Posts tagged 'configuration'

PHP-FPM security limit extensions issue

published on February 03, 2017.
Heads-up! You're reading an old post and the information in it is quite probably outdated.

For the first time ever I saw this error:

2017/02/03 11:45:04 [error] 14656#0: *1 FastCGI sent in stderr: "Access to the script '/var/www/web' has been
denied (see security.limit_extensions)" while reading response header from upstream, client: 127.0.0.1, server:
proj.loc, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/www.sock:", host: "proj.loc"

I mean… what? security.limit_extensions? I had honestly never heard of this before.

The PHP manual describes it as:

Limits the extensions of the main script FPM will allow to parse. This can prevent configuration mistakes on the web server side. You should only limit FPM to .php extensions to prevent malicious users to use other extensions to execute php code. Default value: .php .phar

Basically, it stops FPM from running a file as PHP code unless its name ends in one of the listed extensions. The "configuration mistake on the web server side" the manual hints at is an nginx (or Apache) setup that hands FPM a path which is not really a PHP script, for instance a user-uploaded image that happens to contain PHP code. With the default list FPM refuses such a request outright instead of executing whatever file it was pointed at.

OK, cool, but why am I getting this error?

The currently top answer on Google suggests setting the list of limited extensions to an empty string (security.limit_extensions =), which effectively disables the check altogether. That makes the error go away, but I'm really not comfortable with setting a security related configuration to a blank value, especially when people smarter than me set that configuration to a sane default value.

There must be a better, proper way to fix this, and this does feel like I misconfigured something in the nginx/php-fpm stack.

Accessing a folder as a script?

The Access to the script '/var/www/web' has been denied part of the error message also looks weird. Why would php-fpm try to access /var/www/web, which is a directory, as a script? It seems FPM never sees the actual PHP script, and that sounds awfully similar to the old, dreaded No input file specified error message.

And that one is, in most cases, caused by not including the fastcgi.conf params file in the location block of the nginx configuration. That file is what sets SCRIPT_FILENAME to $document_root$fastcgi_script_name (along with the other FastCGI parameters), so without it FPM never receives the path of the script it is supposed to run, is left with a path that does not end in .php, and refuses it. I double checked the configuration file and yup, I had missed the include:

server {
    # configuration for the server
    location ~ \.php$ {
        # configuration for php
        include fastcgi.conf; # << I missed this! It sets SCRIPT_FILENAME and the other FastCGI params
        fastcgi_pass unix:/var/run/php-fpm/www.sock; # the upstream socket seen in the error message
    }
}

I restarted nginx and everything works just fine, without touching the security.limit_extensions configuration.
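To make the decision FPM takes visible, here is a small Python model of the security.limit_extensions check. It is an added example, not code from this post or from php-fpm itself; the allow/deny rule mirrors fpm_php_limit_extensions() in php-fpm's fpm_php.c (an empty list allows everything, otherwise the path must be longer than the extension and end with it, compared byte for byte), the deny message is the one quoted in the log above, and the sample paths are constructed. It shows why the directory path from the log is rejected, why blanking the option "fixes" it by also waving through a non-PHP file, and why sending the proper SCRIPT_FILENAME is the real fix.

```python
"""
Added example, not code from the original post or from php-fpm: a Python
model of the security.limit_extensions check.

The allow/deny logic mirrors fpm_php_limit_extensions() in php-fpm's
fpm_php.c: an empty list allows everything; otherwise the path must be
longer than the extension and end with it (case-sensitive comparison).
"""

# php-fpm's documented default for security.limit_extensions
DEFAULT_LIMIT_EXTENSIONS = (".php", ".phar")

# The stderr line FPM logs on denial (nginx relays it as "FastCGI sent in stderr")
DENY_MESSAGE = "Access to the script '%s' has been denied (see security.limit_extensions)"


def parse_limit_extensions(value):
    """Turn the pool ini value into the list FPM checks against.
    FPM splits on whitespace; a blank value yields an empty list, i.e. no check."""
    return tuple(value.split())


def limit_extensions_allows(path, extensions=DEFAULT_LIMIT_EXTENSIONS):
    """True if FPM would hand `path` to the PHP engine under `extensions`."""
    if not extensions:
        return True  # security.limit_extensions = "" disables the check entirely
    for ext in extensions:
        # C: path_len > ext_len && strcmp(ext, path + path_len - ext_len) == 0
        if len(path) > len(ext) and path.endswith(ext):
            return True
    return False


def fpm_check(path, extensions=DEFAULT_LIMIT_EXTENSIONS):
    """Return None when the script is accepted, otherwise the log line FPM emits."""
    if limit_extensions_allows(path, extensions):
        return None
    return DENY_MESSAGE % path


def script_filename(document_root, fastcgi_script_name):
    """What nginx's fastcgi.conf sends as SCRIPT_FILENAME:
    $document_root$fastcgi_script_name, a plain concatenation."""
    return document_root + fastcgi_script_name


if __name__ == "__main__":
    # Constructed cases; the first reproduces the path from the post's log line.
    cases = [
        ("missing fastcgi.conf: FPM only sees the document root", "/var/www/web"),
        ("correct SCRIPT_FILENAME from fastcgi.conf",
         script_filename("/var/www/web", "/index.php")),
        ("a user upload the web server wrongly routed to FPM",
         "/var/www/web/uploads/avatar.jpg"),
    ]
    for label, path in cases:
        for ini in (".php .phar", ""):
            verdict = fpm_check(path, parse_limit_extensions(ini)) or "allowed"
            print("limit_extensions=%-12r %-52s %s" % (ini, label, verdict))
```

Run it and compare the two columns: with the default list only the real index.php passes, while the blank list accepts the directory path and the uploaded image alike, which is exactly the protection you give up with the "top answer" workaround.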

Happy hackin’!

Configure Fedora's firewall for Vagrant

published on December 09, 2016.

This one’s been in my drafts for a long time, might as well publish it.

FirewallD, Fedora's firewall, groups network interfaces into zones; each zone defines how much the interfaces in it are trusted, that is, which services and ports are allowed on them. You can read more about FirewallD on its wiki page.

Whenever I bring up a Vagrant box for the first time, Fedora's firewall blocks the NFS shares, because the new host-only network interface VirtualBox creates for the box does not belong to any zone that allows NFS. The usual symptom of this is that Vagrant gets stuck on the mounting NFS shares step.

I have a zone called FedoraWorkstation (the stock zone on Fedora Workstation) that I use for all the Vagrant boxes I have on my laptop. This zone has a list of services that are allowed:

robert@odin ~$ sudo firewall-cmd --zone FedoraWorkstation --list-services
dhcpv6-client rpc-bind nfs mountd ssh samba-client

You can use any other zone you like, but that zone needs to have the rpc-bind, nfs and mountd services allowed (if one is missing, add it with sudo firewall-cmd --zone ZONE --add-service SERVICE --permanent followed by a reload). Adding the interface to a zone only opens those services on that interface, so the NFS ports stay closed on your wifi or ethernet interfaces, which is the granularity you want.

After bringing up the Vagrant box, we need to figure out the name of the new interface and add it to the firewall zone. The host-only interfaces VirtualBox creates for Vagrant follow the naming scheme vboxnetX, where X is a number:

robert@odin ~$ ip link show | grep "state UP" | grep "vbox"
7: vboxnet3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000

From this we can see that the name of the interface is vboxnet3.

Let's add it to the FedoraWorkstation zone permanently and reload, since --permanent only edits the saved configuration and the reload is what activates it:

robert@odin ~$ sudo firewall-cmd --zone FedoraWorkstation --add-interface vboxnet3 --permanent
success
robert@odin ~$ sudo firewall-cmd --reload
success

Finally let’s make sure that the interface was indeed added:

robert@odin ~$ sudo firewall-cmd --zone FedoraWorkstation --list-interfaces
vboxnet3 vboxnet2 vboxnet0
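The whole procedure as one POSIX shell script, added here as an example and not taken from the original post. The zone name and the required services come from the post; the interface and service parsing helpers read their input from stdin so they can be tried on captured output without root or a live firewalld, and the firewall-cmd and ip invocations only run when the script is started with --apply. The sample ip link lines used to try it out are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: find the VirtualBox host-only
# interfaces (vboxnetX) that are UP, check that the target zone allows the
# NFS-related services, add the interfaces to the zone permanently, reload,
# and list the zone's interfaces to verify. ZONE defaults to the zone used in
# the post and can be overridden in the environment.

ZONE="${ZONE:-FedoraWorkstation}"
REQUIRED_SERVICES="rpc-bind nfs mountd"

# Read `ip link show` output on stdin; print the names of vboxnetX interfaces
# that are UP, one per line.
vbox_up_ifaces() {
    awk '/^[0-9]+: vboxnet[0-9]+:/ && /state UP/ { sub(/:$/, "", $2); print $2 }'
}

# Read `firewall-cmd --zone ZONE --list-services` output on stdin; succeed only
# if every service in REQUIRED_SERVICES is present.
zone_has_nfs_services() {
    services=" $(tr '\n' ' ') "
    for svc in $REQUIRED_SERVICES; do
        case "$services" in
            *" $svc "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Needs root and a running firewalld; only runs when invoked with --apply.
apply() {
    if ! firewall-cmd --zone "$ZONE" --list-services | zone_has_nfs_services; then
        echo "zone $ZONE does not allow all of: $REQUIRED_SERVICES" >&2
        echo "add them first: firewall-cmd --zone $ZONE --add-service SERVICE --permanent" >&2
        return 1
    fi
    ifaces="$(ip link show | vbox_up_ifaces)"
    if [ -z "$ifaces" ]; then
        echo "no vboxnet interface is UP; is the Vagrant box running?" >&2
        return 1
    fi
    for ifc in $ifaces; do
        # --permanent only edits the saved config; the reload below activates it.
        # Use --change-interface instead if the interface already sits in another zone.
        firewall-cmd --zone "$ZONE" --add-interface "$ifc" --permanent
    done
    firewall-cmd --reload
    firewall-cmd --zone "$ZONE" --list-interfaces
}

if [ "${1-}" = "--apply" ]; then
    apply
fi
```

Run it as sudo ZONE=FedoraWorkstation ./vagrant-fw.sh --apply after vagrant up has created the interface; the last line of output is the zone's interface list, the same verification step as above. To try the parsing helpers alone, pipe saved ip link show or firewall-cmd --list-services output into them.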

And that’s it. Happy hackin’!

Robert Basic

Software engineer, consultant, open source contributor.

Robert Basic © 2008 — 2019