Morgin
Posted March 27, 2017

Hi all,

I've been screwing around with moving from Apache prefork w/ mod_php to event w/ proxy_fcgi and php7-fpm. My server is running Ubuntu 16.04 LTS. Couple issues I could use some advice with:

http://www.geoffstratton.com/ubuntu-1604-web-server-apache-php-and-mysql this guide suggests that "if you install Apache and PHP-FPM simultaneously, Apache will be configured to use Event as its multi-processing module". I've found this to be true on a clean install; however, the server I want to upgrade already has Apache 2.4 installed with prefork and mod_php. Is there a clean way to switch over? The only guide I can find is https://www.digitalocean.com/community/questions/lamp-on-ubuntu-14-04-with-apache-event-mpm but it's for php5 and Ubuntu 14.04. Not sure if anything has changed - anyone done this who can give me a few pointers on whether this guide should largely still work? Otherwise, I assume it might just be easier to blow away the server and start from scratch with a DB backup.

A variety of guides I was following (the one posted above, as well as https://www.howtoforge.com/tutorial/apache-with-php-fpm-on-ubuntu-16-04/ and some others) all recommend a method of actually having Apache use FastCGI by including "ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/" in your virtualhost (revised to match proper directory of course). However, I note a few other people flag security and other practical issues with that approach, as noted at https://ma.ttias.be/apache-2-4-proxypass-for-php-taking-precedence-over-filesfilesmatch-in-htaccess/ and https://wiki.apache.org/httpd/PHP-FPM (caveats section at the bottom). Basically, it's dumb to pass blanket PHP requests to php-fpm that haven't been scrubbed is what I take from the cautions.
This site https://serversforhackers.com/video/apache-and-php-fpm suggests doing it as follows in a VHOST (again, references php5 vs php7, and I can't find anything more recent):

    <FilesMatch \.php$>
        # 2.4.10+ can proxy to unix socket
        SetHandler "proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost/"
        # Else we can just use a tcp socket:
        # SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>

Which seems maybe better, subject to the below?

@Makoto has an excellent blurb in respect of php-fpm processing in the nginx guide, which I note reads as follows:

Quote

> "Rewrite" rules and named location blocks
>
> Quite often, when looking up guides or examples for Nginx PHP configurations online, you'll see examples that simply pass every request ending with .php to FastCGI/PHP-FPM and be done with it. Don't do this, it is really a bad way to configure your server. Most prominently because it opens the potential for a serious security vulnerability, and while modern releases of PHP-FPM protect against this vulnerability by default, it only exists as a protection for misconfigured web servers. You shouldn't rely on it.
>
> By taking full advantage of Nginx's named location blocks and try_files processing, we are able to provide a clean and elegant configuration layout that is both secure and fast. In order to really understand how everything here works in detail, you'll need to dig into Nginx's documentation and familiarize yourself with how the location and try_files configuration directives work.

My read of the Apache PHP-FPM guides is that they are largely guilty of the same thing (especially the recommendation to use ProxyPassMatch, which seems to offer no security against a malicious file upload, as an example).

Does anyone have a comparable Apache config excerpt to do controlled passing of PHP requests to PHP-FPM?
Morgin (Author)
Posted March 27, 2017

For anyone finding this in the future, I've also cross-posted http://serverfault.com/questions/840887/cgi-fix-pathinfo-apache-2-4-php7-php-fpm in case the answer ends up there.

Since I want to use friendly URLs, I need to be able to utilize rewrite as well. I've found this post http://serverfault.com/questions/553899/forwarding-php-requests-via-proxypassmatch-as-a-handler-or-only-when-file-exist?rq=1 that suggests ways with Apache 2.2 to do it. I am going to mess with this and see if I can come up with a solution myself as well.
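The contrast the thread is asking about, as an added example that is not part of the original posts: a small config audit that labels each directive handing requests to PHP-FPM by how it is scoped. The `GUARDED` fragment uses Apache 2.4's `<If>` section with the `-f` file test as one way to do a "controlled" handoff; it, the `audit` function and its labels are assumptions made for illustration, not a configuration anyone in the thread posted.

```python
import re

# Constructed vhost fragments; socket path and docroot reuse the values quoted in the post.
BLANKET = r'''
<VirtualHost *:80>
    DocumentRoot /var/www/html
    ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/run/php/php7.0-fpm.sock|fcgi://localhost/var/www/html/
</VirtualHost>
'''
GUARDED = r'''
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <FilesMatch "\.php$">
        <If "-f %{REQUEST_FILENAME}">
            SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost"
        </If>
    </FilesMatch>
</VirtualHost>
'''

def audit(conf):
    """Return [(line_no, label)] for every directive that hands requests to FPM."""
    findings, stack = [], []          # stack holds the enclosing <Section args> blocks
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if re.match(r'</\w+', line):              # closing tag leaves a section
            if stack:
                stack.pop()
            continue
        m = re.match(r'<(\w+)\s*(.*?)>$', line)   # opening tag enters a section
        if m:
            stack.append((m.group(1).lower(), m.group(2)))
            continue
        low = line.lower()
        if 'fcgi://' not in low:
            continue
        if low.startswith('proxypassmatch'):
            # The decision is made on the URL path alone.
            findings.append((no, 'blanket-url-regex'))
        elif low.startswith('sethandler'):
            scoped = any(n in ('files', 'filesmatch') for n, _ in stack)
            exists = any(n == 'if' and '-f ' in a for n, a in stack)
            label = 'unscoped-handler' if not scoped else (
                'files-scoped+exists' if exists else 'files-scoped')
            findings.append((no, label))
    return findings

if __name__ == '__main__':
    for name, conf in (('BLANKET', BLANKET), ('GUARDED', GUARDED)):
        print(name, audit(conf))
```

Run against the `FilesMatch` snippet quoted in the first post, the same function reports `files-scoped`: the handler is tied to the mapped filename, but nothing checks that the file exists before the request goes to FPM.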
Archived
This topic is now archived and is closed to further replies.