I need help remembering what I did to allow Plesk to use .htaccess. I recently changed the PHP upload file size on a domain and suddenly my .htaccess directives stopped working. That means I "fixed" something, probably in httpd.conf, and stupidly didn't propagate the fix to a not-automatically-overwritten-by-Plesk file. (yup, idiot....)

My .htaccess file has a series of entries like the one shown below. That's all it has in it. The purpose is to allow me to have example.com/command execute a file command as if it were command.php. I've been doing this for decades. If you'll forgive me, if your answer is anything along the lines of "don't do that...", please refrain. Thanks.

.htaccess

<Files support>
    SetHandler proxy:unix:///var/www/vhosts/system/example.com/php-fpm.sock|fcgi://127.0.0.1:9000
</Files>

I've tried posting those entries per Plesk's instructions into the Apache "additional directives" field (creating the vhosts.conf file, I did reconfigure so it was properly included) to no avail.

httpd.conf

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
#IF YOU REQUIRE TO APPLY CUSTOM MODIFICATIONS, PERFORM THEM IN THE FOLLOWING FILES:
#/var/www/vhosts/system/example.com/conf/vhost.conf
#/var/www/vhosts/system/example.com/conf/vhost_ssl.conf
<IfModule mod_ssl.c>

    <VirtualHost 216.55.178.166:7081 >
            ServerName "example.com:443"
            ServerAlias "www.example.com"
            ServerAlias "ipv4.example.com"
            ServerAdmin "me@me.org"
            UseCanonicalName Off

            DocumentRoot "/var/www/vhosts/example.com/web"
            CustomLog /var/www/vhosts/system/example.com/logs/access_ssl_log plesklog
            ErrorLog "/var/www/vhosts/system/example.com/logs/error_log"

            <IfModule mod_suexec.c>
                    SuexecUserGroup "me_phelps" "psacln"
            </IfModule>

            <IfModule mod_userdir.c>

                    UserDir "/var/www/vhosts/example.com/web_users/*"
            </IfModule>

            <IfModule mod_sysenv.c>
                    SetSysEnv PP_VHOST_ID "199da76e-b413-4968-8251-301b780838f1"
            </IfModule>

            ScriptAlias "/cgi-bin/" "/var/www/vhosts/example.com/web/cgi-bin/"

            Alias "/plesk-stat" "/var/www/vhosts/system/example.com/statistics"
            <Location  /plesk-stat/>
                    Options +Indexes
            </Location>
            <Location  /plesk-stat/logs/>
                    Require valid-user
            </Location>
            Alias /webstat /var/www/vhosts/system/example.com/statistics/webstat
            Alias /webstat-ssl /var/www/vhosts/system/example.com/statistics/webstat-ssl
            Alias /ftpstat /var/www/vhosts/system/example.com/statistics/ftpstat
            Alias /anon_ftpstat /var/www/vhosts/system/example.com/statistics/anon_ftpstat
            Alias /awstats-icon /var/www/html/awstats/icon

            SSLEngine on
            SSLVerifyClient none
            SSLCertificateFile /usr/local/psa/var/certificates/certW5TKkGV

            <Directory /var/www/vhosts/example.com/web>

                    <IfModule mod_fcgid.c>
                            <Files ~ (\.fcgi$)>
                                    SetHandler fcgid-script
                                    Options +ExecCGI
                            </Files>
                    </IfModule>
                    <IfModule mod_proxy_fcgi.c>
                            <Files ~ (\.php$)>
                                    SetHandler proxy:unix:///var/www/vhosts/system/example.com/php-fpm.sock|fcgi://127.0.0.1:9000
                            </Files>
                    </IfModule>

                    SSLRequireSSL

                    Options -Includes +ExecCGI
            </Directory>

            <Directory "/var/www/vhosts/system/example.com/statistics">
                    AuthType Basic
                    AuthName "Domain statistics"
                    AuthUserFile "/var/www/vhosts/system/example.com/pd/d..httpdocs@plesk-stat"
                    require valid-user
            </Directory>

            Alias /error_docs /var/www/vhosts/example.com/error_docs
            ErrorDocument 400 /error_docs/bad_request.html
            ErrorDocument 401 /error_docs/unauthorized.html
            ErrorDocument 403 /error_docs/forbidden.html
            ErrorDocument 404 /error_docs/not_found.html
            ErrorDocument 500 /error_docs/internal_server_error.html
            ErrorDocument 405 /error_docs/method_not_allowed.html
            ErrorDocument 406 /error_docs/not_acceptable.html
            ErrorDocument 407 /error_docs/proxy_authentication_required.html
            ErrorDocument 412 /error_docs/precondition_failed.html
            ErrorDocument 414 /error_docs/request_uri_too_long.html
            ErrorDocument 415 /error_docs/unsupported_media_type.html
            ErrorDocument 501 /error_docs/not_implemented.html
            ErrorDocument 502 /error_docs/bad_gateway.html
            ErrorDocument 503 /error_docs/maintenance.html

            DirectoryIndex "index.html" "index.cgi" "index.pl" "index.php" "index.xhtml" "index.htm" "index.shtml"

            Include "/var/www/vhosts/system/example.com/conf/vhost_ssl.conf"

            <Directory /var/www/vhosts/example.com>
                    AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,SymLinksIfOwnerMatch,MultiViews,FollowSymLinks,ExecCGI,Includes,IncludesNOEXEC
            </Directory>

    </VirtualHost>

</IfModule>

<VirtualHost 216.55.178.166:7080 >
    ServerName "example.com:80"
    ServerAlias "www.example.com"
    ServerAlias "ipv4.example.com"
    ServerAdmin "me@me.org"
    UseCanonicalName Off

    DocumentRoot "/var/www/vhosts/example.com/web"
    CustomLog /var/www/vhosts/system/example.com/logs/access_log plesklog
    ErrorLog "/var/www/vhosts/system/example.com/logs/error_log"

    <IfModule mod_suexec.c>
            SuexecUserGroup "me_phelps" "psacln"
    </IfModule>

    <IfModule mod_userdir.c>

            UserDir "/var/www/vhosts/example.com/web_users/*"
    </IfModule>

    <IfModule mod_sysenv.c>
            SetSysEnv PP_VHOST_ID "199da76e-b413-4968-8251-301b780838f1"
    </IfModule>

    ScriptAlias "/cgi-bin/" "/var/www/vhosts/example.com/web/cgi-bin/"

    Redirect permanent /plesk-stat https://example.com/plesk-stat
    Redirect permanent /webstat https://example.com/webstat
    Redirect permanent /webstat-ssl https://example.com/webstat-ssl
    Redirect permanent /ftpstat https://example.com/ftpstat
    Redirect permanent /anon_ftpstat https://example.com/anon_ftpstat
    Redirect permanent /awstats-icon https://example.com/awstats-icon

    <IfModule mod_ssl.c>
            SSLEngine off
    </IfModule>

    <Directory /var/www/vhosts/example.com/web>

            <IfModule mod_fcgid.c>
                    <Files ~ (\.fcgi$)>
                            SetHandler fcgid-script
                            Options +ExecCGI
                    </Files>
            </IfModule>
            <IfModule mod_proxy_fcgi.c>
                    <Files ~ (\.php$)>
                            SetHandler proxy:unix:///var/www/vhosts/system/example.com/php-fpm.sock|fcgi://127.0.0.1:9000
                    </Files>
            </IfModule>

            Options -Includes +ExecCGI

    </Directory>

    <Directory "/var/www/vhosts/system/example.com/statistics">
            AuthType Basic
            AuthName "Domain statistics"
            AuthUserFile "/var/www/vhosts/system/example.com/pd/d..httpdocs@plesk-stat"
            require valid-user
    </Directory>

    Alias /error_docs /var/www/vhosts/example.com/error_docs
    ErrorDocument 400 /error_docs/bad_request.html
    ErrorDocument 401 /error_docs/unauthorized.html
    ErrorDocument 403 /error_docs/forbidden.html
    ErrorDocument 404 /error_docs/not_found.html
    ErrorDocument 500 /error_docs/internal_server_error.html
    ErrorDocument 405 /error_docs/method_not_allowed.html
    ErrorDocument 406 /error_docs/not_acceptable.html
    ErrorDocument 407 /error_docs/proxy_authentication_required.html
    ErrorDocument 412 /error_docs/precondition_failed.html
    ErrorDocument 414 /error_docs/request_uri_too_long.html
    ErrorDocument 415 /error_docs/unsupported_media_type.html
    ErrorDocument 501 /error_docs/not_implemented.html
    ErrorDocument 502 /error_docs/bad_gateway.html
    ErrorDocument 503 /error_docs/maintenance.html

    DirectoryIndex "index.html" "index.cgi" "index.pl" "index.php" "index.xhtml" "index.htm" "index.shtml"

    Include "/var/www/vhosts/system/example.com/conf/vhost.conf"

    <Directory /var/www/vhosts/example.com>
            AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,SymLinksIfOwnerMatch,MultiViews,FollowSymLinks,ExecCGI,Includes,IncludesNOEXEC
    </Directory>

</VirtualHost>

I thought about changing AllowOverride to All, but using the vhost.conf file should have worked even without it, shouldn't it? The vhost.conf file is a perfectly suitable solution for me, as would getting my beloved .htaccess capabilities back (despite the performance hit). But for now, trying to execute example.com/support nets me an Access Prohibited error. When I look at my error files, I find...

example.com/logs/error_log

[proxy_fcgi:error] [pid 19834] [client 67.161.220.240:48094] AH01071: Got error 'Access to the script '/var/www/vhosts/example.com/web/support' has been denied (see security.limit_extensions)\n'

Note that I have tried setting security.limit_extensions = to blank, but that's not working, either. I understand the security limitations, but I work on my own server, so I'm willing to take the risk.

example.com/log/proxy_error_log (nginx)

[error] 27192#0: *115850 connect() failed (111: Connection refused) while connecting to upstream, client: 46.17.42.140, server: exammple.com, request: "POST /support/contact_us HTTP/1.1", upstream: "http://1.1.1.1:7080/support/contact_us", host: "example.com"

And, for the sake of being thorough, the nginx config file.

nginx.conf

#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

server {
    listen 216.55.178.166:443 ssl;

    server_name example.com;
    server_name www.example.com;
    server_name ipv4.example.com;

    ssl_certificate             /usr/local/psa/var/certificates/certW5TKkGV;
    ssl_certificate_key         /usr/local/psa/var/certificates/certW5TKkGV;

    client_max_body_size 128m;

    root "/var/www/vhosts/example.com/web";
    access_log "/var/www/vhosts/system/example.com/logs/proxy_access_ssl_log";
    error_log "/var/www/vhosts/system/example.com/logs/proxy_error_log";

    location / {
            proxy_pass https://216.55.178.166:7081;
            proxy_set_header Host             $host;
            proxy_set_header X-Real-IP        $remote_addr;
            proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header X-Accel-Internal /internal-nginx-static-location;
            access_log off;
    }

    location /internal-nginx-static-location/ {
            alias /var/www/vhosts/example.com/web/;
            internal;
    }

    location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
            proxy_pass https://216.55.178.166:7081;
            proxy_set_header Host             $host;
            proxy_set_header X-Real-IP        $remote_addr;
            proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header X-Accel-Internal /internal-nginx-static-location;
            access_log off;
    }

    add_header X-Powered-By PleskLin;

}

server {
    listen 216.55.178.166:80;

    server_name example.com;
    server_name www.example.com;
    server_name ipv4.example.com;

    client_max_body_size 128m;

    root "/var/www/vhosts/example.com/web";
    access_log "/var/www/vhosts/system/example.com/logs/proxy_access_log";
    error_log "/var/www/vhosts/system/example.com/logs/proxy_error_log";

    location / {
            proxy_pass http://216.55.178.166:7080;
            proxy_set_header Host             $host;
            proxy_set_header X-Real-IP        $remote_addr;
            proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header X-Accel-Internal /internal-nginx-static-location;
            access_log off;
    }

    location /internal-nginx-static-location/ {
            alias /var/www/vhosts/example.com/web/;
            internal;
    }

    location ~ ^/(plesk-stat|awstats-icon|webstat|webstat-ssl|ftpstat|anon_ftpstat) {
            proxy_pass http://216.55.178.166:7080;
            proxy_set_header Host             $host;
            proxy_set_header X-Real-IP        $remote_addr;
            proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header X-Accel-Internal /internal-nginx-static-location;
            access_log off;
    }

    add_header X-Powered-By PleskLin;

}
JBH
  • Have you tried moving those directives to the server config instead of `.htaccess`? (`AllowOverride FileInfo` is sufficient for `SetHandler` to work in `.htaccess`.) – MrWhite Sep 05 '17 at 16:53
  • @MrWhite, I followed Plesk's recommendation to place them in a vhost.conf file, which is included by httpd.conf. It didn't work. I'd be ***thrilled*** for such a solution to work, I'm just at my wit's end why it isn't. – JBH Sep 05 '17 at 17:00

1 Answer

It is amazing how some things work and others don't in our complicated little world.

I did, indeed, need to add the following:

[php-fpm-pool-settings]
security.limit_extensions =

The problem was that Plesk's "additional directives" field under "PHP settings" for the domain apparently does nothing. Well, maybe it does something, but whatever it does, it didn't work.

I had to manually create a /var/www/vhosts/system/example.com/conf/php.ini file and add the two lines above to it. Then, I had to "apply" empty changes (it doesn't matter if anything actually changed or not) via Plesk's "PHP settings" page so that all the configurations were put together properly and the correct services restarted...

and then it worked.

I spent two days tracking this ugly bugaboo all because Plesk's "additional directives" field doesn't work as advertised.

Cheers, mates.

JBH
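An added example, not part of the original post or of Plesk: a small checker that pulls the scripts rejected with AH01071 out of an Apache error log and tests them against the pool's effective `security.limit_extensions`, which shows that an empty value accepts every file name handed to the pool, not only `support`. The sample log lines, the client addresses, the `.php` default and the whitespace/comma splitting are assumptions of this example.

```python
import re

# Assumption: allow-list used when the key is absent (consistent with the
# page's error, where an extensionless script is rejected).
DEFAULT_EXTS = [".php"]

# Constructed sample inputs, modelled on the snippets quoted on this page.
POOL_INI = """\
[php-fpm-pool-settings]
security.limit_extensions =
"""
ERROR_LOG = """\
[proxy_fcgi:error] [pid 19834] [client 192.0.2.10:48094] AH01071: Got error 'Access to the script '/var/www/vhosts/example.com/web/support' has been denied (see security.limit_extensions)\\n'
[proxy_fcgi:error] [pid 19835] [client 192.0.2.11:48100] AH01071: Got error 'Primary script unknown\\n'
"""

DENIED = re.compile(r"AH01071: .*?Access to the script '([^']+)' has been denied "
                    r"\(see security\.limit_extensions\)")

def effective_extensions(ini_text, default=DEFAULT_EXTS):
    """Return the allow-list; an empty list means every file name is accepted."""
    exts = list(default)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ini comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "security.limit_extensions":
            # Assumption: entries are separated by whitespace or commas.
            exts = re.split(r"[\s,]+", value.strip()) if value.strip() else []
    return exts

def is_allowed(script, exts):
    """Suffix match on the script path; an empty allow-list allows anything."""
    return not exts or any(script.endswith(e) for e in exts)

def denied_scripts(log_text):
    """Paths PHP-FPM refused because of security.limit_extensions."""
    return [m.group(1) for m in map(DENIED.search, log_text.splitlines()) if m]

def report(log_text, ini_text):
    """Map each previously denied script to whether the given settings accept it."""
    exts = effective_extensions(ini_text)
    return {p: is_allowed(p, exts) for p in denied_scripts(log_text)}

if __name__ == "__main__":
    for path, ok in report(ERROR_LOG, POOL_INI).items():
        print(path, "-> accepted by current pool settings" if ok else "-> still denied")
```

Because the empty allow-list matches any path, it is worth checking that nothing user-writable (an uploads directory, for instance) is also routed to the PHP-FPM handler by a `<Files>` or `<Directory>` block.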