htaccess folder protection + php7.0-fpm/fastcgi : .php files still accessible

February 14, 2016


I've set up a small droplet with php7.0-fpm/fastcgi and Apache 2.4 on Ubuntu 14.04.
Everything runs smoothly, except one small detail:

The thing is I want to protect a folder via a classic .htaccess protection, nothing fancy.

But if I go to "my-droplet-ip/my-protected-folder/my-file.php", I can still access it, even with an .htaccess configured.

If I go to "my-droplet-ip/my-protected-folder", the login/pass prompt shows up as expected.
Same normal behavior for "my-droplet-ip/my-protected-folder/a-file.(html/png/ini...)"

I've read many things, like the fact that fastcgi could "process" php files before .htaccess, but I can't really figure out why/how.

Any idea?



1 Answer


Short story, don't use:

ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://$1

to handle php files with FastCGI, because it seems that ProxyPassMatch directives are evaluated before the .htaccess.

Better to use:

<FilesMatch \.php$>
    SetHandler "proxy:fcgi://"
</FilesMatch>

More details over there.
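
Added example (not part of the original question or answer): a small audit that scans Apache configuration text for active ProxyPassMatch rules pointing at an fcgi:// backend, the pattern the answer says is evaluated before .htaccess, and lists SetHandler "proxy:...fcgi://" lines separately. The sample vhost, its paths and the 127.0.0.1:9000 backend address are constructed placeholders, and `audit_php_routing` is a hypothetical helper name.

```python
import re

# Constructed sample vhost (not from the original post). It contains both the
# ProxyPassMatch rule and the FilesMatch/SetHandler form, to show that adding
# the handler is not enough if the old proxy rule is left in place.
SAMPLE_CONF = r"""<VirtualHost *:80>
    DocumentRoot /var/www/html
    # old rule, disabled:
    # ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/var/www/html/$1
    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/$1
    <FilesMatch \.php$>
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
</VirtualHost>
"""

# ProxyPassMatch <regex> fcgi://...  (either argument may be quoted)
PROXY_RE = re.compile(
    r'^\s*ProxyPassMatch\s+"?(\S+?)"?\s+"?fcgi://', re.IGNORECASE)
# SetHandler "proxy:fcgi://..." or "proxy:unix:/path|fcgi://..."
HANDLER_RE = re.compile(
    r'^\s*SetHandler\s+"?proxy:\S*fcgi://', re.IGNORECASE)


def audit_php_routing(conf_text):
    """Return (risky, handlers).

    risky    -- [(line_no, url_regex)] for active ProxyPassMatch -> fcgi rules
    handlers -- [line_no] for SetHandler proxy:...fcgi:// lines
    Commented-out directives are ignored.
    """
    risky, handlers = [], []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = PROXY_RE.match(line)
        if match:
            risky.append((line_no, match.group(1)))
        elif HANDLER_RE.match(line):
            handlers.append(line_no)
    return risky, handlers


if __name__ == "__main__":
    risky, handlers = audit_php_routing(SAMPLE_CONF)
    for line_no, url_regex in risky:
        print(f"line {line_no}: ProxyPassMatch {url_regex} -> fcgi "
              "(check that .htaccess auth still applies to these URLs)")
    for line_no in handlers:
        print(f"line {line_no}: SetHandler proxy:fcgi form")
```

After changing the configuration, confirm the result by requesting a .php file in the protected folder without credentials and checking for a 401 response.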
