How to Fix “AH01071: Primary script unknown” Error in Apache 2.4 with PHP-FPM 7.2 Configuration


When running Apache 2.4 with PHP-FPM 7.2, you might encounter these error messages in your logs:

    [proxy_fcgi:error] [pid 28619:tid 140003157985024] [client 49.233.5.191:37604] AH01071: Got error 'Primary script unknown\n'

This typically occurs when:

  • Bot scans request PHP files that do not exist on disk
  • Your PHP-FPM pool applies strict script handling
  • Apache's mod_proxy_fcgi forwards a request for a script that PHP-FPM cannot find at the path it was given

The error specifically appears for PHP files because of your directive:


    SetHandler "proxy:unix:/run/php/php7.2-fpm.sock|fcgi://localhost"

Apache only proxies PHP files to PHP-FPM, so missing HTML or other files won't generate this particular error.

Here are three approaches to handle this:

1. Catch Missing Files Before PHP-FPM

Modify your virtual host configuration:


    RewriteEngine On
    # In <VirtualHost> context REQUEST_FILENAME is not yet a filesystem path
    # (it holds the same value as REQUEST_URI), so test the path under the
    # document root instead; otherwise every .php request would be answered 404
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
    # Answer 404 ourselves rather than handing a missing file to PHP-FPM
    RewriteRule \.php$ - [R=404,L]

2. Adjust PHP-FPM Error Handling

Edit your php-fpm pool configuration (/etc/php/7.2/fpm/pool.d/www.conf):

    ; These settings do not change the "Primary script unknown" reply itself;
    ; they keep worker output and PHP errors in PHP-FPM's own log for triage
    catch_workers_output = yes
    php_admin_value[error_log] = /var/log/php7.2-fpm.log
    php_admin_flag[log_errors] = on

3. Filter Bot Requests

Create a rewrite rule for common attack patterns:

    RewriteEngine On
    # Only PHP, WordPress and admin paths...
    RewriteCond %{REQUEST_URI} (\.php|wp-|admin) [NC]
    # ...requested with a known scanner User-Agent or with no User-Agent at all
    RewriteCond %{HTTP_USER_AGENT} (libwww|nmap|nikto|wget|python) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # Refuse with 403 (F) and stop processing further rules (L)
    RewriteRule ^.*$ - [F,L]

If you want to keep the security logging but reduce noise:

    # Daily rotated logs (rotatelogs ships with Apache)
    ErrorLog "|/usr/bin/rotatelogs -l /var/log/apache2/error.%Y-%m-%d.log 86400"
    # Skip access-log entries for requests tagged botaccess below; the AH01071
    # line itself is written to the ErrorLog and is not affected by this filter
    CustomLog "|/usr/bin/rotatelogs -l /var/log/apache2/access.%Y-%m-%d.log 86400" combined env=!botaccess

    SetEnvIfNoCase User-Agent ".*(nmap|nikto|wget|libwww).*" botaccess
    SetEnvIfNoCase User-Agent "^$" botaccess

While suppressing these logs might reduce noise, consider that:

  • These scans often precede actual attacks
  • Failed PHP requests might indicate directory probing
  • Keeping some logging helps identify attack patterns
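To keep that attack-pattern view without reading raw logs by hand, here is an added example (not part of the original article): a small POSIX shell triage script that counts AH01071 events per client in the error log and lists which .php paths drew 404s in the access log. The function names, the 203.0.113.7 and 198.51.100.2 addresses and the sample log lines are constructed for this example; it assumes the default Apache 2.4 error-log format and the "combined" access-log format.

```shell
#!/bin/sh
# Summarize "Primary script unknown" noise from the Apache logs: which clients
# trigger AH01071 and which .php paths they probe. Assumes the default Apache
# 2.4 error-log format and the "combined" access-log format.

# Count AH01071 events per client IP, busiest first ("ip count" per line).
# Usage: ah01071_by_client /var/log/apache2/error.log
ah01071_by_client() {
    grep 'AH01071' "$1" \
      | sed -n 's/.*\[client \([0-9A-Fa-f.:]*\):[0-9]*].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# List .php paths that produced a 404, most requested first ("path count").
# Usage: php_404_paths /var/log/apache2/access.log
php_404_paths() {
    awk '$9 == 404 && $7 ~ /\.php/ { print $7 }' "$1" \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2, $1 }'
}

# Constructed sample logs (stand-ins for the real files), written into directory $1.
write_samples() {
    cat > "$1/error.log" <<'EOF'
[Tue Jan 02 10:00:01.000000 2024] [proxy_fcgi:error] [pid 28619:tid 140003157985024] [client 49.233.5.191:37604] AH01071: Got error 'Primary script unknown\n'
[Tue Jan 02 10:00:02.000000 2024] [proxy_fcgi:error] [pid 28619:tid 140003157985024] [client 49.233.5.191:37610] AH01071: Got error 'Primary script unknown\n'
[Tue Jan 02 10:00:03.000000 2024] [proxy_fcgi:error] [pid 28619:tid 140003157985024] [client 49.233.5.191:37622] AH01071: Got error 'Primary script unknown\n'
[Tue Jan 02 10:00:04.000000 2024] [proxy_fcgi:error] [pid 28620:tid 140003157985024] [client 203.0.113.7:51200] AH01071: Got error 'Primary script unknown\n'
[Tue Jan 02 10:00:05.000000 2024] [core:info] [pid 28620:tid 140003157985024] [client 203.0.113.7:51201] AH00128: File does not exist: /var/www/html/robots.txt
EOF
    cat > "$1/access.log" <<'EOF'
49.233.5.191 - - [02/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
49.233.5.191 - - [02/Jan/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
49.233.5.191 - - [02/Jan/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [02/Jan/2024:10:00:04 +0000] "GET /admin/index.php HTTP/1.1" 404 196 "-" "-"
198.51.100.2 - - [02/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# Demo run over the constructed samples (drop this part to use it on real logs)
tmp=$(mktemp -d)
write_samples "$tmp"
ah01071_by_client "$tmp/error.log"
php_404_paths "$tmp/access.log"
rm -r "$tmp"
```

Point the two functions at the rotated files from the ErrorLog/CustomLog directives above when running it on a real host.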

For production systems, implement both logging and active protection:

    # Install and configure mod_security (Debian/Ubuntu package name)
    apt install libapache2-mod-security2
    mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
    # The recommended file ships with "SecRuleEngine DetectionOnly": it logs but
    # does not block anything until that line is changed to "SecRuleEngine On"

When examining Apache logs with PHP-FPM configurations, you might encounter the following error pattern:

    [proxy_fcgi:error] [pid 28619:tid 140003157985024] [client 49.233.5.191:37604] AH01071: Got error 'Primary script unknown\n'

This typically occurs when:

  • Non-existent PHP files are requested (common with bot scans)
  • The PHP-FPM handler is misconfigured
  • File permissions prevent script execution

Unlike standard 404 errors, this message specifically indicates that Apache's proxy_fcgi module attempted to process the request through PHP-FPM but failed. The key differences:

    # Regular 404 (no PHP-FPM interaction): an access-log entry only
    127.0.0.1 - - [01/Jan/2024:12:00:00 +0000] "GET /nonexistent.html HTTP/1.1" 404 123

    # PHP-FPM related 404: the same kind of access-log entry...
    127.0.0.1 - - [01/Jan/2024:12:00:00 +0000] "GET /nonexistent.php HTTP/1.1" 404 123
    # ...plus this line in the error log
    [proxy_fcgi:error] AH01071: Got error 'Primary script unknown\n'

Here's how to modify your Apache configuration to handle these cases more gracefully:

    <FilesMatch "\.php$">
        # Hand the request to PHP-FPM only when the script actually exists
        <If "-f %{REQUEST_FILENAME}">
            SetHandler "proxy:unix:/run/php/php7.2-fpm.sock|fcgi://localhost"
        </If>
        # Otherwise refuse the request here without touching PHP-FPM.
        # "Require all denied" answers 403; leave the <Else> out entirely if you
        # prefer Apache's ordinary 404 for the missing file.
        <Else>
            Require all denied
        </Else>
    </FilesMatch>

For more robust solutions, consider these approaches:

    # Option 1: Rewrite rules to prevent processing
    RewriteEngine On
    # Test the path under the document root: in <VirtualHost> context
    # REQUEST_FILENAME is not yet a filesystem path (it equals REQUEST_URI)
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
    RewriteRule \.php$ - [R=404,L]

    # Option 2: Custom error handler (changes the response body, not whether
    # the request reaches PHP-FPM)
    <LocationMatch "\.php$">
        ErrorDocument 404 "File not found"
        ErrorDocument 403 "Access denied"
    </LocationMatch>

To reduce log noise from bot scans:

    # Block common exploit paths
    <LocationMatch "(\.php|wp-login|admin)">
        SetEnvIfNoCase User-Agent "(wget|curl|scan|bot)" bad_bot
        # Apache 2.4 authorization syntax ("Deny from" belongs to the 2.2-era
        # mod_access_compat); note that "bot" also matches legitimate crawlers
        <RequireAll>
            Require all granted
            Require not env bad_bot
        </RequireAll>
    </LocationMatch>

    # Rate limiting for PHP requests
    # Apache core cannot count requests per client, so the intended
    # "10 requests per minute" policy needs an add-on module. Shown here with
    # mod_evasive (swapped in for the original placeholder directives; package
    # libapache2-mod-evasive on Debian/Ubuntu), whose directives are
    # server-wide rather than scoped to a <LocationMatch>:
    DOSPageCount      10
    DOSPageInterval   60
    DOSBlockingPeriod 300
    # Exempt a trusted address from limiting. Match on the real client address
    # rather than X-Forwarded-For, which any client can set itself
    DOSWhitelist      123.123.123.123

Adjust your pool settings to improve error handling:

    [www]
    ; /etc/php/7.2/fpm/pool.d/www.conf
    ; Socket path must match the SetHandler proxy target in Apache
    listen = /run/php/php7.2-fpm.sock
    ; Apache (www-data) must be allowed to connect to the socket
    listen.owner = www-data
    listen.group = www-data
    listen.mode = 0660

    ; Security enhancements
    ; PHP-FPM refuses to execute scripts with any other extension
    security.limit_extensions = .php .phar
    ; Should match the DocumentRoot of the vhost that proxies to this pool
    php_admin_value[doc_root] = /var/www/html
    ; php_admin_* values cannot be overridden by ini_set() or .user.ini
    php_admin_flag[allow_url_fopen] = off

The complete solution involves multiple layers: proper Apache configuration, PHP-FPM tuning, and security measures to filter malicious requests.