php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #74995 Control/set fastcgi parameters from pool config file.
Submitted: 2017-07-27 09:42 UTC Modified: -
From: email at davekok dot nl Assigned:
Status: Open Package: FPM related
PHP Version: Next Minor Version OS: all
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-07-27 09:42 UTC] email at davekok dot nl
Description:
------------
In the age of microservices, containers and front controllers, it would be useful to control/set fastcgi parameters not just in the webserver config but also in the pool config. Webservers will still need to push the basic stuff like the REQUEST_URI and other parameters. However for a pool that serves only one microservice which has one front controller, it would be useful to set the SCRIPT_FILENAME in the pool config. Both as a security feature, so if the webserver is compromised in anyway the microservice (assuming it is run else where) can not easily be fooled to do other stuff by changing the SCRIPT_FILENAME parameter. But also as a means to decouple webserver configuration as much as possible from the microservice configuration. The less the webserver needs to known about the microservices it proxies, the easier it is to config it.

And just in case it becomes a thing, prevent parameter injection by specifying which parameters fpm is allowed to load from the input. So if an attacker finds a way around the webserver or through the webserver the attack surface is as small as possible.

Expected result:
----------------
nginx:

upstream sales-service {
        server sales-service1.internal:7000 weight=5;
        server sales-service2.internal:7000 weight=5;
        server sales-service3.internal:7000 weight=5;
}

server {
        listen 443;
        server_name customer-portal.example;

        location ~ ^/api/sales-service(?<apiUri>/.*) {
                include snippets/standard-parameters.conf;
                fastcgi_param REQUEST_URI $apiUri;
                fastcgi_pass  sales-service;
        }
}


pool.d/sales-service.conf:

[sales-service]
chdir = /srv/$pool/web

# prevent any other script from being loaded
set fastcgi_param[SCRIPT_FILENAME] = app.php

# only start the script if the required parameters are present
require fastcgi_param[REQUEST_METHOD]
require fastcgi_param[REQUEST_URI]
require fastcgi_param[SERVER_NAME]
require fastcgi_param[SERVER_PORT]

# this will not ensure https off course, but will aid in
# case of misconfiguration
require fastcgi_param[HTTPS]

# allow these parameters any thing is ignored and not exposed to script
allow fastcgi_param[CONTENT_LENGTH]
allow fastcgi_param[CONTENT_TYPE]
allow fastcgi_param[REMOTE_ADDR]
allow fastcgi_param[REMOTE_PORT]
allow fastcgi_param[SERVER_ADDR]
...


Actual result:
--------------
nginx:

upstream sales-service {
        server sales-service1.internal:7000 weight=5;
        server sales-service2.internal:7000 weight=5;
        server sales-service3.internal:7000 weight=5;
}

server {
        listen 443;
        server_name customer-portal.example;

        location ~ ^/api/sales-service(?<apiUri>/.*) {
                include snippets/standard-parameters.conf;
                fastcgi_param REQUEST_URI $apiUri;
                fastcgi_param SCRIPT_FILENAME app.php;
                fastcgi_pass  sales-service;
        }
}


pool.d/sales-service.conf:

[sales-service]
chdir = /srv/$pool/web
...


Patches

Add a Patch

Pull Requests

Add a Pull Request

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Nov 13 15:01:28 2019 UTC