• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
The Electric Toolbox Blog

The Electric Toolbox Blog

Linux, Apache, Nginx, MySQL, Javascript and PHP articles

  • Applications
  • FCKEditor
  • Apache
  • Windows
  • Contact Us
Home / Fix “access denied” error when parsing HTML as PHP with Nginx

Fix “access denied” error when parsing HTML as PHP with Nginx

If you are attempting to get files with a .html extension parsed as PHP with Nginx + php-fpm, you might get an “access denied” error in your browser, and the error message “Access to the script ‘…’ has been denied (see security.limit_extensions)” in your Nginx error log. This post shows how to allow html files to be parsed successfully as PHP with Nginx + php-fpm.

Nginx configuration block

Your Nginx configuration block will look something like this to parse HTM files as PHP:

server {
  ... configuration options ...
  location ~ .html$ {
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_param	QUERY_STRING		$query_string;
    fastcgi_param	REQUEST_METHOD		$request_method;
    fastcgi_param	CONTENT_TYPE		$content_type;
    fastcgi_param	CONTENT_LENGTH		$content_length;
    ... etc etc ...
  }
}

Error message

And yet when you access e.g. somefile.html you get “Access denied” in the browser.

You check the Nginx error log and see this:

2015/04/25 07:38:28 [error] 5942#0: *108814 FastCGI sent in stderr: “Access to the script ‘/path/to/somefile.html’ has been denied (see security.limit_extensions)” while reading response header from upstream, client: 192.168.1.54, server: www.example.com, request: “GET / HTTP/1.1”, upstream: “fastcgi://unix:/var/run/php5-fpm.sock:”, host: “www.example.com”

The fix needed is suggested in the error message: “see security.limit_extensions”

Set security.limit_extensions

On Debian 7 Wheezy, the configuration file to edit this setting is at /etc/php5/fpm/pool.d/www.conf; on other distributions it may be in a different place.

Then search for security.limit_extensions. It should look something like this in the file by default:

; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; exectute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5

If the security.limit_extensions has been set already, then add .html to it; if it hasn’t then add it in with all the extensions you need to allow, e.g.:

security.limit_extensions = .php .html

Is it safe to do this?

When enabling this myself, my first thought was “Is this safe” and “Can a regular HTML file suddenly be parsed as PHP” and then obviously “Will this cause security issues with any WordPress blogs installed on my server?”

As far as I can tell, it shouldn’t cause any issues, because you still have to allow .html files to be parsed through php-fpm in the Nginx config. If you haven’t done that, then they won’t.

If I am wrong, please add a comment below.

Check Out These Related posts:

  1. Install PHP without Apache on Debian
  2. 502 Bad Gateway error after upgrading Nginx and/or PHP
  3. PHP upload_max_filesize and nginx
  4. RFC 1321 – MD5 Message-Digest Algorithm

Filed Under: Nginx Web Server, PHP

Primary Sidebar

Categories

  • Apache
  • Applications
  • Article
  • Case Studies
  • Email Servers
  • FCKEditor
  • HTML And CSS
  • Javascript
  • Linux/Unix/BSD
  • Microsoft SQL Server
  • Miscellaneous Postings
  • MySql
  • Networking
  • Nginx Web Server
  • Offsite Articles
  • OSX
  • PHP
  • Quick Tips
  • RFC – Request for Comments
  • SilverStripe
  • VMWare
  • VPN
  • Windows
  • WordPress

Recent Posts

  • Vim Show Line Numbers
  • Add User To Group Linux
  • Chmod 777 Tutorial
  • How to Copy Directory Linux
  • Linux create user

Copyright © 2021. ElectricToolBox. All Rights Reserved.

  • Contact Us
  • Copyright Info
  • Privacy Policy
  • Sitemap