I have an apache 2.4 configuration section that I use to handle the rare situation where a misconfigured apache box could serve php files as static plain text, and potentially give up credentials etc.

    <IfModule !mod_php5.c>
        <IfModule !mod_php7.c>
            <Files "*.php">
                Require all denied
            </Files>
        </IfModule>
    </IfModule>

Those directives check for whether the php module is present, and if it doesn't find either of them, it won't serve the pages.
However in the current build of httpd 2.4 for centos-8, php-fpm is the default method of configuring a handler for php, and it doesn't load any module for php:

    <IfModule !mod_php5.c>
        <IfModule !mod_php7.c>
            # Enable http authorization headers
            SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
            <FilesMatch \.(php|phar)$>
                SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
            </FilesMatch>
        </IfModule>
    </IfModule>

Unfortunately, the proxy_fcgi module is auto loaded by httpd so it's not useful as an indication of php-fpm being configured (or not):

    [root@web httpd]# rpm -q --whatprovides /usr/lib64/httpd/modules/mod_proxy_fcgi.so
    httpd-2.4.37-39.module_el8.4.0+778+c970deab.x86_64

According to the doc there is a HANDLER variable:

    HANDLER    The name of the handler creating the response

... which should return one of the in built handlers

    default-handler: Send the file using the default_handler(), which is the handler used by default to handle static content. (core)
    send-as-is: Send file with HTTP headers as is. (mod_asis)
    cgi-script: Treat the file as a CGI script. (mod_cgi)
    imap-file: Parse as an imagemap rule file. (mod_imagemap)
    server-info: Get the server's configuration information. (mod_info)
    server-status: Get the server's status report. (mod_status)
    type-map: Parse as a type map file for content negotiation. (mod_negotiation)

However, my attempts at matching against it are not successful, e.g. this is not working:

    <FilesMatch \.(php|phar)$>
        <If "%{HANDLER} == 'default-handler'">
            Require all denied
        </If>
    </FilesMatch>

Any suggestions appreciated.
Edit
I dumped the value of the variable %{HANDLER} both with php-fpm installed and without, like so:

    <IfModule headers_module>
        Header always set X-HANDLER "expr=%{HANDLER}"
    </IfModule>

and it returned the following headers:

    X-HANDLER: text/plain # no php-fpm
    X-HANDLER: proxy:unix:/run/php-fpm/www.sock|fcgi://localhost # with php-fpm

so I updated the test to this:

    <IfModule !mod_php5.c>
        <IfModule !mod_php7.c>
            <If "%{HANDLER} == 'text/plain'">
                <Files "*.php">
                    Require all denied
                </Files>
            </If>
        </IfModule>
    </IfModule>

However, that is not working either.
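
An added example, not part of the original post: a static audit in Python that decides, outside Apache, whether any effective handler covers `*.php` for a given set of loaded modules, so a deploy check can fail before PHP source is served as plain text. The function name `php_handler_active`, the simplified parsing (only `IfModule`, `Files`, `FilesMatch`, `SetHandler` and `AddHandler`, no `Include` expansion) and the way module names are passed in are assumptions.

```python
import fnmatch
import re

# Constructed sample: the php-fpm handler block quoted in the post above.
PHP_FPM_CONF = r"""
<IfModule !mod_php5.c>
<IfModule !mod_php7.c>
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
<FilesMatch \.(php|phar)$>
SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
</FilesMatch>
</IfModule>
</IfModule>
"""

def php_handler_active(conf_text, loaded_modules, probe="index.php"):
    """True if an effective SetHandler/AddHandler covers `probe` (hypothetical helper;
    loaded_modules uses the names written in <IfModule> tests; no Include expansion)."""
    stack = []  # per open section: (section is active, section matches probe)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"</\w+>$", line):
            del stack[-1:]  # close the innermost section, tolerate stray closers
            continue
        opened = re.match(r"<(\w+)\s*(.*?)>$", line)
        if opened:
            name, arg = opened.group(1).lower(), opened.group(2).strip().strip('"')
            active, covers = True, False
            if name == "ifmodule":
                active = (arg.lstrip("!") in loaded_modules) != arg.startswith("!")
            elif name == "filesmatch":
                covers = re.search(arg, probe) is not None
            elif name == "files":
                covers = fnmatch.fnmatch(probe, arg)
            stack.append((active, covers))
            continue
        if not all(active for active, _ in stack):
            continue  # inside an <IfModule> whose test is false
        words = line.split()
        directive = words[0].lower()
        if directive == "sethandler" and any(c for _, c in stack):
            if words[1].strip('"').lower() not in ("none", "default-handler"):
                return True
        ext = probe.rsplit(".", 1)[-1]
        if directive == "addhandler" and ext in [w.lstrip(".").lower() for w in words[2:]]:
            return True
    return False
```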