
I just upgraded my apache2 server on Debian 9.13 Stretch to start using HTTP/2. As far as I'm concerned, that requires switching from mod_php to PHP-FPM.

The problem is that PHP-FPM does not obey certain apache directives from .htaccess. For instance, I've been using php_value upload_max_filesize 900M in an .htaccess file at the upload directory, to increase the filesize and other related parameters like max_execution_time and post_max_size at a finer grain than using the global php.ini file.

These are some of the alternatives I already tried:

  1. Using the PHP ini_set() method: post_max_size and upload_max_filesize are used before my script is started.
  2. Using .user.ini override files: less than ideal, since it would require restricting the upload of .ini files in every single place that allows uploading stuff (I can use a <Files> filter to disable read access, but not uploading).
  3. Renaming the .user.ini file to SOME_SCRAMBLED_TEST.ini and adding a Require all denied to such files: dangerous, since a single php scandir at the wrong place may reveal my secured-by-obscurity config.
  4. Changing it in the php.ini script: would take this as the last option; I prefer to have a rather high upload size than allowing users to upload a .user.ini file that screws my server.

Is there any other alternative to use HTTP/2 and have a secure server that allows uploads?

1 Answer

After two days of work, I managed to have this running.

First, forbid the dangerous .user.ini default of reading it in every single directory:

# an empty user_ini filename disables its usage.
user_ini.filename =

Then, enable it only for the desired directory in the apache2.conf file located in /etc/apache2 (and disable reading those). We can do this by using SetEnv with a Directory filter:

<Directory /path/to/upload/directory>
        SetEnv PHP_VALUE "user_ini.filename = .user.ini"
        <Files ".user.ini">
                Require all denied
        </Files>
</Directory>

Then, at the /path/to/upload/directory, create a .user.ini file with your required configuration:

post_max_size = 2048M
upload_max_filesize = 2048M
max_execution_time = 10
max_input_time = 10

This way you can have a per-directory .user.ini without enabling it for the whole server.
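A small sanity checker for a .user.ini like the one above, added here as an example and not part of the original answer: it reproduces PHP's shorthand size parsing (the "last character is the multiplier" rule, so 900M and 2048M come out in bytes) and flags the consistency rules the PHP manual documents for uploads (upload_max_filesize must not exceed post_max_size, and memory_limit should not be below post_max_size). The two ini texts are constructed sample input.

```python
import re

# php.ini shorthand sizes ("900M", "2G", "512k"): PHP reads the leading integer
# and treats the final character as the multiplier; anything else means bytes.
_MULT = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# The .user.ini from the answer above (constructed copy for this example).
PAGE_USER_INI = """post_max_size = 2048M
upload_max_filesize = 2048M
max_execution_time = 10
max_input_time = 10
"""

# Constructed counter-example with limits that do not fit together.
BAD_USER_INI = """; upload_max_filesize larger than post_max_size, memory_limit too small
post_max_size = 512M
upload_max_filesize = 900M
memory_limit = 256M
"""


def php_ini_bytes(value: str) -> int:
    """Convert a php.ini size string to bytes the way PHP's ini parser does."""
    value = value.strip()
    m = re.match(r"^(-?\d+)", value)
    if not m:
        raise ValueError(f"not a php.ini size: {value!r}")
    return int(m.group(1)) * _MULT.get(value[-1].lower(), 1)


def parse_user_ini(text: str) -> dict:
    """Parse 'key = value' lines of a .user.ini; ';' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            settings[key.strip()] = val.strip()
    return settings


def check_upload_limits(text: str) -> list:
    """Return findings for upload limits that PHP would silently cap or reject."""
    s = parse_user_ini(text)
    findings = []
    up = php_ini_bytes(s.get("upload_max_filesize", "2M"))  # PHP built-in defaults
    post = php_ini_bytes(s.get("post_max_size", "8M"))
    if up > post:
        findings.append("upload_max_filesize exceeds post_max_size; uploads are capped at post_max_size")
    if "memory_limit" in s:
        mem = php_ini_bytes(s["memory_limit"])
        if mem != -1 and mem < post:  # -1 means unlimited
            findings.append("memory_limit is below post_max_size")
    return findings
```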