From 63d00537ad095f5b7566ab8c0e75256425c343b3 Mon Sep 17 00:00:00 2001
From: Dimitra Chatzichrysou <dimitra.chatzichrysou@cern.ch>
Date: Tue, 12 Sep 2023 16:01:28 +0200
Subject: [PATCH] Update httpd config to sevre php files

---
 el9/templates/httpd-configmap.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/el9/templates/httpd-configmap.yaml b/el9/templates/httpd-configmap.yaml
index 77487bf..74219a0 100644
--- a/el9/templates/httpd-configmap.yaml
+++ b/el9/templates/httpd-configmap.yaml
@@ -118,7 +118,25 @@ data:
         Require all denied 
     </Files>
 
-    AddType application/x-httpd-php .php
+    # The following lines prevent .user.ini files  (PHP config files) from being viewed by Web clients.
+    <Files ".user.ini">
+        Require all denied
+    </Files>
+
+    # Allow php to handle Multiviews
+    AddType text/html .php
+
+    # Redirect to local php-fpm (no mod_php in default configuration)
+    <FilesMatch ".+\.php$">
+        # To avoid executing something unexpected it is critical to verify that the file
+        # actually exists in the filesystem!
+        # cf. https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=115522405
+        <If "-f %{REQUEST_FILENAME}">
+            # Enable http authorization headers
+            SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
+            SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
+        </If>
+    </FilesMatch>
 
     <IfModule mime_module>
         TypesConfig /etc/mime.types
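Review bot: The `SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1` line inside the new `<If>` block overrides httpd's default of withholding the Authorization header from CGI/FastCGI environments, and the comment "Enable http authorization headers" does not say so. With this line, every `.php` file that matches the `<FilesMatch>` receives the client's raw credentials (Basic passwords, bearer tokens) in its environment. I would make that explicit with a comment such as `# Pass the client's Authorization header to php-fpm; every PHP script served here can read these credentials`. If the hosted applications do not authenticate in PHP themselves, which the hunk does not show, the line could be dropped. Where pass-through is required, `CGIPassAuth On` is the directive httpd documents for this purpose, and it may be clearer than the SetEnvIf idiom.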
-- 
GitLab