htaccess folder protection + php7.0-fpm/fastcgi : .php files still accessible


I’ve setup a small droplet with php7.0-fpm/fastcgi, apache 2.4 on a Ubuntu 14.04. Everything runs smoothly, except one small detail :

The thing is I want to protect a folder via a classic .htaccess protection, nothing fancy.

But, if I go to “my-droplet-ip/my-protected-folder/my-file.php”, I still can access it, even with an htaccess configured.

If I go to “my-droplet-ip/my-protected-folder”, the login/pass prompt shows up like expected. Same normal behavior for “my-droplet-ip/my-protected-folder/a-file.(html/png/ini…)”

I’ve read many things, like the fact that fastcgi could “process” php files before htaccess, but I can’t really figure why/how.

Any idea?




Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.


Short story, don’t use :

ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://$1

to handle php files with FastCGI, because it seems that ProxyPassMatch directives are evaluated before the .htaccess.

Better use :

<FilesMatch \.php$>
    SetHandler "proxy:fcgi://"

More details over there.