Question
php-fpm security.limit_extension issue
- Posted March 16, 2015
- PHPLinux BasicsJoomlaServer OptimizationDebian
I run Nginx + php5-fpm with Ajenti on Debian. This is the issue error.log gives me on one of the websites:
2015/03/16 10:44:03 [error] 1487#0: *95 FastCGI sent in stderr: “Access to the script ‘/srv/test/index.php/author-login’ has been denied (see security.limit_extensions)” while reading response header from upstream, client: xxx.xxx.xxx.xxx, server: xxx.xx, request: “GET /index.php/author-login HTTP/1.1”, upstream: “fastcgi://unix:/var/run/ajenti-v-php-fcgi-test2-php-fcgi-0.sock:”, host: “xxx.xxx”, referrer: “xxx.xxx”
How can I repair security.limit_exceptions?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Just to add a simple fix for problems i was having. Mine was a small mistake in the nginx config that made PHP fpm try and deal with all the file (.js .jpg etc)
This was because i had
location / {
all i had to do is change this so fpm only dealt with php files
location ~ /.*\.php$ {
Just to add a simple fix for problems i was having. Mine was a small mistake in the nginx config that made PHP fpm try and deal with all the file (.js .jpg etc)
This was because i had
location / {
all i had to do is change this so fpm only dealt with php files
location ~ /.*\.php$ {
FPM’s security.limit_extension setting is used to limit the extensions of the main script it will be allowed to parse. It prevents malicious code from being executed. The default value is simply .php It can be configured in /etc/php5/fpm/pool.d/www.conf
Though your issue like is elsewhere. The first thing I would check is that the cgi.fix_pathinfo setting in your /etc/php5/fpm/php.ini file is set to:
cgi.fix_pathinfo=0
See our tutorial on setting up Nginx and PHP for more info.
FPM’s security.limit_extension setting is used to limit the extensions of the main script it will be allowed to parse. It prevents malicious code from being executed. The default value is simply .php It can be configured in /etc/php5/fpm/pool.d/www.conf
Though your issue like is elsewhere. The first thing I would check is that the cgi.fix_pathinfo setting in your /etc/php5/fpm/php.ini file is set to:
cgi.fix_pathinfo=0
See our tutorial on setting up Nginx and PHP for more info.
Using PHP-FPM
If If i set
cgi.fix_pathinfo=0
Then i get an access denied message from owncloud. And could not make it work by uncommenting
security.limit_extensions = .php .php3 .php4 .php5 .php7
So i had to go back to cgi.fix_pathinfo=1
This comment has been deleted
Hi, i’ve same problem… i’ve a server configured as other tutorial (Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 14.04 Droplet) my joomla sites has “Access Denied” only for Frontend if php.ini-> cgi.fix_pathinfo=0 with cgi.fix_pathinfo=1 all working fine
what can i do ? thanks for help
This is a extremely insecure solution. The problem is to do with pathinfo, not the extensions. If you fix the pathinfo, then it will work.
Turning off the extensions limit will allow (if applicable) things like uploaded images that have PHP in to be executed.
This isn’t to say you should entirely rely on extensions limits, and not protect the upload path though.
If you uncomment the following line (in www.conf)(or append it to the config file for your php-fpm pool):
and just add the necessary extensions.
To allow all extensions just leave the space after it blank:
Then restart php-fpm and you should be good to go
Thanks for this @tomearl98. Fixed my issue!
Note, for Ubuntu users - the file is:
This comment has been deleted
looks like it is trying to append your request to index.php