Cannot get PHP with paths after the file name to work

Note: Got a message that this post was flagged as inappropriate and had to wait ten minutes to edit. For the life of me I have no idea what was inappropriate. Hope it gets through on this re-edit!

1. Caddy version (caddy version):

v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=

2. How I run Caddy:

a. System environment:

Ubuntu 22.04 LTS
Linux 5.15.0-39-generic #42-Ubuntu SMP Thu Jun 9 23:42:32 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

PHP 8.1 fpm

b. Command:

Runs via systemd service. See service file below.

/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

Systemd caddy.service file.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=www-data
Group=www-data
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

Caddyfile:

{
        email monitor@my.site
        debug
}

(cloudflare-tls) {
        tls {
                dns cloudflare "<redacted>"
        }
}

import /etc/caddy/snippets/*.conf

import /etc/caddy/sites-enabled/*.conf

# Default site.
:80 {
        root * /srv/default
        file_server
}

# vim: ts=8 sw=8 noexpandtab

And sites-enabled/my.site.conf

my.site {
        import cloudflare-tls
        root * /srv/my.site
        file_server

        php_fastcgi unix//var/run/php/php8.1-fpm.sock
        @forbidden {
                path /.htaccess
                path /.hg
                path /.hg/*
                path /_private/*
                path /.ht*
                path /.user*
        }
        respond @forbidden 404
}

# vim: ts=8 sw=8 noexpandtab

No other config files.

3. The problem I’m having:

In short, URLs like https://my.site/foo.php and https://my.site/foo.php/ work fine, but https://my.site/foo.php/some/path returns an HTTP 403 (forbidden) response with the body of, “Access denied.”

I believe this response is being produced by the PHP 8.1 fpm service (see error log in section 4 below.)

The expectation is that PHP fpm would run the foo.php file with /some/path as the PATH_INFO value.

4. Error messages and/or full log output:

When attempting to access the URL above, the following error message is generated in the /var/log/php8.1-fpm.log file:

WARNING: [pool www] child 44554 said into stderr: "NOTICE: Access to the script '/srv/my.site/some/path' has been denied (see security.limit_extensions)"

Debug log output from Caddy is:

caddy[60184]: {"level":"debug","ts":1655903013.2011309,"logger":"http.handlers.rewrite","msg":"rewrote request","request":{"remote_ip":"127.0.0.1","remote_port":"58528","proto":"HTTP/2.0","method":"GET","host":"my.site","uri":"/foo.php/some/path","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"my.site"}},"method":"GET","uri":"/foo.php"}
caddy[60184]: {"level":"debug","ts":1655903013.201183,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"/var/run/php/php8.1-fpm.sock","total_upstreams":1}
caddy[60184]: {"level":"debug","ts":1655903013.201319,"logger":"http.reverse_proxy.transport.fastcgi","msg":"roundtrip","request":{"remote_ip":"127.0.0.1","remote_port":"58528","proto":"HTTP/2.0","method":"GET","host":"my.site","uri":"/foo.php","headers":{"User-Agent":["curl/7.81.0"],"Accept":["*/*"],"X-Forwarded-For":["127.0.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["my.site"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"my.site"}},"dial":"/var/run/php/php8.1-fpm.sock","env":{"AUTH_TYPE":"","CONTENT_LENGTH":"","SCRIPT_FILENAME":"/srv/my.site/foo.php","SCRIPT_NAME":"/foo.php","SSL_CIPHER":"TLS_AES_128_GCM_SHA256","QUERY_STRING":"","REMOTE_USER":"","REQUEST_METHOD":"GET","HTTP_HOST":"my.site","HTTPS":"on","PATH_TRANSLATED":"/srv/my.site/some/path","REMOTE_ADDR":"127.0.0.1","SERVER_PROTOCOL":"HTTP/2.0","SERVER_SOFTWARE":"Caddy/v2.5.1","DOCUMENT_URI":"/foo.php","REQUEST_URI":"/foo.php/some/path","REMOTE_IDENT":"","SERVER_NAME":"my.site","GATEWAY_INTERFACE":"CGI/1.1","PATH_INFO":"/some/path","REMOTE_PORT":"58528","HTTP_ACCEPT":"*/*","HTTP_X_FORWARDED_HOST":"my.site","REMOTE_HOST":"127.0.0.1","SERVER_PORT":"443","SSL_PROTOCOL":"TLSv1.3","CONTENT_TYPE":"","DOCUMENT_ROOT":"/srv/my.site","HTTP_USER_AGENT":"curl/7.81.0","HTTP_X_FORWARDED_FOR":"127.0.0.1","HTTP_X_FORWARDED_PROTO":"https","REQUEST_SCHEME":"https"}}
caddy[60184]: {"level":"debug","ts":1655903013.2017865,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"unix//var/run/php/php8.1-fpm.sock","duration":0.000571739,"request":{"remote_ip":"127.0.0.1","remote_port":"58528","proto":"HTTP/2.0","method":"GET","host":"my.site","uri":"/foo.php","headers":{"X-Forwarded-For":["127.0.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["my.site"],"User-Agent":["curl/7.81.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"my.site"}},"headers":{"Status":["403 Forbidden"],"Content-Type":["text/html; charset=UTF-8"]},"status":403}

5. What I already tried:

I’ve been banging my head against this for a day and a bit. I’ve tried using the expanded form of the php_fastcgi directive with bits chopped out.

Tried changing the @phpFiles bit to

@phpFiles path_regexp \.php($|/)

Tried adding either:

@phpWithPaths path_regexp phpWithPathsRegex ^(.*\.php)/.+$
redir @phpWithPaths {re.phpWithPathsRegex.1} 308

or

@phpWithPaths path_regexp phpWithPathsRegex ^(.*\.php)/.+$
rewrite @phpWithPaths {re.phpWithPathsRegex.1}

But nothing seems to get it sorted.

6. Links to relevant resources:

Hey Evan, welcome to the forum.

The system automatically blocked your post initially because one of our rules is to not redact domain names, and my.site is a common redaction. We need the actual real configs in order to help you. But thanks for filling out the template so faithfully otherwise. Too many people skip it entirely.

The error says “see security.limit_extensions” – I don’t really know what that is, but did you try that? (Sorry, haven’t been a PHP guy for about 10 years)

That’s exactly what Caddy is doing though. See the debug logs:

Are you sure you have php-fpm correctly configured?

1 Like

Are you sure you have php-fpm correctly configured?

Well, it turns out I didn’t. I had the cgi.fix_pathinfo set to zero instead of the default one.

Looking back through the configuration scripts I suspect this was inherited from long ago when PHP was being run as an Apache module or something, and for whatever reason didn’t trip up Nginx (I probably configured Nginx around it).

Thanks for the pointer about SCRIPT_FILENAME. That made me think about SCRIPT_FILENAME and PATH_TRANSLATED and a web search zeroed in on my problem.

To be clear, the Caddy software is doing the correct thing, my install of PHP was misconfigured.

Thanks again.

2 Likes
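The resolution above (Caddy sends the right FastCGI variables, PHP-FPM with cgi.fix_pathinfo=0 picks the wrong script and security.limit_extensions then refuses it) can be traced with a small model. The following is an added example, not code from the thread or from the Caddy or PHP projects: the environment dictionary is a constructed copy of the "env" object in the Caddy roundtrip debug log, and `resolve_script` is a simplified model of PHP-FPM's request setup as I understand it (legacy mode lets a server-supplied PATH_TRANSLATED replace SCRIPT_FILENAME; the fix_pathinfo=1 path walk that re-derives PATH_INFO on disk is not modelled, since Caddy has already split the path).

```python
# Added example (not from the thread): model how PHP-FPM selects the script to
# execute from the FastCGI environment under cgi.fix_pathinfo=0 vs 1, and how
# security.limit_extensions then accepts or rejects that script.
import os
from dataclasses import dataclass

# Constructed copy of the "env" object in the Caddy "roundtrip" debug log.
# Caddy splits /foo.php/some/path itself and, per the CGI spec, sets
# PATH_TRANSLATED = DOCUMENT_ROOT + PATH_INFO.
CADDY_FASTCGI_ENV = {
    "SCRIPT_FILENAME": "/srv/my.site/foo.php",
    "SCRIPT_NAME": "/foo.php",
    "PATH_INFO": "/some/path",
    "PATH_TRANSLATED": "/srv/my.site/some/path",
    "DOCUMENT_ROOT": "/srv/my.site",
    "REQUEST_URI": "/foo.php/some/path",
}

# php-fpm's default for security.limit_extensions in the pool config.
DEFAULT_LIMIT_EXTENSIONS = (".php", ".phar")


@dataclass
class Resolution:
    script_path: str   # file PHP-FPM would try to execute
    path_info: str     # PATH_INFO the script would see
    status: int        # 200 when allowed to run, 403 when FPM refuses
    reason: str


def resolve_script(env, fix_pathinfo=1, limit_extensions=DEFAULT_LIMIT_EXTENSIONS):
    """Simplified model of PHP-FPM request setup (assumption, not PHP's code)."""
    script = env.get("SCRIPT_FILENAME", "")
    path_info = env.get("PATH_INFO", "")

    if not fix_pathinfo:
        # Legacy behaviour (cgi.fix_pathinfo=0): a PATH_TRANSLATED supplied by
        # the web server replaces SCRIPT_FILENAME. With Caddy's spec-conformant
        # value that becomes /srv/my.site/some/path, which is not a PHP file.
        if env.get("PATH_TRANSLATED"):
            script = env["PATH_TRANSLATED"]

    # security.limit_extensions: only scripts whose extension is on the list
    # may run. This is the check that produced the NOTICE in php8.1-fpm.log.
    ext = os.path.splitext(script)[1]
    if limit_extensions and ext not in limit_extensions:
        return Resolution(
            script, path_info, 403,
            f"Access to the script '{script}' has been denied "
            "(see security.limit_extensions)",
        )
    return Resolution(script, path_info, 200, "ok")


def fpm_log_line(res, pool="www"):
    """Render the decision the way php-fpm logs a denial, for comparison."""
    return f"NOTICE: [pool {pool}] {res.reason}" if res.status == 403 else ""


if __name__ == "__main__":
    for fix in (0, 1):
        res = resolve_script(CADDY_FASTCGI_ENV, fix_pathinfo=fix)
        print(f"cgi.fix_pathinfo={fix}: status {res.status}, "
              f"script {res.script_path}, PATH_INFO {res.path_info!r}")
        if res.status == 403:
            print("  " + fpm_log_line(res))
```

With `fix_pathinfo=0` the model resolves the script to /srv/my.site/some/path and returns 403 with the same "has been denied (see security.limit_extensions)" text seen in the FPM log; with the default `fix_pathinfo=1` it runs /srv/my.site/foo.php with PATH_INFO `/some/path`, which is what the original post expected. On Ubuntu the FPM setting lives in /etc/php/8.1/fpm/php.ini (separate from the CLI php.ini), so checking `php -i` from a shell can show a different value from the one FPM is actually using. Note that security.limit_extensions is the guard that still matters once fix_pathinfo is 1: it is what stops FPM from executing a non-PHP file that a path-splitting request resolves to, so leave it at its default rather than disabling it to make an error go away.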

Awesome, thanks for following up!