I’m having trouble with PHP-FPM and Apache 2.4.1 mod_proxy_fcgi. As mod_proxy_fcgi cannot handle Unix sockets, PHP-FPM has to listen on localhost. Thus, anyone who has access to the server could send requests to PHP-FPM. I wasn’t able to restrict PHP-FPM to my document root, so someone could just create a malicious PHP file, make sure my PHP process has access to it and send a specially crafted request to the port on which PHP-FPM listens. (I already tried it out, it worked.)
I have the following in my Apache config:

    <VirtualHost *:80>
        ServerName example.org
        DocumentRoot /srv/vhosts/example.org/vhostdata/public/
        <Directory /srv/vhosts/example.org/vhostdata/public/>
            Require all granted
        </Directory>
        <LocationMatch ^(.*\.php)$>
            ProxyPass fcgi://127.0.0.1:6001/srv/vhosts/example.org/vhostdata/public/
            ProxyErrorOverride On
        </LocationMatch>
    </VirtualHost>

How do I make PHP-FPM prepend the document root /srv/vhosts/example.org/vhostdata/public/ on every request it receives? I already played around with the chdir directive, but it is not suitable for my needs.
Unfortunately, using a chroot is not an option for me because I am running in a linux-vserver environment, where mknod has been disabled by the administrator for security reasons.
mod_fastcgi has always worked for me. Getting out of the linux-vserver would be a winning strategy, too.
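
An added example, not part of either post: a small audit of a PHP-FPM pool file for the exposure the question describes (a TCP listener that any local user can reach, with nothing confining scripts to the document root). It treats php_admin_value[open_basedir] as the confining setting, which is an assumption of this example since the thread does not mention it; the pool file contents and the function names are constructed for illustration.

```python
import os.path

DOCROOT = "/srv/vhosts/example.org/vhostdata/public/"  # from the question

# Constructed pool file; only the listen address and port come from the question.
SAMPLE_POOL = """\
[example]
; TCP because the proxy module cannot use a Unix socket
listen = 127.0.0.1:6001
user = www-data
"""

def parse_pool(text):
    """Return {directive: value} for a single PHP-FPM pool section."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or not a directive
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def inside(path, root):
    """True if the absolute path lies at or below root."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return os.path.isabs(path) and os.path.commonpath([path, root]) == root

def audit(conf, docroot):
    """Return finding strings, each prefixed with a short identifier."""
    findings = []
    listen = conf.get("listen", "")
    if not listen.startswith("/"):  # anything but a socket path is TCP
        findings.append("tcp-listener: any local user can send FastCGI "
                        "requests to " + listen)
    raw = conf.get("php_admin_value[open_basedir]", "")
    allowed = [p for p in raw.split(":") if p]
    if not allowed:
        findings.append("open_basedir-missing: any file the pool user can "
                        "read may be requested as a script")
    for p in allowed:
        if not inside(p, docroot):
            findings.append("open_basedir-wide: " + p +
                            " is outside the document root")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_pool(SAMPLE_POOL), DOCROOT):
        print(finding)
```
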