I am trying to encrypt the connection from an application running on php 5.6.40 to gearman server(version 1.1.12). I have started gearman server enabling ssl and passed the ca file, certificate and key as arguments.
gearmand -d --ssl --ssl-ca-file=ca.crt --ssl-certificate=gearman.crt --ssl-key=gearman.key
Where I am stuck now is to get my php client use ssl. I am using GearmanClient class that comes with php's gearman extension and I could not figure out a way to achieve this.
$gearmanClient = new GearmanClient();
$gearmanClient->addServer('server ip', 4730);
$result = $gearmanClient->doHighBackground('job-type', 'workload');
The code above works but the job-type and workload are sent un-encrypted to gearman server. If it is not possible with php's gearman extension, does anybody know if we can use socket functions to achieve this? I have gone through a lot of threads related to this, but could not find a proper answer. Apologies if this has been already answered.
SSL support in gearmand works just fine. I have been using it in a production environment for ~3 years now. The issue mentioned in another answer is still open because that issue is really about making improvements to the documentation, and that wishlist item is unresolved.
Getting SSL support in the PHP extension is possible, but it will require patching and compiling the code yourself. The current version of the PHP extension can be found at https://github.com/wcgallego/pecl-gearman, but that is for PHP 7.x.
The Gearman PECL extension for older versions of PHP (< 7.x) is no longer maintained, as far as I know, but you can download the latest version at https://github.com/hjr3/pecl-gearman and apply the patch at https://bugs.php.net/bug.php?id=67623. It works. My workplace used that in production for about a year before moving to PHP 7.x.
If you are using PHP 7+, I recently opened a PR for adding SSL support at https://github.com/wcgallego/pecl-gearman/pull/72. You should also read the issue thread at https://github.com/wcgallego/pecl-gearman/issues/43 for some caveats.
In either case, you also need a libgearman.so from gearmand 1.1.19 or newer that was compiled with --enable-ssl and has support for the setSSL() API.
I hesitated to answer the question previously because it is related to PHP.
Actually gearmand supports SSL connection properly. The issue mentioned by #emix is still opened because there is no ssl tests for gearmand itself in repository.
Perl Implementation of gearmand Client/Worker supports SSL connection and contains ssl tests for the purpose.
SSL is alleged to be not working. This was posted as a bug long time ago and the issue is still considered open. The official extension seems dead as well: last release was more than 6 years ago.
If I were in your shoes I'd switch to something more stable with better community support.
Related
I have an application that I need to be using a non-thread-safe(nts) version of php 8.0 being built on current RHEL. I have tried a few different ways of recompiling php including this one to no avail. Checking the php info page, It still says that thread safety is enabled. Does anyone know of a way to recompile PHP without thread safety? I have found many posts talking about enabling thread safety, but almost nothing on disabling it. Thank you in advance!
Sorry to get back to you for a question that has been asked many years ago. But I am really stuck with this.
I have a legacy application which is very old, running PHP 5.2.17.
I followed this guide to setup my docker container
https://andrewscaya.net/blog/bringing-php-52-back-life
I have everything setup correctly. I made a downloaded and compiled a PHP installation and configured this with Apache. And its working fine with php.
However, it is essential that I have SSL support (in PHP) for the POSTGRES connection.
Which is now default not enabled according to PHPINFO
I have basically the very same problem somebody else had many years ago. SSL support of Pgsql
See:
Enable SSL support for pgsql
So from what I am understanding is that I need to recompile PHP again, but with a package called libpg ?
Where do I get this package and how can I compile this with the PHP source code?
After 2 days of searching I finally found LAPP stack which has some older versions available with pgsql ssl support
https://community.bitnami.com/t/can-i-get-the-installers-for-wapp-and-lapp-stacks-for-5-4-45/38548
In the long-run I would recommend upgrading PHP versions, but I understand that this can be a lot of work. There are many good guides on upgrading versions. I recommend going through the version upgrades one-by-one, dealing with deprecated features and other potential problems one-at-a-time and testing each script.
In the short-term, I'm not sure if this would work, but PDO is supported in 5.2 (actually in 5.1 even) and as it simply passes info to the PostgreSQL library, I would expect SSL support to work. I have used it in 5.4, and I am not aware of any changes made between those two versions.
