Forbid access to PHP files

[BobbyEasland]

We have a node that has not only image files but also PHP. The node is a dedicated static file server (images, CSS, JS, etc) and need to forbid access to the PHP scripts.

We have tried the following:

• Removed all script handlers (server and VH levels) for PHP scripts
• Added false FCGI handlers (expected at least a 500 error)
• Added filter rule with status:403 using SecFilter
• Used FILES + deny in htaccess (ala Apache style)

These were tried in order and were not performed together. After each attempt the settings were reverted and server restarted.

No matter what was tried requests for PHP scripts always returned a 200 status and download prompt.

Does anyone have any ideas?

Bobby

 

[mistwang]

First, you need to clear your browser's cache.

The easiest and probably the most efficient way is to add a rewrite rule at vhost level to blocked, should avoid using FILES in htaccess when possible. "SecFilter" is more expensive than a rewrite rule.

 

[BobbyEasland]

We are using a base user account on the primary web node (internally called node1) which is pushed across the cluster with rsync at regular intervals via CRON. The image nodes are included in the nodes list. The result is that the same htaccess is used on all nodes including web. If I put a rewrite rule in the htaccess file locally it'll be overwritten at the next rsync. If I put it globabally it'll disable the entire cluster.

Is it possible to use both htaccess (filesystem) rewrite rules and also VH rewrite rules?

Bobby

 

[mistwang]

Yes, you can do both, VH rewrite rules is more efficient.

I think there is a better choice for your needs. On the image node, you can set "Enable Scripts/ExtApps" to "no", this option is stored in the server configuration file, so you can use different a value for your image node and content node and have your vhost configured exactly the same way.
You need to add the script handler configuration back.