php-fpm security.limit_extension issue

March 16, 2015 51.3k views
PHP Linux Basics Joomla Server Optimization Debian
zx987
By:
zx987

I run Nginx + php5-fpm with Ajenti on Debian. This is the issue error.log gives me on one of the websites:

2015/03/16 10:44:03 [error] 1487#0: *95 FastCGI sent in stderr: "Access to the script '/srv/test/index.php/author-login' has been denied (see security.limit_extensions)" while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: xxx.xx, request: "GET /index.php/author-login HTTP/1.1", upstream: "fastcgi://unix:/var/run/ajenti-v-php-fcgi-test2-php-fcgi-0.sock:", host: "xxx.xxx", referrer: "xxx.xxx"

How can I repair security.limit_exceptions?

4 comments
  • tealeisawesome October 10, 2015

    looks like it is trying to append your request to index.php

  • tomearl98 December 2, 2015

    If you uncomment the following line (in www.conf)(or append it to the config file for your php-fpm pool):

    security.limit_extensions = .php .php3 .php4 .php5

    and just add the necessary extensions.

    To allow all extensions just leave the space after it blank:

    security.limit_extensions =

    Then restart php-fpm and you should be good to go

  • digitalextremist February 27, 2016

    Thanks for this @tomearl98. Fixed my issue!

    Note, for Ubuntu users - the file is:

    /etc/php5/fpm/php-fpm.conf
  • andy180264 October 9, 2016

    This is a extremely insecure solution. The problem is to do with pathinfo, not the extensions. If you fix the pathinfo, then it will work.

    Turning off the extensions limit will allow (if applicable) things like uploaded images that have PHP in to be executed.

    This isn't to say you should entirely rely on extensions limits, and not protect the upload path though.

Log In to Comment
5 Answers
asb MOD March 17, 2015

FPM's security.limit_extension setting is used to limit the extensions of the main script it will be allowed to parse. It prevents malicious code from being executed. The default value is simply .php It can be configured in /etc/php5/fpm/pool.d/www.conf

Though your issue like is elsewhere. The first thing I would check is that the cgi.fix_pathinfo setting in your /etc/php5/fpm/php.ini file is set to:

cgi.fix_pathinfo=0

See our tutorial on setting up Nginx and PHP for more info.

How To Install Linux, Nginx, MySQL, PHP (LEMP) stack on Ubuntu 14.04
by Justin Ellingwood
A LEMP stack (Linux, Nginx, MySQL, and PHP) is a powerful set of software that can be configured to serve dynamic sites and web apps from your server. In this guide, we will discuss how to install a LEMP stack on an Ubuntu 14.04 server.
Reply
rhodrimmd April 12, 2017

Just to add a simple fix for problems i was having. Mine was a small mistake in the nginx config that made PHP fpm try and deal with all the file (.js .jpg etc)
This was because i had
location / {
all i had to do is change this so fpm only dealt with php files
location ~ /.*\.php$ {

Reply
blondie63 June 14, 2015

Hi, i've same problem..
i've a server configured as other tutorial (Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 14.04 Droplet)
my joomla sites has "Access Denied" only for Frontend if php.ini-> cgi.fixpathinfo=0
with cgi.fixpathinfo=1 all working fine

what can i do ?
thanks for help

Reply
digitalextremist February 27, 2016
[deleted]
Reply
luismuzquiz September 14, 2016

Using PHP-FPM

If If i set 

cgi.fix_pathinfo=0

Then i get an access denied message from owncloud. And could not make it work by uncommenting 

security.limit_extensions = .php .php3 .php4 .php5 .php7

So i had to go back to cgi.fix_pathinfo=1

Reply
Have another answer? Share your knowledge.

Related Questions