
I'm trying to resurrect an old website without rewriting it (yet). The site depends on executing specific suffixless files (e.g., corporate) as PHP scripts. Originally (a long time ago), I used the following in a .htaccess file:

<Files corporate>
  SetHandler php-script
</Files>

Thus, http://my_site.com/corporate would execute the contents of corporate as a PHP script. It worked great, but that was a long time ago.

I'm trying to do this using Plesk version 18, PHP 7.1 operating Apache/Nginx (which doesn't use .htaccess) using a PHP FPM sock. What I expected would work was to add the following to the Apache directives in Plesk:

<Files "corporate">
  SetHandler proxy:unix:///run/plesk/php-fpm.sock|fcgi://127.0.0.1:9000
</Files>

It didn't work.

The file /run/plesk/php-fpm.sock exists, but it's a symbolic link that doesn't seem to point anywhere. (I humbly admit that I'm not well versed in how PHP FPM works.) I executed service plesk-php71-fpm status and was given the following:

Redirecting to /bin/systemctl status plesk-php71-fpm.service
● plesk-php71-fpm.service - The PHP 7.1.33 FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/plesk-php71-fpm.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/plesk-php71-fpm.service.d
           └─limit_nofile.conf
   Active: active (running) since Tue 2021-07-13 07:36:31 MST; 6h ago
  Process: 13239 ExecReload=/bin/kill -USR2 $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 879 (php-fpm)
   Status: "Processes active: 0, idle: 1, Requests: 292, slow: 0, Traffic: 0req/sec"
   CGroup: /system.slice/plesk-php71-fpm.service
           ├─  879 php-fpm: master process (/opt/plesk/php/7.1/etc/php-fpm.conf)
           └─13243 php-fpm: pool plesk-php71-fpm.plesk-service.localdomain

Jul 13 12:30:28 216-55-178-166.phx.dedicated.codero.com sendmail[28593]: plesk sendmail[28593]: SKIP during call 'check-quota' handler
Jul 13 12:41:09 216-55-178-166.phx.dedicated.codero.com check-quota[30562]: Starting the check-quota filter...
Jul 13 12:41:09 216-55-178-166.phx.dedicated.codero.com sendmail[30561]: plesk sendmail[30561]: handlers_stderr: SKIP
Jul 13 12:41:09 216-55-178-166.phx.dedicated.codero.com sendmail[30561]: plesk sendmail[30561]: SKIP during call 'check-quota' handler
Jul 13 13:21:28 216-55-178-166.phx.dedicated.codero.com check-quota[5502]: Starting the check-quota filter...
Jul 13 13:21:28 216-55-178-166.phx.dedicated.codero.com sendmail[5501]: plesk sendmail[5501]: handlers_stderr: SKIP
Jul 13 13:21:28 216-55-178-166.phx.dedicated.codero.com sendmail[5501]: plesk sendmail[5501]: SKIP during call 'check-quota' handler
Jul 13 13:37:01 216-55-178-166.phx.dedicated.codero.com check-quota[9506]: Starting the check-quota filter...
Jul 13 13:37:01 216-55-178-166.phx.dedicated.codero.com sendmail[9505]: plesk sendmail[9505]: handlers_stderr: SKIP
Jul 13 13:37:01 216-55-178-166.phx.dedicated.codero.com sendmail[9505]: plesk sendmail[9505]: SKIP during call 'check-quota' handler

Which seems to indicate FPM is running fine.

The site's error_log file says:

[Tue Jul 13 13:54:44.985803 2021] [cgid:error] [pid 13876:tid 140420794103552] [client 174.45.172.27:49322] End of script output before headers: cgi_wrapper

I can't find an explanation for what that means.

There's nothing in the FPM error files for the test site. My web browser simply reports an "internal server error." I'm currently using a test file for corporate that has these simple contents: <?php echo "This is a test."; ?>

Is there a way to configure Apache/Nginx to allow php-fpm to execute specific, suffixless files (e.g., corporate) as scripts?

nginx.conf


#user  nginx;
worker_processes  1;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /var/run/nginx.pid;

include /etc/nginx/modules.conf.d/*.conf;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    #tcp_nodelay        on;

    #gzip  on;
    #gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    server_tokens off;

    include /etc/nginx/conf.d/*.conf;
}

# override global parameters e.g. worker_rlimit_nofile
include /etc/nginx/*global_params;

nginx-rules

Timeout 600;
ProxyTimeout 600;
<IfModule mod_proxy_fcgi.c>
        <Directory /var/www/vhosts/my-site.com/web>
                <Files ~ .(?i:inc|html|htm)$>
                        SetHandler proxy:unix:///run/plesk/php-fpm.sock|fcgi://127.0.0.1:9000
                </Files>
                <Files "corporate">
                        SetHandler proxy:unix:///run/plesk/php-fpm.sock|fcgi://127.0.0.1:9000
                </Files>
                <Files ~ "(store|pchart\.png|returns)">
                        SetHandler proxy:unix:///run/plesk/php-fpm.sock|fcgi://127.0.0.1:9000
                </Files>
        </Directory>
</IfModule>
JBH
  • What webserver do you use? Apache or NGINX? – Timo Stark Jul 13 '21 at 22:05
  • @TimoStark According to Plesk, they're both in operation. I assume Nginx is running and/or primary since `.htaccess` is no longer useful. – JBH Jul 13 '21 at 22:11
  • Mhhh, it's hard without seeing the NGINX configuration... Is there a way of getting the loaded configuration to see what's going on inside NGINX and how NGINX handles the request? – Timo Stark Jul 13 '21 at 22:21
  • @TimoStark Added the nginx config and rules. – JBH Jul 13 '21 at 22:27

1 Answer


The techs at Plesk figured out what's going on

As I mentioned in my question, I am not an Nginx expert. It was my understanding that Nginx did not use the .htaccess file and, indeed, any changes I made to the file seemed to be ignored.

Right up until Plesk Obsidian V18, and while they didn't explain why this is happening, their solution does work. It should be noted that at this time I still don't know why the change from Plesk V17 to V18 caused this... only that it did. (For all I know something else was updated at the same time that caused this without it having anything to do with Plesk.)

As it turns out, the entry in the .htaccess file...

<Files corporate>
  SetHandler php-script
</Files>

...was still there. Its presence in the file created a conflicting rule condition that, for reasons I can't explain, caused useful error messages to not be printed.

Once that statement was commented out, the following error message appeared in the server error_log file:

[Tue Jul 13 20:36:02.986967 2021] [proxy_fcgi:error] [pid 5020:tid 140329181173504] [client 91.204.25.4:57246] AH01071: Got error 'Access to the script '/var/www/vhosts/my-site.com/web/corporate' has been denied (see security.limit_extensions)\n'

OK! I've never had to set security.limit_extensions before, which suggests that something about Apache or Nginx ignored the value when a file was explicitly defined using the <Files...></Files> directive. But, for whatever reason, that's not now the case. I had to clear the default value for the parameter in Plesk's PHP settings "Additional Directives" field:

[php-fpm-pool-settings]
security.limit_extensions =

And boom! Everything started working again.

As a final request (If someone could leave me a comment or direct me to more info), all I can find with a less-than-5-minute Google search concerning clearing the default value of security.limit_extensions is...

You should only limit FPM to .php extensions to prevent malicious users to use other extensions to execute php code. (Source)

What I can't find are any examples of how that would happen. Please note that I am the only person who logs onto this server (it's mine) other than Codero.com, who owns the hardware. I don't host sites for other people. Can anyone tell me if there's an actual risk to me using that parameter as shown?

JBH
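As an added example (not part of the original answer, and not Plesk's or PHP's code), the sketch below applies the `<Files>` rules from the question to a constructed list of file names and reports which ones PHP-FPM would run with `security.limit_extensions` cleared versus limited to `.php`. The extension check is a simplified ends-with model, and every file name is made up for illustration.

```python
import re
from fnmatch import fnmatchcase

# <Files> rules copied from the question's Apache directives.
# "~" rules are unanchored regexes on the file name; the plain rule is a wildcard match.
FILES_RULES = [
    ("regex", r".(?i:inc|html|htm)$"),
    ("glob", "corporate"),
    ("regex", r"(store|pchart\.png|returns)"),
]

# Constructed docroot listing: the intended scripts plus unrelated files.
SAMPLE = [
    "corporate", "store", "returns", "pchart.png", "db.inc", "readme.html",
    "zinc", "restore-notes.txt", "tax_returns_2020.pdf", "logo.png",
]


def sent_to_fpm(filename):
    """True if one of the <Files> rules above hands this file name to PHP-FPM."""
    for kind, pattern in FILES_RULES:
        if kind == "regex" and re.search(pattern, filename):
            return True
        if kind == "glob" and fnmatchcase(filename, pattern):
            return True
    return False


def fpm_accepts(filename, limit_extensions):
    """Simplified model (assumption): an empty list accepts every script,
    otherwise the name must end with one of the listed extensions."""
    if not limit_extensions:
        return True
    return any(filename.endswith(ext) for ext in limit_extensions)


def executed_as_php(filenames, limit_extensions):
    """File names that are both routed to FPM and accepted by it."""
    return [f for f in filenames
            if sent_to_fpm(f) and fpm_accepts(f, limit_extensions)]


if __name__ == "__main__":
    print("limit_extensions cleared:", executed_as_php(SAMPLE, []))
    print("limit_extensions = .php :", executed_as_php(SAMPLE, [".php"]))
```

Because the `~` rules are unanchored, names such as `restore-notes.txt` match as well; anchoring them (for example `^(store|returns)$`) or listing each file by exact name keeps the handler limited to the intended scripts once the extension check is cleared.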