PHP-FPM Status Page
Description
PHP-FPM (FastCGI Process Manager) includes a built-in status page feature that displays real-time operational metrics and pool information. This page is configured using the pm.status_path directive and is intended for administrative monitoring purposes.
This server has the PHP-FPM status page exposed to the public internet without access restrictions. This configuration allows unauthorized users to view sensitive operational data that should be restricted to administrators only.
Remediation
Restrict access to the PHP-FPM status page by implementing IP-based access controls in your web server configuration. Only allow access from trusted administrative IP addresses or localhost.
For Nginx:
Add IP restrictions to the status page location block:

    location ~ ^/(status|ping)$ {
        access_log off;
        allow 127.0.0.1;       # Allow localhost
        allow 192.168.1.100;   # Replace with your admin IP
        deny all;              # Deny all other access
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
For Apache:
Use the Require directive (Apache 2.4, mod_authz_host) to limit access. Apache does not accept comments after a directive on the same line, so the comment goes on its own line:

    <LocationMatch "^/(status|ping)$">
        Require ip 127.0.0.1
        # Replace with your admin IP
        Require ip 192.168.1.100
    </LocationMatch>
Alternatively, if the status page is not needed, disable it entirely by removing or commenting out the pm.status_path directive in your PHP-FPM pool configuration file (typically located in /etc/php-fpm.d/ or /etc/php/fpm/pool.d/) and reloading PHP-FPM so the change takes effect.
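The following audit script is an added example and not part of this advisory or of PHP-FPM/Nginx. It reads a PHP-FPM pool file for pm.status_path and ping.path, finds the Nginx location block that would serve each path, and reports whether that block restricts access with an allow list followed by deny all. The pool file, the Nginx server blocks, and the admin IP 192.168.1.100 are constructed sample values; the parser handles only the common directive forms shown here and is not a full Nginx configuration parser.

```python
import re

# Constructed sample PHP-FPM pool file (not taken from any real host).
SAMPLE_POOL_CONF = """\
[www]
user = www-data
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 5
pm.status_path = /status   ; exposes the status page at /status
ping.path = /ping
"""

# Constructed Nginx server block that routes the status page to PHP-FPM
# with no access control: the misconfiguration this finding describes.
SAMPLE_NGINX_OPEN = """\
server {
    listen 80;
    root /var/www/html;
    location ~ ^/(status|ping)$ {
        access_log off;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
    location ~ \\.php$ {
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

# Same block after remediation: explicit allow list, then deny all.
SAMPLE_NGINX_RESTRICTED = SAMPLE_NGINX_OPEN.replace(
    "        access_log off;\n",
    "        access_log off;\n"
    "        allow 127.0.0.1;      # localhost\n"
    "        allow 192.168.1.100;  # admin host (constructed value)\n"
    "        deny all;\n",
)

LOCATION_RE = re.compile(r'\blocation\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{')


def pool_status_paths(conf):
    """Return the status/ping paths enabled in a PHP-FPM pool file.
    ';' starts a comment, so a commented-out directive is ignored."""
    paths = []
    for line in conf.splitlines():
        line = line.split(';', 1)[0].strip()
        m = re.match(r'(pm\.status_path|ping\.path)\s*=\s*(\S+)$', line)
        if m:
            paths.append(m.group(2))
    return paths


def nginx_location_blocks(conf):
    """Return (modifier, pattern, body) for each location block; nested
    braces are tracked by depth so inner blocks do not truncate the body."""
    conf = re.sub(r'#[^\n]*', '', conf)  # drop Nginx comments
    blocks = []
    for m in LOCATION_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(1) or '', m.group(2).strip('"\''), conf[m.end():i - 1]))
    return blocks


def select_location(blocks, path):
    """Approximate Nginx selection order: exact, ^~ prefix, first regex, longest prefix."""
    for mod, pat, body in blocks:
        if mod == '=' and pat == path:
            return (mod, pat, body)
    prefixes = [b for b in blocks if b[0] in ('', '^~') and path.startswith(b[1])]
    best = max(prefixes, key=lambda b: len(b[1]), default=None)
    if best and best[0] == '^~':
        return best
    for mod, pat, body in blocks:
        if mod == '~' and re.search(pat, path):
            return (mod, pat, body)
        if mod == '~*' and re.search(pat, path, re.IGNORECASE):
            return (mod, pat, body)
    return best


def block_restricts_access(body):
    """Walk allow/deny rules in order (Nginx uses first match). Restricted means a
    default deny is reached before any rule that admits every client."""
    everyone = ('all', '0.0.0.0/0', '::/0')
    for verb, source in re.findall(r'\b(allow|deny)\s+(\S+)\s*;', body):
        if verb == 'allow' and source in everyone:
            return False
        if verb == 'deny' and source in everyone:
            return True
    return False  # no default deny: any client can reach the page


def audit(pool_conf, nginx_conf):
    """Map each enabled status path to 'exposed', 'restricted' or 'unrouted'."""
    blocks = nginx_location_blocks(nginx_conf)
    result = {}
    for path in pool_status_paths(pool_conf):
        blk = select_location(blocks, path)
        if blk is None or 'fastcgi_pass' not in blk[2]:
            result[path] = 'unrouted'       # Nginx never hands the path to PHP-FPM
        elif block_restricts_access(blk[2]):
            result[path] = 'restricted'
        else:
            result[path] = 'exposed'
    return result


if __name__ == '__main__':
    print('before:', audit(SAMPLE_POOL_CONF, SAMPLE_NGINX_OPEN))
    print('after: ', audit(SAMPLE_POOL_CONF, SAMPLE_NGINX_RESTRICTED))
```

Run it against your own files by passing the contents of the pool file and the Nginx server configuration to audit(); a path reported as 'exposed' is routed to PHP-FPM by a location block that never reaches deny all, which is the condition this finding flags. The check only reads configuration, so confirm the result over the network as well: a request to the status path from an untrusted address should receive 403 after remediation.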