How to disable php-fpm only for a subfolder?

Discussion in 'General' started by NdK, Jun 16, 2021.

  1. NdK

    NdK Member

    Hello all.
    I have a working site where I'd need to make a SMB share available in a subfolder.
    The export itself is not a problem and works even too well: users are able to create php files in their exported folders and these files get interpreted by php-fpm.
    I tried adding a section like:
        # Do not execute PHP files in users directories
        <Directory "{DOCROOT_CLIENT}/users/">
            <IfModule mod_security2.c>
                SecRuleRemoveById 960015
                SecRuleRemoveById 960032
            </IfModule>
            <Files "*">
                SetHandler None
                SetHandler default-handler
                Options -ExecCGI
                RemoveHandler .php
            </Files>
            AllowOverride AuthConfig Indexes Limit Options
            Require all granted
            <FilesMatch "^\.ht">
                Require all denied
            </FilesMatch>
        </Directory>
    to the "Options" tab (copied from the section that should disable php for webdav folders, and trying many variations for "Files" section), but the only "solution" that seems to work is having a "Require all denied" line (using Files "*.php" or a FilesMatch like the one in webdav section).
    I first tried {DOCROOT}/users/ for Directory, but it didn't match the requests. I also tried restarting php7.4-fpm process just to be sure.

    What am I doing wrong or missing? I'm quite sure that's something easy, but can't find it :(

  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    RemoveHandler should do it, try putting it outside <Files>. Something like:
        <Directory "{DOCROOT_CLIENT}/users/">
          DirectoryIndex index.html
          <IfModule mod_mime.c>
            RemoveHandler .php .phtml .php3 .php4 .php5
            RemoveType .php .phtml .php3 .php4 .php5
            AddType text/plain .php
          </IfModule>
          <IfModule mod_php5.c>
            php_flag engine off
          </IfModule>
          ...other stuff...
        </Directory>
    If that doesn't work, try using the exact FilesMatch which the SetHandler uses, '<FilesMatch "\.php[345]?$">' for the RemoveHandler (or SetHandler None); I don't know what match takes precedence offhand.
    Last edited: Jun 16, 2021
  3. NdK

    NdK Member

    Tks, but it still interprets php files.
    I tried your snippet, then tried removing ifmodule (making RemoveHandler a direct child of Directory). Same result.
    I tried putting a
        <FilesMatch "\.php[345]?$">
            Require all denied
        </FilesMatch>
    just before </Directory> to check (again) that I'm working on the correct path. Then tried changing DOCROOT_CLIENT to DOCROOT and it stopped blocking access to php files, as expected. So I think DOCROOT_CLIENT is the correct one for <Directory>.
    It seems that "RemoveHandler .php" (I'm testing with info.php) and "SetHandler None" get ignored and the file gets passed to php-fpm anyway... I can't understand why.
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    try this.

        <FilesMatch ".+\.*$">
            SetHandler !
        </FilesMatch>
    the page i found this on said to put it in .htaccess, but you should be able to include it within your directory section in the sites options.
  5. NdK

    NdK Member

    Tks, but it doesn't work.
    I already tried it (from stackexchange, IIRC), but rechecked just to be sure. I don't understand what's happening, and hate it!
  6. NdK

    NdK Member

    Sigh. 111 views and no result. :( Posting just to say I'm still looking for a solution.
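
Added example, not part of any post in this thread: a small checker for the test loop described above (change the `<Directory>` block, then request a test file), which tells apart "php-fpm still ran the file", "the file came back as static source" and "access denied". The marker string, the probe file contents and the sample responses are constructed for illustration; `probe()` takes whatever URL the test file is reachable at.

```python
import urllib.error
import urllib.request

MARKER = "probe-7f3a"  # constructed token, any unique string works
# Contents for a test file placed in the users/ share (constructed).
PROBE_SOURCE = "<?php echo '" + MARKER + ":' . (6 * 7); ?>\n"
EVALUATED = MARKER + ":42"  # only appears if PHP actually ran the file


def classify(status, headers, body):
    """Classify a response to the probe file.

    headers: dict with lower-cased names. Returns 'executed', 'source',
    'denied' or 'unknown'.
    """
    if status == 403:
        return "denied"  # e.g. the "Require all denied" workaround
    powered = headers.get("x-powered-by", "")
    if EVALUATED in body or powered.upper().startswith("PHP"):
        return "executed"  # php-fpm still handled the request
    if status == 200 and "<?php" in body:
        return "source"  # file came back as static content
    return "unknown"


def probe(url, timeout=5):
    """Fetch url and classify it (live check; not used by the samples)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return classify(resp.status, hdrs, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return classify(err.code, hdrs, err.read().decode("utf-8", "replace"))


# Constructed sample responses, one per outcome seen in the thread.
SAMPLES = {
    "executed": (200, {"content-type": "text/html; charset=UTF-8"}, EVALUATED),
    "source": (200, {"content-type": "text/plain"}, PROBE_SOURCE),
    "denied": (403, {"content-type": "text/html"}, "<h1>Forbidden</h1>"),
}

if __name__ == "__main__":
    for expected, (status, headers, body) in SAMPLES.items():
        print(expected, "->", classify(status, headers, body))
```

Because the probe computes `6 * 7`, the string `probe-7f3a:42` can only appear when the interpreter ran; a response that still contains `<?php` means the handler was really removed.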