Cannot get PHP with paths after the file name to work

Note: Got a message that this post was flagged as inappropriate and had to wait ten minutes to edit. For the life of me I have no idea what was inappropriate. Hope it gets through on this re-edit!

1. Caddy version (caddy version):

v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=

2. How I run Caddy:

a. System environment:

Ubuntu 22.04 LTS
Linux 5.15.0-39-generic #42-Ubuntu SMP Thu Jun 9 23:42:32 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

PHP 8.1 fpm

b. Command:

Runs via systemd service. See service file below.

/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

Systemd caddy.service file.


ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile


d. My complete Caddyfile or JSON config:



(cloudflare-tls) {
        tls {
                dns cloudflare "<redacted>"
        }
}

import /etc/caddy/snippets/*.conf

import /etc/caddy/sites-enabled/*.conf

# Default site.
:80 {
        root * /srv/default
}

# vim: ts=8 sw=8 noexpandtab

And sites-enabled/ {
        import cloudflare-tls
        root * /srv/

        php_fastcgi unix//var/run/php/php8.1-fpm.sock
        @forbidden {
                path /.htaccess
                path /.hg
                path /.hg/*
                path /_private/*
                path /.ht*
                path /.user*
        }
        respond @forbidden 404
}

# vim: ts=8 sw=8 noexpandtab

No other config files.

3. The problem I’m having:

In short, URLs like and work fine, but returns an HTTP 403 (forbidden) response with the body of, “Access denied.”

I believe this response is being produced by the PHP 8.1 fpm service (see error log in section 4 below.)

The expectation is that PHP fpm would run the foo.php file with /some/path as the PATH_INFO value.

4. Error messages and/or full log output:

When attempting to access the URL above, the following error message is generated in the /var/log/php8.1-fpm.log file:

WARNING: [pool www] child 44554 said into stderr: "NOTICE: Access to the script '/srv/' has been denied (see security.limit_extensions)"

Debug log output from Caddy is:

caddy[60184]: {"level":"debug","ts":1655903013.2011309,"logger":"http.handlers.rewrite","msg":"rewrote request","request":{"remote_ip":"","remote_port":"58528","proto":"HTTP/2.0","method":"GET","host":"","uri":"/foo.php/some/path","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":""}},"method":"GET","uri":"/foo.php"}
caddy[60184]: {"level":"debug","ts":1655903013.201183,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"/var/run/php/php8.1-fpm.sock","total_upstreams":1}
caddy[60184]: {"level":"debug","ts":1655903013.201319,"logger":"http.reverse_proxy.transport.fastcgi","msg":"roundtrip","request":{"remote_ip":"","remote_port":"58528","proto":"HTTP/2.0","method":"GET","host":"","uri":"/foo.php","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":[""],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":[""]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":""}},"dial":"/var/run/php/php8.1-fpm.sock","env":{"AUTH_TYPE":"","CONTENT_LENGTH":"","SCRIPT_FILENAME":"/srv/","SCRIPT_NAME":"/foo.php","SSL_CIPHER":"TLS_AES_128_GCM_SHA256","QUERY_STRING":"","REMOTE_USER":"","REQUEST_METHOD":"GET","HTTP_HOST":"","HTTPS":"on","PATH_TRANSLATED":"/srv/","REMOTE_ADDR":"","SERVER_PROTOCOL":"HTTP/2.0","SERVER_SOFTWARE":"Caddy/v2.5.1","DOCUMENT_URI":"/foo.php","REQUEST_URI":"/foo.php/some/path","REMOTE_IDENT":"","SERVER_NAME":"","GATEWAY_INTERFACE":"CGI/1.1","PATH_INFO":"/some/path","REMOTE_PORT":"58528","HTTP_ACCEPT":"*/*","HTTP_X_FORWARDED_HOST":"","REMOTE_HOST":"","SERVER_PORT":"443","SSL_PROTOCOL":"TLSv1.3","CONTENT_TYPE":"","DOCUMENT_ROOT":"/srv/","HTTP_USER_AGENT":"curl/7.81.0","HTTP_X_FORWARDED_FOR":"","HTTP_X_FORWARDED_PROTO":"https","REQUEST_SCHEME":"https"}}
caddy[60184]: {"level":"debug","ts":1655903013.2017865,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"unix//var/run/php/php8.1-fpm.sock","duration":0.000571739,"request":{"remote_ip":"","remote_port":"58528","proto":"HTTP/2.0","method":"GET","host":"","uri":"/foo.php","headers":{"X-Forwarded-For":[""],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":[""],"User-Agent":["curl/7.81.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":""}},"headers":{"Status":["403 Forbidden"],"Content-Type":["text/html; charset=UTF-8"]},"status":403}

5. What I already tried:

I’ve been banging my head against this for a day and a bit. I’ve tried using the expanded form of the php_fastcgi directive with bits chopped out.

Tried changing the @phpFiles bit to

@phpFiles path_regexp \.php($|/)

Tried adding either:

@phpWithPaths path_regexp phpWithPathsRegex ^(.*\.php)/.+$
redir @phpWithPaths {re.phpWithPathsRegex.1} 308


@phpWithPaths path_regexp phpWithPathsRegex ^(.*\.php)/.+$
rewrite @phpWithPaths {re.phpWithPathsRegex.1}

But nothing seems to get it sorted.

6. Links to relevant resources:

Hey Evan, welcome to the forum.

The system automatically blocked your post initially because one of our rules is to not redact domain names, and is a common redaction. We need the actual real configs in order to help you. But thanks for filling out the template so faithfully otherwise. Too many people skip it entirely.

The error says “see security.limit_extensions” – I don’t really know what that is, but did you try that? (Sorry, haven’t been a PHP guy for about 10 years)

That’s exactly what Caddy is doing though. See the debug logs:

Are you sure you have php-fpm correctly configured?


Are you sure you have php-fpm correctly configured?

Well, it turns out I didn’t. I had the cgi.fix_pathinfo set to zero instead of the default one.

Looking back through the configuration scripts I suspect this was inherited from long ago when PHP was being run as an Apache module or something, and for whatever reason didn’t trip up Nginx (I probably configured Nginx around it).

Thanks for the pointer about SCRIPT_FILENAME. That made me think about SCRIPT_FILENAME and PATH_TRANSLATED and a web search zeroed in on my problem.

To be clear, the Caddy software is doing the correct thing, my install of PHP was misconfigured.

Thanks again.


Awesome, thanks for following up!
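
Added example (not part of any post in this thread, and not Caddy or PHP code): a small triage script that pulls the FastCGI environment out of a Caddy `roundtrip` debug line and shows which script path would pass `security.limit_extensions` under each `cgi.fix_pathinfo` setting. The site root `/srv/example.test` is a constructed placeholder for the redacted one, and `script_path()` is an assumed model of php-fpm's choice (PATH_TRANSLATED when `cgi.fix_pathinfo=0`, SCRIPT_FILENAME otherwise), consistent with the resolution described above.

```python
import json

# Constructed sample modelled on the fastcgi "roundtrip" debug entry in the
# thread; /srv/example.test is a placeholder for the redacted site root.
SAMPLE_LOG = (
    'caddy[60184]: {"level":"debug",'
    '"logger":"http.reverse_proxy.transport.fastcgi","msg":"roundtrip",'
    '"env":{"SCRIPT_FILENAME":"/srv/example.test/foo.php",'
    '"SCRIPT_NAME":"/foo.php","PATH_INFO":"/some/path",'
    '"PATH_TRANSLATED":"/srv/example.test/some/path",'
    '"REQUEST_URI":"/foo.php/some/path"}}'
)


def fastcgi_env(line):
    """Return the env map from a Caddy fastcgi roundtrip debug line, else None."""
    start = line.find("{")  # skip the journald "caddy[pid]: " prefix
    if start < 0:
        return None
    try:
        entry = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    if entry.get("logger") != "http.reverse_proxy.transport.fastcgi":
        return None
    return entry.get("env")


def script_path(env, fix_pathinfo):
    """Assumed model: which variable php-fpm treats as the script to run."""
    if not fix_pathinfo and env.get("PATH_TRANSLATED"):
        return env["PATH_TRANSLATED"]
    return env["SCRIPT_FILENAME"]


def allowed(path, limit_extensions=(".php",)):
    """security.limit_extensions: suffix match; an empty list allows everything."""
    return not limit_extensions or path.endswith(tuple(limit_extensions))


def diagnose(line, limit_extensions=(".php",)):
    """Map each cgi.fix_pathinfo value to (script path, passes limit_extensions)."""
    env = fastcgi_env(line)
    if env is None:
        return None
    result = {}
    for fix_pathinfo in (0, 1):
        path = script_path(env, fix_pathinfo)
        result[fix_pathinfo] = (path, allowed(path, limit_extensions))
    return result
```

Run `diagnose()` over lines from `journalctl -u caddy` while debug logging is on; a `False` for the active `cgi.fix_pathinfo` value corresponds to the "has been denied (see security.limit_extensions)" notice in the php-fpm log.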
