I have installed a new Ubuntu 16.04 server and enabled PHP-FPM using this guide. I have also enabled the userdir module (so that I can have virtual sites running from a public_html folder under /home/$user) and mod_ruid2.
One of the things that has to be done according to the first guide is to add these three lines to 000-default.conf:
<FilesMatch "\.php$">
SetHandler "proxy:fcgi://127.0.0.1:9000/"
</FilesMatch>
With the three lines added, my conf-file looks like this:
<VirtualHost *:80>
ServerName jrrtest
RMode stat
ServerAdmin webmaster@localhost
DocumentRoot /home/jrr/public_html
ErrorLog ${APACHE_LOG_DIR}/jrrtest-error.log
CustomLog ${APACHE_LOG_DIR}/jrrtest-access.log combined
<FilesMatch "\.php$">
SetHandler "proxy:fcgi://127.0.0.1:9000/"
</FilesMatch>
</VirtualHost>
PHP is now executing as expected, but when I try to upload files using the examples on this page, it is not working. If I try to upload a file I get this error in the Apache error_log:
PHP Warning: move_uploaded_file(uploads/jorara.png): failed to open stream: Permission denied in /home/jrr/public_html/upload.php on line 38\nPHP message: PHP Warning: move_uploaded_file(): Unable to move '/tmp/phpAJsos1' to 'uploads/jorara.png' in /home/jrr/public_html/upload.php on line 38
If I remove the FilesMatch lines from 000-default.conf the upload functionality is working again, but PHP is no longer executing using FastCGI as I want it to.
If I reenable the FilesMatch lines and change the owner on the uploads folder to www-data:www-data I can also get the upload functionality to work.
How can I configure PHP-FPM so that the owner of the PHP script can upload files to a folder owned by the same owner as the script owner?
Regards,
Jørgen
After spending a couple of hours searching, I finally found a solution that seems to be working.
What I ended up doing was this.
Installed a standard Ubuntu with LAMP.
Installed these extra packages:
apt-get install libapache2-mod-fastcgi php7.0-fpm
Enabled these Apache modules:
a2enmod actions fastcgi
Created a couple of directories:
/var/www/testsite/htdocs
/var/www/testsite/phpsessions
/var/www/testsite/logs
Created a new php-fpm pool in the file /etc/php/7.0/fpm/pool.d/testsite.conf:
[testsite]
user = testsite
group = testsite
listen = /run/php/php7.0-fpm.testsite.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
php_admin_value[session.save_path] = /var/www/testsite/phpsessions
php_admin_value[session.save_handler] = files
php_admin_value[display_errors] = Off
php_admin_value[log_errors] = On
php_admin_value[error_log] = "/var/www/testsite/logs/php_error.log"
php_admin_value[open_basedir] = "/var/www/testsite/htdocs:/usr/share/php:/tmp:/var/www/testsite/phpsessions"
In my first attempts with listen.owner and listen.group I had them set to testsite. That gave me problems accessing the socket file /run/php/php7.0-fpm.testsite.sock if I did not set listen.mode to 0666. In my (and a lot of other people's) opinion that is a security risk. Instead I ended up setting listen.owner, listen.group and listen.mode to the values shown above, which seems to be the recommended solution.
Created a site definition in the file /etc/apache2/sites-available/testsite.conf with this content:
<IfModule mod_fastcgi.c>
AddHandler php7-fcgi-testsite .php
Action php7-fcgi-testsite /php7-fcgi-testsite
Alias /php7-fcgi-testsite /usr/lib/cgi-bin/php7-fcgi-testsite
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-testsite -socket /run/php/php7.0-fpm.testsite.sock -pass-header Authorization
<Directory "/usr/lib/cgi-bin">
Require all granted
</Directory>
</IfModule>
<VirtualHost *:80>
ServerName testsite
ServerAdmin webmaster@localhost
DocumentRoot /var/www/testsite/htdocs
ErrorLog ${APACHE_LOG_DIR}/testsite-error.log
CustomLog ${APACHE_LOG_DIR}/testsite-access.log combined
<Directory /var/www/testsite/htdocs>
Options -Indexes
</Directory>
<IfModule mod_fastcgi.c>
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler php7-fcgi-testsite
</FilesMatch>
</IfModule>
</VirtualHost>
Enabled the new site:
a2ensite testsite
Disabled the default php module in Apache:
a2dismod php7.0
Restarted Apache and PHP-FPM:
systemctl restart php7.0-fpm apache2
The status of php-fpm (including the new pool) can be seen with this command:
systemctl status php7.0-fpm
Created the file info.php in /var/www/testsite/htdocs with this content:
<?php
phpinfo();
?>
Accessing testsite/info.php in a browser now shows that PHP is running as FastCGI, which is what I wanted, and files can be uploaded without problems.
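An added example, not part of the original answer: a small Python audit of php-fpm pool files for the three settings this answer depends on (the socket's listen.mode, the pool user, and open_basedir). The `weak` and `tcp` pools, the `audit_pools` name, and treating www-data as the shared Apache account are assumptions made for the illustration.

```python
import configparser
# Assumption: Apache runs as www-data (Ubuntu default); root is never acceptable.
SHARED_ACCOUNTS = {"root", "www-data"}

# Constructed sample: the testsite pool from the answer plus two weak variants.
SAMPLE = """
[testsite]
user = testsite
listen = /run/php/php7.0-fpm.testsite.sock
listen.owner = www-data
listen.mode = 0660
php_admin_value[open_basedir] = "/var/www/testsite/htdocs:/tmp"
[weak]
user = www-data
listen = /run/php/weak.sock
listen.mode = 0666
[tcp]
user = site2
listen = 127.0.0.1:9000
php_admin_value[open_basedir] = /var/www/site2
"""

def audit_pools(text):
    """Return {pool: [findings]} for php-fpm pool configuration text."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=(";",),
                                   interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for pool in cp.sections():
        opts = {k: v.strip().strip('"') for k, v in cp[pool].items()}
        findings = []
        listen = opts.get("listen", "")
        if listen.startswith("/"):
            # php-fpm falls back to mode 0660 when listen.mode is not set.
            mode = int(opts.get("listen.mode", "0660"), 8)
            if mode & 0o006:
                findings.append("socket mode %04o is open to every local user" % mode)
        else:
            findings.append("TCP listener %s is not protected by file permissions" % listen)
        if opts.get("user") in SHARED_ACCOUNTS:
            findings.append("pool runs as shared account %s" % opts["user"])
        if "php_admin_value[open_basedir]" not in opts:
            findings.append("no php_admin_value[open_basedir] confinement")
        report[pool] = findings
    return report

if __name__ == "__main__":
    for pool, findings in audit_pools(SAMPLE).items():
        print(pool, findings or "ok")
```

To check a real server, pass the concatenated contents of the files under /etc/php/7.0/fpm/pool.d/ to `audit_pools`.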
For a very long time I've been trying to set up an Apache server on Ubuntu with multiple hosts, and somehow it just doesn't want to work for me.
My general goal: Hosting multiple websites with apache and using chrooted php and ftp. For ftp it's not a problem using vsftpd but PHP seems to be a problem.
In the current configuration without chroot, PHP can access files using scandir and thus access other virtual hosts.
If there's a better way to solve this problem you can also make a suggestion! Trying for 2 or 3 days now to get this working.
I've set up a virtual machine for testing purposes and want to show my current configuration and hope to find some help.
I've added two hosts on my /etc/hosts: web1 and web2, thus I'm using http://web1 and http://web2 for testing.
apache config of my vhost web1:
<VirtualHost *:80>
ServerAdmin admin@yadbo.com
ServerName web1
DocumentRoot /var/www/web1/html
ErrorLog /var/www/web1/logs/error.log
CustomLog /var/www/web1/logs/logaccess.log combined
AssignUserId web1 www-data
DirectoryIndex index.php
<Directory "/usr/lib/cgi-bin">
Require all granted
</Directory>
AddHandler php7-fcgi-web1 .php
Action php7-fcgi-web1 /php7-fcgi-web1
Alias /php7-fcgi-web1 /usr/lib/cgi-bin/php7-fcgi-web1
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-web1 -socket /run/php/php7.4-fpm.web1.sock -pass-header Authorization
<FilesMatch \.php$ >
SetHandler php7-fcgi-web1
</FilesMatch>
</VirtualHost>
I've also added a new pool for my user web1 in /etc/php/7.4/fpm/pool.d/web1:
[web1]
listen = /run/php/php7.4-fpm.web1.sock
access.log = /var/www/web1/logs/$pool.access.log
prefix = /var/www/web1/
chroot = $prefix
chdir = /
user = web1
group = www-data
listen.owner = web1
listen.group = www-data
listen.mode = 0660
php_value[session.save_path] = /sessions
pm=dynamic
pm.max_children=5
pm.start_servers=2
pm.min_spare_servers=1
pm.max_spare_servers=3
That's pretty much all I've got as configuration. I've also tried to add some softlinks in /var/www/html to make the sockets accessible and adapted the links, but it still doesn't work...
In the current configuration which I've used I get 404 for every PHP file, and thus it claims it can't find e.g. /index.php 404.
I know I'm missing something due to chroot. But I'm new to this topic and have real difficulty setting up this construction.
I really hope I can find help here.
Thank you in advance for your time!
FPM runs its own process, not as part of the apache process (mod_fcgid).
I am looking to run a number of Apache servers which will host websites for multiple clients. I have installed the libapache2-mpm-itk module and have created unique users/groups for each client's set of files, and configured their corresponding vhost file to run the process with that user/group.
<IfModule mpm_itk_module>
AssignUserId www-client www-client1
</IfModule>
This works fine until I try to use PHP sessions. In the vhost file I have also added a custom session save path.
php_admin_value session.save_path "/var/www/html/client1/_php/session"
A PHP script is able to generate session files in the directory with the following permissions but isn't able to read them:
-rw------- www-client1 www-client1
A full example of my vhost is:
<VirtualHost *:443>
ServerName client1.com
ServerAlias client1.com www.client1.com
DocumentRoot /var/www/html/client1/www
ErrorLog /var/www/logs/client1/www-error.log
CustomLog /var/www/logs/client1/www-access.log combined
php_admin_value error_log "/var/www/logs/client1/www-error.php.log"
<Directory /var/www/html/client1/www>
Options None
AllowOverride None
Order Deny,Allow
Allow from All
</Directory>
<IfModule mpm_itk_module>
AssignUserId www-client1 www-client1
</IfModule>
php_admin_value log_errors 1
php_admin_value open_basedir "/var/www/html/client1"
php_admin_value upload_tmp_dir "/var/www/html/client1/_php/upload_tmp"
php_admin_value session.save_path "/var/www/html/client1/_php/session"
php_admin_value soap.wsdl_cache_dir "/var/www/html/client1/_php/soap_cache"
SSLEngine On
SSLCertificateFile /var/www/certs/client1/www.crt
SSLCertificateKeyFile /var/www/certs/client/www.key
</VirtualHost>
I'm running Apache 2.4.41, PHP 7.4.3 on Ubuntu 20.04 and there are no errors being output to any of my log files.
Any ideas/suggestions on this and further enhancements would be very much appreciated.
After a lot of Googling I have found a solution.
I also needed to ensure that php-fpm was installed and adding the following lines of configuration to the Apache VHost pointing to a unique PHP FPM socket per user fixed my issue.
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php/php-fpm-client1.sock|fcgi://localhost"
</FilesMatch>
My PHP FPM configuration file looks like:
vi /etc/php/X/fpm/pool.d/client1.conf
[client1]
user = www-client1
group = www-client1
listen = /run/php/php-fpm-client1.sock
listen.owner = www-client1
listen.group = www-client1
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
php_admin_value[log_errors] = 1
php_admin_value[error_log] = "/var/www/logs/client1/php-error.log"
php_admin_value[open_basedir] = "/var/www/html/client1"
php_admin_value[session.save_path] = "/var/www/html/client1/_php/session"
bash /etc/init.d/php*-fpm restart
I also found that all php_admin_value values defined in the VHost needed to be moved to the FPM pool.
We have upgraded the OS from CentOS 6.9 to CentOS 7 on our server. We have installed "Apache/2.4.6" and "PHP 5.6.36 (fpm-fcgi)" on this server, but we are facing a problem executing PHP code in ".html" files. PHP code works fine in ".php" files but not in ".html" files. I have read many blogs but nowhere is the exact solution mentioned.
Can you please guide us how we can execute PHP code in .html files.
Note : We are using Apache 2.4, PHP-FPM and MPM_worker on centos 7.
After the changes below in the files "/etc/php-fpm.d/www.conf" and "/etc/httpd/conf.d/php.conf":
"security.limit_extensions = .php .php3 .php4 .php5 .htm" // in www.conf
and
SetHandler "proxy:fcgi://127.0.0.1:9000" // in php.conf
PHP code is working in htm files, but due to these changes every html file renders as PHP. We want only PHP code rendered as PHP, not HTML code rendered by PHP.
Your help would be appreciated.
This is how I configure Apache / PHP-FPM for a virtual host. It's not a public server so I'm only using HTTPS. This is from /etc/httpd/conf.d/ssl.conf:
<VirtualHost _default_:443>
DocumentRoot "/home/myvhost/public_html"
ServerName myvirtualhost.com:443
<Directory "/home/myvhost/public_html">
allow from all
Options FollowSymLinks SymLinksIfOwnerMatch
Require all granted
php_admin_value open_basedir /home/myvhost/public_html
</Directory>
SuexecUserGroup myvhost myvhost
ProxyPassMatch ^(/.*\.php)$ fcgi://127.0.0.1:9000/home/myvhost/public_html/$1
<FilesMatch \.php$>
# SetHandler application/x-httpd-php
SetHandler "proxy:fcgi://127.0.0.1:9000"
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</FilesMatch>
</VirtualHost>
And this is from /etc/php-fpm.d/myvhost.conf (copied from the default PHP-FPM configuration file):
[myvirtualhost.com]
user = myvhost
group = apache
listen = 127.0.0.1:9000
security.limit_extensions = .php
So basically you could just copy the "ProxyPassMatch" line and change php to html and do the same thing with "FilesMatch". You can also modify the regex but I'm not really good at that.
As part of a web-based project I work on, we generate new "sites" which are accessed by passing in a different parameter to $_GET. All of the sites live in /usr/local/sites. None of the sites are owned (either user or group) by the user we use (hwphp, www-data is the default apache user still), but the user is in the group so can read all files in the directories.
I have a python script that generates sites and after running it, half the time when I try and visit it by going to http://localhost/index.php?site=newsite I get File not found: /var/local/sites/newsite/config/config.ini though running PHP CLI it can find the file and hwphp user can read it just fine, just when I go through PHP-FPM/Apache it fails.
Here's my pool configuration:
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[submitty]
user = hwphp
group = hwphp
listen = /run/php/php7.0-fpm-submitty.sock
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
and my apache configuration:
<VirtualHost 192.168.56.101:80>
AddDefaultCharset utf-8
ServerAdmin ADMIN@DOMAIN.HERE
ServerName 192.168.56.101
DocumentRoot /usr/local/submitty/site/public
DirectoryIndex index.html index.php index.htm index.cgi
SuexecUserGroup hwphp hwphp
<IfModule mod_fastcgi.c>
AddHandler php7-fcgi .php
Action php7-fcgi /php7-fcgi
Alias /php7-fcgi /usr/lib/cgi-bin/php7-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi -socket /var/run/php/php7.0-fpm-submitty.sock -pass-header Authorization
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler php7-fcgi
</FilesMatch>
<Directory /usr/lib/cgi-bin>
Require all granted
</Directory>
</IfModule>
<Files .*>
Order allow,deny
Deny from all
</Files>
<Files *~>
Order allow,deny
Deny from all
</Files>
<Files #*>
Order allow,deny
Deny from all
</Files>
<Directory />
AllowOverride None
</Directory>
<Directory /usr/local/submitty/site/public>
Require all granted
Order allow,deny
Allow from all
</Directory>
LogLevel error
ErrorLog ${APACHE_LOG_DIR}/submitty.log
CustomLog ${APACHE_LOG_DIR}/submitty.log combined
</VirtualHost>
as soon as I do:
service php7.0-fpm restart
and it works fine and the file is found. Not sure why this might be as it makes no sense (and why a simple restart is what fixes it).
Server is Ubuntu 16.04, using PHP 7 and Apache 2.4, everything from the stock apt-get installs.
The issue ended up being that PHP was doing some caching of the file read which was causing the issues when trying to open the files. Doing a restart of php-fpm flushed the cache and made things just work.
I'm trying to setup my local web server using vagrant. My vagrant shared folder is in my home folder (~/home/vagrant/www) and I want to use bindfs to mount this folder inside /var/www.
These are the specs of my virtual machine:
Apache/2.4.23 (Ubuntu)
PHP 7.0.12
Ubuntu 14.04
I am using php-fpm to execute php scripts but after using bindfs, my site will always return File not found.
Also here is my virtualhost configuration:
<VirtualHost *:80>
ServerName project1.dev
## Vhost docroot
DocumentRoot "/var/www/project1/public"
## Directories, there should at least be a declaration for /var/www/project1/public
<Directory "/var/www/project1/public">
Options Indexes FollowSymlinks MultiViews
AllowOverride All
Require all granted
<FilesMatch "\.php$">
Require all granted
SetHandler proxy:fcgi://127.0.0.1:9000
</FilesMatch>
</Directory>
## Logging
ErrorLog "/var/log/apache2/av_anhk5lpgjldb_error.log"
ServerSignature Off
CustomLog "/var/log/apache2/av_anhk5lpgjldb_access.log" combined
## Server aliases
ServerAlias www.project1.dev
## SetEnv/SetEnvIf for environment variables
SetEnv APP_ENV dev
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
## Custom fragment
</VirtualHost>
Anyone can help me?
I managed to successfully run php-fpm + bindfs in my virtual machine. I just made sure that the user running php-fpm and apache is the one I set in my bindfs command. My apache is run by www-user so I changed my command to sudo bindfs -o perms=0755,mirror-only=www-user,force-group=www-data,force-user=www-user /home/vagrant/www /var/www and made sure that apache is also run by www-user.