Access to the script ‘xxx’ has been denied (see security.limit_extensions)

I was using my project framework for months now. After becoming a freelancer again I began setting up my infrastructure via cloud services and VMs at Digital Ocean.

Yesterday I wanted to install my project framework on a VM at DO. Basically everything went fine – until I tried to actually run a PHP script. Nginx gave me this:

==> …/var/log/nginx/magento.error.log <==
2015/11/25 07:17:36 [error] 8006#0: *1 FastCGI sent in stderr: "Access to the script '…/magento' has been denied (see security.limit_extensions)" while reading response header from upstream, client: x.x.x.x, server: …, request: "GET /info.php HTTP/1.1", upstream: "fastcgi://unix:…/var/run/php5-fpm.sock:", host: "…"

After some hours of thinking and googling I found these articles:

In fact that was exactly the problem. I could have set cgi.fix_pathinfo to 1 but that is known for opening up security holes. Therefore I checked PATH_TRANSLATED and PATH_INFO which seemed to be empty. Removing PATH_TRANSLATED fixed the access denied issue.

Is there a better way?


Also published on Medium.