        $server_port;
  fastcgi_param  SERVER_NAME        $server_name;

  # PHP only, required if PHP was built with --enable-force-cgi-redirect
  fastcgi_param  REDIRECT_STATUS    200;

    fastcgi_pass myupstream;
  }

I can get it working if I set cgi.fix_pathinfo=1 in /etc/php/7.3/fpm/php.ini but is there a way to get it working with that set to 0?

Tagged : /

Leave a Reply

Your email address will not be published. Required fields are marked *