Every once in a while, someone reports unusual behavior to php-src, like how auto_prepend_file has changed, or how they see their $_POST data as output. There was one specific Issue a while back I'd cite as perhaps the first report of this sort of thing; a number of people spent quite some time troubleshooting what happened, but it has popped up again today in php/php-src#16671.
There needs to be a big red warning in the php-fpm docs that tells people to make sure that php-fpm is not publicly accessible lest there be Significant Problems and that Very Bad Things can happen if malicious actors were to submit custom FastCGI requests to the server. It should probably talk about listen being a socket, and/or listen.allowed_clients only permitting a local machine, and/or other things I'm not familiar with.
Given the proliferation of Docker and Compose, the warning should probably also cover making sure to not expose php-fpm through a ports mapping that typically isn't necessary (like when nginx/Apache/whatever is running in the same Docker network).
Such a warning won't prevent misconfiguration from happening, but at least it'll be clearly documented somewhere.
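The settings the issue points at (`listen` as a unix socket, `listen.allowed_clients` limiting TCP clients) can be checked mechanically. The following POSIX shell audit is an added example, not code from the issue or from the php-fpm project: it reads a pool configuration file and classifies the `listen` setup as `socket`, `restricted` or `exposed`. The directives `listen` and `listen.allowed_clients` are real php-fpm pool keys; the sample pool files and the proxy address `172.18.0.2` are constructed for the example.

```shell
#!/bin/sh
# Added example: classify a php-fpm pool config by network exposure.
# Assumes the real pool directives `listen` and `listen.allowed_clients`;
# all sample files below are constructed.

# Last effective assignment of key $2 in file $1, trailing comments and
# whitespace trimmed. $2 is a sed regex, so dots must be escaped.
pool_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | tail -n 1
}

# Prints one of:
#   socket     - unix socket path, unreachable over the network
#   restricted - bound to loopback, or TCP with listen.allowed_clients set
#   exposed    - TCP on a non-loopback address with no client restriction
fpm_pool_exposure() {
  conf="$1"
  listen=$(pool_value "$conf" 'listen')
  allowed=$(pool_value "$conf" 'listen\.allowed_clients')

  case "$listen" in
    /*) echo socket; return 0 ;;
  esac

  # "host:port" keeps the host; a bare port binds every interface.
  case "$listen" in
    *:*) host="${listen%:*}" ;;
    *)   host="" ;;
  esac

  case "$host" in
    127.*|localhost|'[::1]') echo restricted; return 0 ;;
  esac

  # listen.allowed_clients only applies to TCP sockets, which is where we are now.
  if [ -n "$allowed" ]; then
    echo restricted
  else
    echo exposed
  fi
}

# Constructed sample pools, written to a temporary directory.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/weak.conf" <<'EOF'
; constructed sample: bare port binds every interface, no client restriction
[www]
user = www-data
listen = 9000
EOF

cat > "$TMP/hardened-tcp.conf" <<'EOF'
; constructed sample: TCP, but only the reverse proxy (172.18.0.2, assumed) may connect
[www]
listen = 0.0.0.0:9000
listen.allowed_clients = 172.18.0.2
EOF

cat > "$TMP/loopback.conf" <<'EOF'
; constructed sample: loopback only, fine when nginx runs on the same host
[www]
listen = 127.0.0.1:9000   ; inline comment is trimmed
EOF

cat > "$TMP/socket.conf" <<'EOF'
; constructed sample: unix socket, not reachable over the network at all
[www]
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = www-data
EOF

for f in weak hardened-tcp loopback socket; do
  printf '%-14s %s\n' "$f" "$(fpm_pool_exposure "$TMP/$f.conf")"
done
```

The check only sees the pool file. A Compose `ports:` mapping that publishes the container's 9000 is outside its view, so a pool reported as `exposed` (bound to every interface, no `listen.allowed_clients`) is exactly the configuration that such a mapping turns into a publicly reachable FastCGI endpoint; a unix socket or a loopback bind cannot be published that way.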
I agree that we should warn users about such misconfiguration. I think this is not particularly special for FPM, though, but rather holds for any (F)CGI setup. However, given that FPM is by far the most used SAPI, its documentation should be addressed first, and most explicitly. Maybe @bukka can help with that.