Access to the script ‘/path/to/script.php’ has been denied (see security.limit_extensions)

Before anything else, let me list what I have tried:

  • This Answer on ServerFault
  • chmoded /Users/user/portal3 to 777 to see if it executes
  • Created two pools, one with root and another with the current user
  • Googled
  • entered ##php on freenode
  • and a lot of other ideas.

I have a problem executing PHP code in a subdirectory inside my home directory. On Nginx I get this:

2016/08/23 09:13:40 [error] 39170#0: *13 FastCGI sent in stderr: "Access to the script 
'/Users/user/portal3' has been denied (see security.limit_extensions)" while reading
response header from upstream, client: 127.0.0.1, server: localhost, request:
"GET /portal/v3/index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "localhost"

On php-fpm this shows

[23-Aug-2016 09:13:40] WARNING: [pool dev] child 8305 said into stderr: "NOTICE: Access to the script '/Users/user/portal3' has been denied (see security.limit_extensions)"

I have tried everything but I don’t have any success running php with Nginx / PHP-FPM on Mac

Nginx and PHP-FPM run as root

PHP-FPM is configured with two pools:

  • [www]: runs as root and works fine, executes PHP code, but its www-root subdirectory is in /var/www
  • [dev] pool that runs as my current user on Mac OS X, listens on port 9001, and is configured to run code in /Users/user/portal3.

php-fpm.ini

[dev]
user=user
group=staff
listen=127.0.0.1:9001
listen.mode = 0666
pm = ondemand
pm.max_children = 10
pm.process_idle_timeout = 10s
pm.status_path = /status_user
catch_workers_output = yes
security.limit_extensions = .php

default (on sites-available) Nginx

server {
    listen       80;
    server_name  localhost;
    ###root /var/www/;
    access_log   /usr/local/etc/nginx/logs/default.access.log  main;
    access_log   /usr/local/etc/nginx/logs/default.scripts.log  scripts;

    location /portal/v3 {
        alias /Users/user/portal3;
        location ~  ^/portal/v3/(.+\.php)(/.*)$ {
            #alias /Users/user/portal3;
            index index.php;

            # Mitigate https://httpoxy.org/ vulnerabilities
            fastcgi_param HTTP_PROXY "";

            fastcgi_pass   127.0.0.1:9001;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$2;#$fastcgi_script_name;
            include fastcgi_params;
        }

    }

    location = /info {
        allow   127.0.0.1;
        deny    all;
        rewrite (.*) /.info.php;
    }

    location / {
        root /var/www/;
        index        index.php index.html index.htm;
        include   /usr/local/etc/nginx/conf.d/php-fpm;
    }

    error_page  404     /404.html;
    error_page  403     /403.html;
}

I have installed everything using Homebrew. Now I’m running out of ideas, so I came here to get some help.

Answer

In your PHP-FPM config you have a directive called security.limit_extensions

Limits the extensions of the main script FPM will allow to parse. This can prevent configuration mistakes on the web server side. You should only limit FPM to .php extensions to prevent malicious users to use other extensions to execute php code. Default value: .php.

In your case, because your location block doesn’t contain an index directive, nginx doesn’t know to use index.php as the default index file when the path points to /Users/user/portal3. Instead it attempts to execute it as a PHP script, and PHP-FPM raises the security restriction that /Users/user/portal3 does not have a .php extension.

Your location block should look more like this…

location /portal/v3 {
    alias /Users/user/portal3;
    index index.php;
    location ~  ^/portal/v3/(.+\.php)(/.*)$ {
        fastcgi_param HTTP_PROXY "";

        fastcgi_pass   127.0.0.1:9001;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$2;#$fastcgi_script_name;
        include fastcgi_params;
    }

}
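
A way to check which path PHP-FPM actually receives for a given request, written as an added example (not code from the question or the answer). It models nginx capture expansion into SCRIPT_FILENAME and the security.limit_extensions suffix test; the function names, the `OPTIONAL_RE` variant, the `$document_root/$1` template and the sample URIs are assumptions made for illustration.

```python
import re

# Simplified model (assumption): nginx expands SCRIPT_FILENAME from the regex
# captures, and PHP-FPM rejects any path that does not end in an extension
# listed in security.limit_extensions.
DOCUMENT_ROOT = "/Users/user/portal3"   # the alias from the page
LIMIT_EXTENSIONS = (".php",)            # security.limit_extensions = .php
POSTED_RE = re.compile(r"^/portal/v3/(.+\.php)(/.*)$")     # path info required
OPTIONAL_RE = re.compile(r"^/portal/v3/(.+\.php)(/.*)?$")  # hypothetical variant


def script_filename(uri, template, location_re=POSTED_RE):
    """Return the expanded SCRIPT_FILENAME, or None if the location does not match."""
    m = location_re.search(uri)
    if m is None:
        return None
    value = template.replace("$document_root", DOCUMENT_ROOT)
    # An unset capture (optional group that did not participate) expands to "".
    return re.sub(r"\$(\d)", lambda c: m.group(int(c.group(1))) or "", value)


def fpm_verdict(path):
    """Apply the limit_extensions suffix test to the resolved script path."""
    if path is None:
        return "no match"
    if any(len(path) > len(e) and path.endswith(e) for e in LIMIT_EXTENSIONS):
        return "allowed"
    return "denied"


def audit(uris, template, location_re=POSTED_RE):
    """Return (uri, SCRIPT_FILENAME, verdict) rows for constructed request URIs."""
    rows = []
    for uri in uris:
        path = script_filename(uri, template, location_re)
        rows.append((uri, path, fpm_verdict(path)))
    return rows


if __name__ == "__main__":
    uris = ["/portal/v3/index.php", "/portal/v3/index.php/status"]  # constructed
    for regex in (POSTED_RE, OPTIONAL_RE):
        for template in ("$document_root$2", "$document_root/$1"):
            for row in audit(uris, template, regex):
                print(regex.pattern, template, *row, sep="  |  ")
```

In this model, `OPTIONAL_RE` with `$document_root$2` expands the plain request `/portal/v3/index.php` to `/Users/user/portal3`, the same path PHP-FPM reports in the log above, while `$document_root/$1` expands it to a path ending in `.php`.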
