Inline PHP within .html files -- it downloads src or reports "Access denied"?

SYSTEM INFORMATION
OS type and version Ubuntu 24.04 LTS
Virtualmin version 7.30.3 Pro

Have tried several permutations, none worked so far. I’d like to do this within PHP-FPM if possible, it seems to be the new standard, and I like the architecture. I have set the site’s Apache config to the below (one of many attempts), and it does a download of the source HTML (you can see it at https://test.ponderworthy.com ), it does not render HTML or execute PHP. Other configs (a FilesMatch setup modeled on the .php) produced “Access Denied”. What best to do?

SuexecUserGroup #1003 #1003
ServerName test.ponderworthy.com
ServerAlias www.test.ponderworthy.com
DocumentRoot /home/test/public_html
ErrorLog /var/log/virtualmin/test.ponderworthy.com_error_log
CustomLog /var/log/virtualmin/test.ponderworthy.com_access_log combined
ScriptAlias /cgi-bin/ /home/test/cgi-bin/
ScriptAlias /awstats /home/test/cgi-bin/awstats.pl
DirectoryIndex index.php index.htm index.html
<Directory /home/test/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
    Require all granted
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
<Directory /home/test/cgi-bin>
    Require all granted
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
ProxyPass /.well-known !

# RewriteEngine on
# RewriteCond %{HTTP_HOST} =webmail.test.ponderworthy.com
# RewriteRule ^/(?!.well-known)(.*)$ https://test.ponderworthy.com:20000/ [R]
# RewriteCond %{HTTP_HOST} =admin.test.ponderworthy.com
# RewriteRule ^/(?!.well-known)(.*)$ https://test.ponderworthy.com:10000/ [R]

RemoveHandler .php
RemoveHandler .php8.3
<FilesMatch \.php$>
    SetHandler proxy:unix:/run/php/1736097859221067.sock|fcgi://127.0.0.1
</FilesMatch>

RemoveHandler .html .htm
AddType application/x-httpd-php .html
AddHandler application/x-httpd-php .html

SSLEngine on
SSLCertificateFile /etc/ssl/virtualmin/1736097859221067/ssl.cert
SSLCertificateKeyFile /etc/ssl/virtualmin/1736097859221067/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
RedirectMatch ^/awstats$ /awstats/
<Files awstats.pl>
    AuthName "test.ponderworthy.com statistics"
    AuthType Basic
    AuthUserFile /home/test/.awstats-htpasswd
    require valid-user
</Files>
SSLCACertificateFile /etc/ssl/virtualmin/1736097859221067/ssl.ca

You’re not processing HTML files through PHP-FPM with that configuration.

Notice that \.php$ files are being proxied to the FPM server. But, you’re not doing anything with .html (you’re adding a handler, but Apache without mod_php can’t “handle” PHP, so this can’t do anything useful…I’m surprised it’s not an error, actually).

PHP-FPM is not part of Apache (unless you have mod_php enabled, which you should never do), so telling Apache about types is not useful. Apache isn’t processing PHP. You need to configure Apache to send those requests to the FPM proxy, just as is being done for files with a .php extension. You can just add it in an expression: core - Apache HTTP Server Version 2.4

I’ve never tried to do inline PHP in HTML, but I assume you also have to tell the FPM server to deal with it. I’m not actually sure how that’s configured (but it’d be in the php-fpm.conf for the domain…where that appears depends on OS and PHP package, or you can edit it in Web Configuration->PHP-FPM Configuration). Googling looks like security.limit_extensions is the option you need to change, and I believe it defaults to just .php and .phar according to the docs: PHP: Configuration - Manual

not sure if this is a good example … my index.php

<html>

<!--    -->
<!-- 28-Jun-2021     -->
<!-- write some php code to redirect 18 sites for xxxx  County to their new domain   -->
<!--    -->

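<?php
// create the variables in one block of PHP code
// then later use the variables
// HTTP_HOST is client-supplied: keep only hostname-label characters before echoing it
$subdomain = preg_replace('/[^a-z0-9-]/i', '', (string) strstr($_SERVER["HTTP_HOST"], '.', true));
$new_url = 'http://' . $subdomain . '.XXXXXX.org';
?>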

<head>
<title>XXXXX County Schools </title>

<meta http-equiv="refresh" content="5;url=<?php echo $new_url ?>">

</head>

<body>

<p>
<br>
<p>

<center>

<img src=XXXXXXXX-County-BOE-logo.png width=557 height=194 alt="XXXXXXXXX County BOE logo">
</center>

<p>
<br>
<p>


<h2>
<center>
Our website has moved
</center>
</h2>
<p>

<center>
<?php echo "<h2>\nVisit our new site at <a href=" . $new_url . ">" . $new_url . "</a></h2>";
?>
</center>

<p>

</body>
</html>

I can’t remember if this file had to have a PHP extension to work, or I just never tested it with a .HTM extension on my RedHat webserver. As you can see I stripped out the county name but otherwise this is a working production index file.

hope this helps a little :smile:

and in regards to php proxy pass and any other settings, Virtualmin has always “done the right thing” for me (again on a RedHat system) – I never had to modify anything by hand.

That’s not where OP’s problem lies. The actual HTML files they’re trying to run have nothing to do with it. (Though naming the file with a .php extension would probably make it work without any configuration changes.)


been discussed before, still work?

No. That’s not for a PHP-FPM configuration, that’s for mod_fcgid. So, no, that won’t work.


Yep, that’s the rub. I’ve still been trying things, e.g. security.limit_extensions in etc/php/8.3/fpm/pool.d/www.conf as one poster suggested, but this did not make for a change.

That’s not the one you need to modify. I told you the one to modify above. You need the one for the domain (and for each domain, if you’ll be doing this for multiple domains). Every domain gets their own FPM server, so it can run as the domain owner user.

There is a page for editing in the Virtualmin UI, as well.

Yup, I just got there. It does not help to edit www.conf. But it does help to add the line to the site-specific file as you said it, I did it via Virtualmin automation. So:

  1. Browse to Web Configuration, PHP-FPM configuration, Edit Configuration Manually.
  2. To the end of that configuration file, which is site-specific, we add:
security.limit_extensions = .php .html
  3. Browse to Web Configuration, Configure SSL Web Site (and/or non-SSL if you’re going there), Edit Directives.
  4. Scroll to see this code, which we are going to keep as is:
RemoveHandler .php
RemoveHandler .php8.3
<FilesMatch \.php$>
    SetHandler proxy:unix:/run/php/1234longsitenumber5678.sock|fcgi://127.0.0.1
</FilesMatch>
  5. Add this code, just after:
RemoveHandler .html
<FilesMatch \.html$>
    SetHandler proxy:unix:/run/php/1234longsitenumber5678.sock|fcgi://127.0.0.1
</FilesMatch>

So far, this is working well, although it’s very early days! Obviously we’ll need variations if we want more file extensions, including .htm, and if we use multiple PHP versions it will get more complicated.
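A consistency check for the two files edited in the steps above, added here as an illustration and not part of the thread or of Virtualmin: it reports extensions that Apache proxies to PHP-FPM but the pool's security.limit_extensions refuses (the “Access denied” case) and extensions that are only tagged application/x-httpd-php (the source-download case). Function names, result labels and the sample inputs are constructed, and the default extension list is the one quoted earlier in the thread.

```python
import re

# Constructed inputs modelled on the thread; the socket name is the thread's placeholder.
APACHE = r"""
<FilesMatch \.php$>
    SetHandler proxy:unix:/run/php/1234longsitenumber5678.sock|fcgi://127.0.0.1
</FilesMatch>
<FilesMatch \.html$>
    SetHandler proxy:unix:/run/php/1234longsitenumber5678.sock|fcgi://127.0.0.1
</FilesMatch>
AddHandler application/x-httpd-php .htm
"""
POOL = "[1234longsitenumber5678]\nsecurity.limit_extensions = .php .html\n"
FPM_DEFAULT = {".php", ".phar"}  # default as quoted in the thread (assumption)

def proxied_extensions(conf):
    """Extensions that a <FilesMatch> block hands to an FPM proxy handler."""
    exts = set()
    blocks = re.findall(r'<FilesMatch\s+"?(.+?)"?\s*>(.*?)</FilesMatch>', conf, re.S | re.I)
    for pattern, body in blocks:
        if re.search(r'^\s*SetHandler\s+"?proxy:', body, re.M | re.I):
            # Only the simple \.ext$ and \.(a|b)$ pattern forms are understood.
            m = re.search(r"\\\.\(?([\w|]+)\)?\$", pattern)
            if m:
                exts.update("." + e for e in m.group(1).split("|"))
    return exts

def tagged_extensions(conf):
    """Extensions only labelled application/x-httpd-php (no handler without mod_php)."""
    rows = re.findall(r"^[ \t]*Add(?:Handler|Type)[ \t]+application/x-httpd-php[ \t]+(.+)$", conf, re.M | re.I)
    return {e for row in rows for e in row.split()}

def fpm_allowed_extensions(pool_conf):
    """security.limit_extensions from the per-domain pool file; the last setting wins."""
    rows = re.findall(r"^[ \t]*security\.limit_extensions[ \t]*=[ \t]*(.*)$", pool_conf, re.M)
    return set(rows[-1].split()) if rows else set(FPM_DEFAULT)

def audit(apache_conf, pool_conf):
    """Sorted (extension, problem) pairs for the failure modes seen in the thread."""
    proxied, allowed = proxied_extensions(apache_conf), fpm_allowed_extensions(pool_conf)
    if not allowed:  # an empty value switches FPM's extension check off
        findings = [("*", "fpm-unrestricted")]
    else:
        findings = [(e, "fpm-access-denied") for e in proxied - allowed]
    findings += [(e, "served-as-source") for e in tagged_extensions(apache_conf) - proxied]
    return sorted(findings)

if __name__ == "__main__":
    print(audit(APACHE, POOL))  # [('.htm', 'served-as-source')]
```

Paste the domain's own directives and pool file contents in place of the samples; an empty result means every proxied extension is also permitted by that domain's FPM pool.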

If this is a normal configuration for your sites, you could make these changes to your Server Templates (I’m not sure about the PHP-FPM configuration, but certainly the Apache configuration directives can be added to Server Templates).

Actually, it looks like you can add the PHP-FPM options in Server Templates as well, in the Additional PHP-FPM pool options field.

Just use php files and then use htaccess to rewrite the file extension.

“Just use php files and then use htaccess to rewrite the file extension.”

No, I’m interested in making things less complex, not more. I have very neatly written .html files, a large amount of them, with what amounts to a manual framework with PHP includes.

Now that’s what I’m talking about :slight_smile: Will try it!

Well, I tried using the templates for this, but the code was out of order after save of new sites. Looked like it was doing some interpretation and didn’t get it right.
Not to worry, two small pastes is nice and simple.

I guess I have a lot to learn about websites … what happens to files containing only html that are sent over to the php-fpm daemon for processing?

Don’t learn from this. While I’m always happy to talk about the old days and the old ways of computing, this is one that is best forgotten. (But, it’s mostly harmless if done with care.)

Why best forgotten?

It’s probably best for HTML to be static and served by the web server. It’s (much) faster, and probably has security benefits when you know what is executable and what is unprocessed through PHP.

It’s also quite unusual in modern web dev (so unusual that a lot of folks probably didn’t even understand what you were asking for). Most young devs don’t know about stuff like SSI (Server-Side Includes) or the old inline PHP ways, and so if you ever have to hand off the code to a new developer or bring on new team members, they’ve got to get up to speed on an unusual way of doing things.

But, as I said, it’s mostly harmless. I don’t think this is a crazy thing to do. I just think it’s sub-optimal to process all HTML through PHP and doing things in a way that is recognizable to the average developer is good for long-term planning.

If this is all your own code and no one else will ever have to deal with it, go nuts. Do whatever makes you happy and makes the best use of your time and energy. Webmin certainly doesn’t look like current web apps, either. A lot changes in 25 years.

Just saying I wouldn’t start a greenfield project this way.
