

Apache ignores access control when using FastCGI - morphics
https://issues.apache.org/bugzilla/show_bug.cgi?id=56084

======
SwellJoe
That's not an accurate, or at least not a complete, statement. Apache ignores
file-based access control in this case, because Apache isn't handling the
files, your FastCGI server is. Access controls in a Location section work as
expected.

Perhaps it should be added to the FastCGI documentation in a very emphatic and
clear way? Maybe it should also default to no access without an explicit
declaration of what the user wants (though that would break people's
configurations, so would need to happen in a major revision).

------
fsniper
As pointed out in the 3rd comment
[https://issues.apache.org/bugzilla/show_bug.cgi?id=56084#c3](https://issues.apache.org/bugzilla/show_bug.cgi?id=56084#c3),
this is just a misconfiguration, not a bug.

    
    
      Hans 2014-01-29 04:31:41 UTC
    
      It's an Apache misconfiguration that's not pointed out very clearly.
    
      The following is the fix:
            <Location /fcgi-php-fpm>
                # here we prevent direct access to this Location url,
                # env=REDIRECT_STATUS will let us use this fcgi-bin url
                # only after an internal redirect (by Action upper)
                Order Deny,Allow
                Deny from all
                Allow from env=REDIRECT_STATUS
            </Location>
    
      It would be useful to point this out somewhere.
    
      The above restricts direct access, but not internal access via PHP-FPM sockets.

~~~
morphics
Absolutely, but it turns out to be a really common misconfiguration found in
default configs and tutorials. Definitely something to be aware of when
configuring FastCGI.
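
Added example, not part of the thread or the bug report: a small audit that finds every `Action` target in an Apache config and reports whether its `<Location>` block carries the restriction quoted in comment 3. The sample configs, the `php-fcgi` handler name and the verdict strings are constructed for illustration, and only the Apache 2.2-style `Deny`/`Allow` directives shown in the fix are recognised.

```python
import re

# Constructed sample configs (not from the bug report). The Action line and
# handler name are assumptions; the Location body follows the quoted fix.
WEAK_CONF = """
Action php-fcgi /fcgi-php-fpm
<Location /fcgi-php-fpm>
    Order Deny,Allow
    # Deny from all
    Allow from env=REDIRECT_STATUS
</Location>
"""

FIXED_CONF = """
Action php-fcgi /fcgi-php-fpm
<Location /fcgi-php-fpm>
    Order Deny,Allow
    Deny from all
    Allow from env=REDIRECT_STATUS
</Location>
"""

def strip_comments(conf):
    """Drop comment lines so a commented-out directive is never counted."""
    return "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))

def has_directive(body, pattern):
    """True if the directive appears on a line of its own in the block body."""
    return re.search(r"^\s*" + pattern + r"\s*$", body, re.M | re.I) is not None

def audit_fastcgi_locations(conf):
    """Return {url_path: verdict} for every Action target in the config."""
    conf = strip_comments(conf)
    targets = re.findall(r"^\s*Action\s+\S+\s+(\S+)", conf, re.M | re.I)
    blocks = {m.group(1).strip('"'): m.group(2) for m in re.finditer(
        r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", conf, re.S | re.I)}
    result = {}
    for path in (t.strip('"') for t in targets):
        body = blocks.get(path)
        if body is None:
            result[path] = "no-location-block"
            continue
        # Restricted only if everything is denied except internal redirects.
        ok = (has_directive(body, r"Deny\s+from\s+all")
              and has_directive(body, r"Allow\s+from\s+env=REDIRECT_STATUS")
              and not has_directive(body, r"Allow\s+from\s+all"))
        result[path] = "restricted" if ok else "direct-access-allowed"
    return result
```

The weak sample shows why comment lines are stripped first: with `Deny from all` commented out, `Order Deny,Allow` falls back to allowing the request.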

