If you are attempting to get files with a .html extension parsed as PHP with Nginx + php-fpm, you might get an “access denied” error in your browser, and the error message “Access to the script ‘…’ has been denied (see security.limit_extensions)” in your Nginx error log. This post shows how to allow html files to be parsed successfully as PHP with Nginx + php-fpm.
Nginx configuration block
Your Nginx configuration block will look something like this to parse HTM files as PHP:
server {
... configuration options ...
location ~ .html$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
... etc etc ...
}
}
Error message
And yet when you access e.g. somefile.html you get “Access denied” in the browser.
You check the Nginx error log and see this:
2015/04/25 07:38:28 [error] 5942#0: *108814 FastCGI sent in stderr: “Access to the script ‘/path/to/somefile.html’ has been denied (see security.limit_extensions)” while reading response header from upstream, client: 192.168.1.54, server: www.example.com, request: “GET / HTTP/1.1”, upstream: “fastcgi://unix:/var/run/php5-fpm.sock:”, host: “www.example.com”
The fix needed is suggested in the error message: “see security.limit_extensions”
Set security.limit_extensions
On Debian 7 Wheezy, the configuration file to edit this setting is at /etc/php5/fpm/pool.d/www.conf; on other distributions it may be in a different place.
Then search for security.limit_extensions. It should look something like this in the file by default:
; Limits the extensions of the main script FPM will allow to parse. This can ; prevent configuration mistakes on the web server side. You should only limit ; FPM to .php extensions to prevent malicious users to use other extensions to ; exectute php code. ; Note: set an empty value to allow all extensions. ; Default Value: .php ;security.limit_extensions = .php .php3 .php4 .php5
If the security.limit_extensions has been set already, then add .html to it; if it hasn’t then add it in with all the extensions you need to allow, e.g.:
security.limit_extensions = .php .html
Is it safe to do this?
When enabling this myself, my first thought was “Is this safe” and “Can a regular HTML file suddenly be parsed as PHP” and then obviously “Will this cause security issues with any WordPress blogs installed on my server?”
As far as I can tell, it shouldn’t cause any issues, because you still have to allow .html files to be parsed through php-fpm in the Nginx config. If you haven’t done that, then they won’t.
If I am wrong, please add a comment below.
