php-fpm - 如何将某些符号链接作为PHP脚本执行
[英]php-fpm - How to execute certain symlinks as PHP scripts
问题描述
I am running Apache 2.2 with FastCGI and php-fpm. 
我用FastCGI和php-fpm运行Apache 2.2。 I am trying to duplicate the following logic: 我试图复制以下逻辑:
<FilesMatch "^(admin|api|app)?(_dev)?$">
#ForceType application/x-httpd-php
SetHandler php-fcgi
</FilesMatch>
Which allows me to symlink admin.php as admin, so I can remove the .php extension. 这允许我将admin.php作为管理员进行符号链接,因此我可以删除.php扩展名。 It seems the only way to do this with php-fpm is to set the security.limit_extension of the www.conf file to empty, however, as the comments indicate, this is a pretty big security hole, in that php code can now be executed from within any file, regardless of extension. 似乎用php-fpm执行此操作的唯一方法是将www.conf文件的security.limit_extension设置为空,但是,正如评论所示,这是一个相当大的安全漏洞,因为php代码现在可以从任何文件中执行,无论扩展名如何。
What would be the preferred way to accomplish the above, but still maintain some semblance of security? 什么是实现上述目标的首选方法,但仍然保持一定的安全性?
2 个解决方案
解决方案1
2 2014-09-22 05:45:58
Looks like the best solution so far is to manually add the known symlinks to the list (located in /etc/php-fpm.d/www.conf): 到目前为止,看起来最好的解决方案是手动将已知的符号链接添加到列表中(位于/etc/php-fpm.d/www.conf中):
security.limit_extension php admin admin_dev api api_dev app app_dev
Not sure if security.limit_extension directive can even take a regex, doesn't look like it, so this is about as good as it gets. 不确定security.limit_extension指令是否甚至可以采用正则表达式,看起来不像它,所以这就像它得到的一样好。 As mentioned in the OP, you will still have to maintain the filesmatch directive in the vhost config as well: 如OP中所述,您仍然需要在vhost配置中维护filesmatch指令:
<FilesMatch "^(admin|api|app)?(_dev)?$">
SetHandler php-fcgi
</FilesMatch>
-- Update -- - 更新 -
Per the comments by tftd, adding current rewrite directive: 根据tftd的注释,添加当前重写指令:
RewriteBase /
# we skip all files with .something
RewriteCond %{REQUEST_URI} \..+$
RewriteCond %{REQUEST_URI} !\.html$
RewriteRule .* - [L]
# we check if the .html version is here (caching)
RewriteRule ^$ index.html [QSA]
RewriteRule ^([^.]+)$ $1.html [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
# no, so we redirect to our front web controller
RewriteRule ^(.*)$ index.php [QSA,L]
解决方案2
1 已采纳 2014-09-29 15:57:21
@Mike, based on your updated answer, something similar to this .htaccess file should be able to handle what you're trying to do: @Mike,根据你更新的答案,类似于这个.htaccess文件应该能够处理你想要做的事情:
# Enable the rewrite engine
RewriteEngine on
# Set the rewrite base path (i.e. if this .htaccess will be running at root context "/" or a subdir "/path")
RewriteBase /
# If the file exists, process as usual.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .* - [NC,L]
# If the dir exists, process as usual (if you don't need this, just comment/remove the next two lines).
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule .* - [NC,L]
# If (requested_file_name).html exists, rewrite to that file instead.
RewriteCond %{REQUEST_FILENAME}\.html -f
RewriteRule ^(.*)$ $1.html [QSA,L]
# If (requested file name).php exists, rewrite to that file instead.
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.html [QSA,L]
# If none of the above rules were triggered, fallback to index.php.
RewriteRule ^(.*)$ index.php [QSA,L]
With a bit of tweaking this should be able to do the job without the need of having to dive into httpd.conf and the <VirtualHost> nor <FilesMatch> directives. 通过一些调整,这应该能够完成工作,而无需深入了解httpd.conf和<VirtualHost>以及<FilesMatch>指令。 Hope this helps. 希望这可以帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.