Question

php-fpm security.limit_extension issue

Posted March 16, 2015 73.2k views
Linux Basics PHP Server Optimization Joomla Debian

I run Nginx + php5-fpm with Ajenti on Debian. This is the issue error.log gives me on one of the websites:

2015/03/16 10:44:03 [error] 1487#0: *95 FastCGI sent in stderr: “Access to the script ’/srv/test/index.php/author-login’ has been denied (see security.limit_extensions)” while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: xxx.xx, request: “GET /index.php/author-login HTTP/1.1”, upstream: “fastcgi://unix:/var/run/ajenti-v-php-fcgi-test2-php-fcgi-0.sock:”, host: “xxx.xxx”, referrer: “xxx.xxx”

How can I repair security.limit_exceptions?

Add a comment
zx987
By:
zx987
Add a comment
4 comments
  • tealeisawesome October 10, 2015
    Reply Report

    looks like it is trying to append your request to index.php

  • tomearl98 December 2, 2015
    Reply Report

    If you uncomment the following line (in www.conf)(or append it to the config file for your php-fpm pool):

    security.limit_extensions = .php .php3 .php4 .php5

    and just add the necessary extensions.

    To allow all extensions just leave the space after it blank:

    security.limit_extensions =

    Then restart php-fpm and you should be good to go

  • digitalextremist February 27, 2016
    Reply Report

    Thanks for this @tomearl98. Fixed my issue!

    Note, for Ubuntu users - the file is:

    /etc/php5/fpm/php-fpm.conf
  • andy180264 October 9, 2016
    Reply Report

    This is a extremely insecure solution. The problem is to do with pathinfo, not the extensions. If you fix the pathinfo, then it will work.

    Turning off the extensions limit will allow (if applicable) things like uploaded images that have PHP in to be executed.

    This isn’t to say you should entirely rely on extensions limits, and not protect the upload path though.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

5 answers
asb March 17, 2015

FPM’s security.limit_extension setting is used to limit the extensions of the main script it will be allowed to parse. It prevents malicious code from being executed. The default value is simply .php It can be configured in /etc/php5/fpm/pool.d/www.conf

Though your issue like is elsewhere. The first thing I would check is that the cgi.fix_pathinfo setting in your /etc/php5/fpm/php.ini file is set to:

cgi.fix_pathinfo=0

See our tutorial on setting up Nginx and PHP for more info.

How To Install Linux, Nginx, MySQL, PHP (LEMP) stack on Ubuntu 14.04
by Justin Ellingwood
A LEMP stack (Linux, Nginx, MySQL, and PHP) is a powerful set of software that can be configured to serve dynamic sites and web apps from your server. In this guide, we will discuss how to install a LEMP stack on an Ubuntu 14.04 server.
Reply Report
rhodrimmd April 12, 2017

Just to add a simple fix for problems i was having. Mine was a small mistake in the nginx config that made PHP fpm try and deal with all the file (.js .jpg etc)
This was because i had
location / {
all i had to do is change this so fpm only dealt with php files
location ~ /.*\.php$ {

Reply Report
blondie63 June 14, 2015

Hi, i’ve same problem..
i’ve a server configured as other tutorial (Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 14.04 Droplet)
my joomla sites has “Access Denied” only for Frontend if php.ini-> cgi.fixpathinfo=0
with cgi.fixpathinfo=1 all working fine

what can i do ?
thanks for help

Reply Report
digitalextremist February 27, 2016
[deleted]
Reply Report
luismuzquiz September 14, 2016

Using PHP-FPM

If If i set 

cgi.fix_pathinfo=0

Then i get an access denied message from owncloud. And could not make it work by uncommenting 

security.limit_extensions = .php .php3 .php4 .php5 .php7

So i had to go back to cgi.fix_pathinfo=1

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help