There is a solution here, by IMSoP, that explains how to get this working and points you to more official documentation if you need more info: Connecting to PGSQL over SSL via PHP PDO
If this fails, a second approach that I would try would be to create an SSH tunnel to connect to a local port. An example would be:
ssh -L 127.0.0.1:5443:127.0.0.1:5432 username#remoteboxaddress
Then you can initiate what looks to PHP like a local connection on port 5433, but it will actually be a (secure) SSH tunnel to the remote box. This will also require that the remote box is configured to accept (non-encrypted) local connections, and that you have SSH access to it. Then, if you test it out and it works, you can make a script to start the tunnel on boot, or better yet, when the webserver is started; this necessitates using an authentication method like keys stored in a file, that doesn't require the entering of a password. So...there are a lot of "if's" here, in terms of whether or not you will be able to get this solution to work, but it can be done if you have root access on both servers, and occasionally if you do not, depending on how they are configured.
Hopefully, one of these two solutions will work for you.
I have a complicated custom PHP app written for PHP5.
Can an app be modified to be compatible with both PHP5 and PHP7?
The background is that the server runs PHP5. What if it was upgraded to PHP7, could the upgrade be seamless.
Most likely yes. But only if the app doesn't use PHP7 functions or syntax (In you issue it's only that). The best way to find out is to make a second server to test it out. An example: In Magento (big PHP app, I would say), there is only one line of code that crashes the app. This is a Syntax thing. But without testing out and reading the error log, you will most likely not finding it out by pure source code reading. I port multiple websites a week from PHP5 to PHP7. Most of the time the only problem is that some apps use MySQL instead of MySQLi (talking about the PHP-Modul. Not the Databases itself)
From PHP5 to PHP7 is major version change. It would be surprise if the code worked as it is! As a starting point, you can see this http://php.net/manual/en/migration70.php
I have a web project that for compiling it I use a Non Thread Safe version of php,
but my customer have a Thread Safe version of php on his server and when run the
project, there's many errors on each pages.
the question is: how i can fix it without changing server?
can we run Non Thread Safe project on Thread Safe server?
i use ms iis but my customer using last version of xampp.
Just because it is "thread safe" doesn't mean threads are enabled. XAMPP uses the prefork MPM, which does not use multiple threads. Your errors may be due to something entirely different.
i solve the problem
because php error report on my system was off but on the server not
so i never see some miss programing such and I set it on and recheck errors and fix them
and with some part of code i put it off on pages so it done and fix
I am using the most recent PHP 5.3.6 on a Windows box. I configured a remote MySQL server to accept only SSL connections. Connecting works fine with the MySQL command line client:
mysql.exe -u user -h mysql.example.com -P 3307 --ssl-ca=C:\www\mysql.example.com.crt -p
However, I cannot connect through PHP. According to the PHP documentation, this is due to PHP 5.3 using the newer MySQL Native Driver (mysqlnd) by default. This driver does not support SSL.
I can't believe that they allowed such a regression to slip through (SSL being one of the few reasons why someone would use the mysqli rather than the mysql extension) without offering an easy way to revert back to the old libmysql driver which does support SSL.
On php.net, there is no indication about how to do this. Also, recompiling is not an option. My question thus is: how can this be done easily?
On php.net, there is no indication about how to do this. Also, recompiling is not an option.
In order to create the mysql, mysqli and PDO extensions, PHP must be compiled against a MySQL interface library. You can't simply swap out that underlying library. In order to use another library, like the one provided by MySQL, you have to recompile PHP against it.
The reason for the switch to the native library is that the MySQL-provided library is released under the GPL. The PHP license is not compatible with the GPL, so distributing PHP binaries compiled against GPL code is pretty high up on the Thou Shalt Not list. You can thank and/or curse the MySQL folks for this bit of utter stupidity. Only idiots and evil people release library code under the GPL.
</rant>
If you can't recompile, you're probably out of luck. Keep in mind that Microsoft offers VC9 (Visual Studio 2008) at no cost, so you should be able to perform the recompile, if needed.
You might want to explore other options for a secure connection to your MySQL server.
If the remote machine is Linux or otherwise Unix-based, then using an SSH tunnel (port forwarding) may work for you. There are numerous SSH clients for Windows that can do this.
You should also consider OpenVPN, a VPN solution built on top of SSL/TLS. You can use this to establish a secure connection between the two machines without needing to worry about protocol-level security.