By: zx987

php-fpm security.limit_extension issue

March 16, 2015 34.1k views
PHP Linux Basics Joomla Server Optimization Debian

I run Nginx + php5-fpm with Ajenti on Debian. This is the issue error.log gives me on one of the websites:

2015/03/16 10:44:03 [error] 1487#0: *95 FastCGI sent in stderr: "Access to the script '/srv/test/index.php/author-login' has been denied (see security.limit_extensions)" while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: xxx.xx, request: "GET /index.php/author-login HTTP/1.1", upstream: "fastcgi://unix:/var/run/ajenti-v-php-fcgi-test2-php-fcgi-0.sock:", host: "xxx.xxx", referrer: "xxx.xxx"

How can I repair security.limit_extensions?

4 comments
  • Looks like it is trying to append your request to index.php.

  • If you uncomment the following line (in www.conf) (or append it to the config file for your php-fpm pool):

    security.limit_extensions = .php .php3 .php4 .php5
    

    and just add the necessary extensions.

    To allow all extensions just leave the space after it blank:

    security.limit_extensions = 
    

    Then restart php-fpm and you should be good to go.

  • Thanks for this @tomearl98. Fixed my issue!

    Note, for Ubuntu users - the file is:

    /etc/php5/fpm/php-fpm.conf
    
  • This is an extremely insecure solution. The problem is to do with pathinfo, not the extensions. If you fix the pathinfo, then it will work.

    Turning off the extensions limit will allow (if applicable) things like uploaded images that have PHP in them to be executed.

    This isn't to say you should entirely rely on extensions limits, and not protect the upload path though.

5 Answers

FPM's security.limit_extensions setting is used to limit the extensions of the main script it will be allowed to parse. It prevents malicious code from being executed. The default value is simply .php. It can be configured in /etc/php5/fpm/pool.d/www.conf.

Though your issue likely is elsewhere. The first thing I would check is that the cgi.fix_pathinfo setting in your /etc/php5/fpm/php.ini file is set to:

cgi.fix_pathinfo=0

See our tutorial on setting up Nginx and PHP for more info.

by Justin Ellingwood
A LEMP stack (Linux, Nginx, MySQL, and PHP) is a powerful set of software that can be configured to serve dynamic sites and web apps from your server. In this guide, we will discuss how to install a LEMP stack on an Ubuntu 14.04 server.

Just to add a simple fix for problems I was having. Mine was a small mistake in the nginx config that made PHP-FPM try and deal with all the files (.js, .jpg, etc.).
This was because I had

location / {

All I had to do was change this so FPM only dealt with PHP files:

location ~ /.*\.php$ {

Hi, I have the same problem.
I have a server configured as in another tutorial (Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 14.04 Droplet).
My Joomla sites show "Access Denied" only for the frontend if php.ini has cgi.fix_pathinfo=0.
With cgi.fix_pathinfo=1 everything works fine.

What can I do?
Thanks for the help.

Using PHP-FPM

If I set

cgi.fix_pathinfo=0

then I get an access denied message from ownCloud, and I could not make it work by uncommenting

security.limit_extensions = .php .php3 .php4 .php5 .php7

So I had to go back to cgi.fix_pathinfo=1.
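Added example, not part of the original thread: a small Python triage script for the nginx error.log message quoted in the question. It separates denials where the path info was left attached to the script path (the comment about pathinfo) from denials where a non-PHP file was routed to PHP-FPM (the `location /` answer). The split regex and all sample lines except the first are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import Counter

# Message PHP-FPM writes to stderr, as recorded in nginx's error.log.
DENIED = re.compile(
    r"Access to the script '(?P<script>[^']+)' has been denied "
    r"\(see security\.limit_extensions\)"
)
# Assumption: the split pattern commonly given to fastcgi_split_path_info.
SPLIT = re.compile(r"^(?P<script>.+?\.php)(?P<path_info>/.*)$")

# First line is trimmed from the question; the rest are constructed samples.
SAMPLE_LOG = [
    "2015/03/16 10:44:03 [error] 1487#0: *95 FastCGI sent in stderr: "
    "\"Access to the script '/srv/test/index.php/author-login' has been "
    "denied (see security.limit_extensions)\" while reading response header",
    "2015/03/16 10:44:04 [error] 1487#0: *96 FastCGI sent in stderr: "
    "\"Access to the script '/srv/test/media/app.js' has been denied "
    "(see security.limit_extensions)\" while reading response header",
    "2015/03/16 10:44:05 [error] 1487#0: *97 open() \"/srv/test/favicon.ico\" "
    "failed (2: No such file or directory)",
]

def classify(line):
    """Return (script, cause, detail) for a denial line, else None."""
    m = DENIED.search(line)
    if not m:
        return None
    script = m.group("script")
    split = SPLIT.match(script)
    if split:
        # Real .php script plus trailing path: PATH_INFO was not separated
        # before SCRIPT_FILENAME reached FPM. Fix the nginx split, not the limit.
        return script, "pathinfo-not-split", split.group("script")
    if script.endswith(".php"):
        return script, "php-missing-from-limit_extensions", ".php"
    # Non-PHP file handed to FPM, e.g. by a catch-all "location /" block.
    return script, "non-php-routed-to-fpm", posixpath.splitext(script)[1]

def summarize(lines):
    """Count denial causes across log lines, ignoring unrelated entries."""
    return Counter(r[1] for r in map(classify, lines) if r)

if __name__ == "__main__":
    for result in filter(None, map(classify, SAMPLE_LOG)):
        print(*result, sep="\t")
```

Neither cause calls for emptying security.limit_extensions: the first is corrected where nginx builds SCRIPT_FILENAME, the second by narrowing which locations are passed to FPM.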
