Evander Consus Evander Consus - 2 months ago 13
Apache Configuration Question

How to check in .htaccess if PHP is enabled?

How can I let Apache's

.htaccess
file check if PHP is enabled? I tried things like
<IfModule !mod_php7.0.c>
and
<IfModule !mod_php7.c>
but it doesn not seem to do anything when I enable/disable the module.

I would like to have a fallback in my
.htaccess
that denies acces from all when PHP is disabled. In order to prevent leakage of plain text PHP code.

I want to do something like this:

# If PHP is not installed, deny all access to .php files to prevent PHP code leakage
<IfModule !mod_php7.c>
<FilesMatch \.php$>
order deny,allow
deny from all
</FilesMatch>
</IfModule>


Ultimately it will check something like
if php7 AND php5 AND php4 are disabled, deny access
. Any ideas?

Also, when AllowOverride is None and so the
.htaccess
file is not doing anything. What are the options in order to prevent the PHP code from leaking in plaintext?

Answer
<IfModule !mod_php5.c>
    <FilesMatch ".+\.php$">
        Order Deny,Allow
        Deny from all
    </FilesMatch>
</IfModule>

In Apache 2.4

<IfModule !mod_php5.c>
    <FilesMatch ".+\.php$">
        Require all denied
    </FilesMatch>
</IfModule>

In Apache 2.4 there are several new useful features: define, ifdefine, and if, else, ifelse.

In the following we can deny by default and only enable if PHP_IS_ENABLED is defined.

<IfModule mod_php5.c>
    Define PHP_IS_ENABLED
</IfModule>

<IfModule mod_php7.c>
    Define PHP_IS_ENABLED
</IfModule>

# ...

<IfDefine !PHP_IS_ENABLED>
    <FilesMatch ".+\.php$">
        Require all denied
    </FilesMatch>
</IfDefine>