Unable to add FCGIWrapper Directives since

Discussion in 'Installation/Configuration' started by matosconsulting, Oct 22, 2014.

  1. matosconsulting

    matosconsulting New Member

    I updated to today and suddenly started running in to all sorts of issues. One issue is that I am suddenly no longer able to add FCGIWrapper directives to a particular site's apache directive section via the control panel.

    I have a multi-tenant PHP application with a codebase that is shared across multiple sites/clients. Here are the details:

    • The application is installed in /var/www/sharedapp/
    • When a client of mine needs access to the app, I add an Apache directive that adds an Alias to that shared app folder, and configure FCGIWrapper to use that particular client's PHP.
    • This has worked perfectly fine up until
    • As of, if I try to add this configuration to a client, I get "Apache directive blocked by security settings".
    • I cannot find anything in the documentation about this. I did try setting the web security setting to Medium, but that doesn't seem to have helped.

    Here is an example directive that I add to client configs (under site->options->apache directives):

    # enable sharedapp for this domain. Ensure the "web" part of the path matches the Linux User this will be running under!
    # be sure to add this to open_basedir as well or you'll get "no input file specified" errors
    Alias /sharedapp "/var/www/sharedapp"
    <Directory /var/www/sharedapp>
    	<FilesMatch "\.php$">
    		SetHandler fcgid-script
            FCGIWrapper /var/www/php-fcgi-scripts/web1/.php-fcgi-starter .php
            Options +ExecCGI
            AllowOverride All
            Require all granted
    The error I get is:
    How can I disable this new security feature?
  2. matosconsulting

    matosconsulting New Member

    Of course, the moment I posted this I was able to find the solution. I guess I didn't dig deep enough into the docs.

    I found a diff from one of the latest updates and read through the code - and then I realized it was a setting in the security_settings.ini file.

    By adjusting the apache_directives_scan_enabled setting (or preferably creating an apache_directives.blacklist.custom with the settings you need) you can resolve this issue.

Share This Page