How to prevent Apache from running PHP in a given directory

Tags: apache-2.4, php-fpm

I use and need php_fpm7.0 on Debian 9 (stretch) with Apache 2.4.25.
DocumentRoot is /var/www/html and works well: PHP is enabled, scripts are executed, etc. Now I also want to serve the same directory tree as a filesystem via the Apache dav_fs module.

To do this:

  1. /var/www/webdav is a symlink to /var/www/html, so I can refer to the same directory by 2 different names in the Apache config file, and so create 2 distinct configurations based on the access name.
  2. I access WebDAV with the /webdav URL. Inside the Apache config, /webdav is an alias that points to /var/www/webdav. Now I only need to set up the <Directory /var/www/webdav> section and everything should be good.

So far, it almost works: I can get and put files, create directories, rename files, etc. with WebDAV, but PHP files continue to be executed when I GET them via the webdav alias. So if I want to edit a .php file, I get the result of the script in my editor, which is useless.

My settings so far:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html>
        AllowOverride All
        require all granted
        Options Indexes FollowSymLinks MultiViews
    </Directory>

    Alias /webdav /var/www/webdav
    <Directory /var/www/webdav>
        SetHandler none
        Options -ExecCGI -FollowSymLinks -Includes -Indexes -MultiViews
        AddType text/plain php php3 php4 php5 php7 php8 pht phtml phps
        AllowOverride None
        DAV On
        <ifmodule mod_dir.c>
            DirectoryIndex disabled
        </ifmodule>
        <ifmodule mod_rewrite.c>
            RewriteEngine Off
        </ifmodule>
        # need to be able to edit .htaccess files.
        <Files ~ "^\.ht">
            require all granted
        </Files>
    </Directory>
</VirtualHost>

What is the correct way to prevent PHP execution in the /var/www/webdav directory?

Edit and Solution

Since Debian uses SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost" in /etc/apache2/conf-available/php7.0-fpm.conf, I have to use SetHandler none. But in the <Directory> section, this is too late; it must be used in <Location>, which is interpreted early enough. I also included ProxyPass ! as @exussum suggests (should it be placed in <Location>?). It is useless in this precise case, but a proxy is certainly unwanted here anyway.

Also note that I had to put the authentication/authorization in <Directory>. It worked in <Location>, but only the CLI cadaver client could access the WebDAV collection. When authentication/authorization is in <Directory>, the Nautilus file manager could access the files.

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/html>
        AllowOverride All
        require all granted
        Options Indexes FollowSymLinks MultiViews
    </Directory>

    Alias /webdav /var/www/webdav
    <Location /webdav>
        <IfModule mod_proxy.c>
            ProxyPass !
        </IfModule>
        SetHandler none
        AddType text/plain php php3 php4 php5 php7 php8 pht phtml phps
    </Location>
    <Directory /var/www/webdav>
        AuthName "Restricted Area"
        AuthType Basic
        AuthUserFile    "/etc/apache2/user-password"
        require valid-user
        Options -ExecCGI -FollowSymLinks -Includes -Indexes -MultiViews
        AllowOverride None
        DAV On
        <ifmodule mod_dir.c>
            DirectoryIndex disabled
        </ifmodule>
        <ifmodule mod_rewrite.c>
            RewriteEngine Off
        </ifmodule>
        # need to be able to edit .htaccess files.
        <Files ~ "^\.ht">
            require all granted
        </Files>
    </Directory>
</VirtualHost>
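
A small static check for the misconfiguration described in this question, added here as an example and not part of the original post: it flags any `DAV On` directory whose URL prefix has no `<Location>` section carrying `SetHandler none`. The names `unprotected_dav_urls` and `has` are hypothetical, the two sample configs are constructed from the vhosts above, and the check assumes the `Alias` plus `<Directory>`/`<Location>` layout used here (it does not follow `Include`d files).

```python
import re

# Constructed samples, shortened from the two vhost configs in the question.
BEFORE = """
Alias /webdav /var/www/webdav
<Directory /var/www/webdav>
    SetHandler none
    DAV On
</Directory>
"""
AFTER = """
Alias /webdav /var/www/webdav
<Location /webdav>
    SetHandler none
</Location>
<Directory /var/www/webdav>
    DAV On
    <Files ~ "^\\.ht">
        require all granted
    </Files>
</Directory>
"""

SECTION = re.compile(r'<(Directory|Location)\s+"?([^">\s]+)"?\s*>(.*?)</\1\s*>', re.I | re.S)
ALIAS = re.compile(r'^\s*Alias\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I | re.M)

def has(directive, body):
    """True if `directive` (a regex) starts a non-comment line of `body`."""
    return re.search(r'^\s*' + directive + r'\b', body, re.I | re.M) is not None

def unprotected_dav_urls(conf):
    """URL prefixes that map to a 'DAV On' directory but have no
    <Location> section carrying 'SetHandler none'."""
    url_for = {fs.rstrip('/'): url.rstrip('/') for url, fs in ALIAS.findall(conf)}
    dav_dirs, safe_locations = [], set()
    for kind, path, body in SECTION.findall(conf):
        path = path.rstrip('/')
        if kind.lower() == 'directory' and has(r'DAV\s+On', body):
            dav_dirs.append(path)
        elif kind.lower() == 'location' and has(r'SetHandler\s+none', body):
            safe_locations.add(path)
    # A directory with no Alias is reported by its filesystem path.
    return [url_for.get(d, d) for d in dav_dirs if url_for.get(d) not in safe_locations]

if __name__ == "__main__":
    print("before:", unprotected_dav_urls(BEFORE))
    print("after: ", unprotected_dav_urls(AFTER))
```

A clean result from this check is only a first pass; fetching a .php file through the /webdav URL and confirming that the source comes back is still the real test.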

Best Answer

As you're using FPM, you need to send the request to FPM at some point.

Usually it's like this:

ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/path/to/socket.sock

or similar (see https://wiki.apache.org/httpd/PHP-FPM for other options).

You need the files to not hit this; have your Directory block use ProxyPass ! to stop them being passed over.