I'm having problems with my open files limits when running my script through command line vs through apache.
My apache server is running under the user "apache" and it has its limits overridden in the /etc/security/limits.conf file as follow:
apache soft nofile 10240
apache hard nofile 40960
I've got a simple script that I use for testing:
<?php
system('whoami');
system('ulimit -a | grep open');
When I hit this script through my browser I get:
apache
open files (-n) 1024
But when I run it in command line under user apache I get:
[reza#app pdf]$ sudo -u apache php script.php
apache
open files (-n) 10240
Can someone explain to me what would cause this discrepancy?
(not sure if it's a ServerFault question, feel free to move it there)
Cheers
When you run from the command line, the limits for the apache user apply. When you hit the web server, the limits from the environment that launched the web server apply. You probably want to add ulimit statements to the script that launched the apache web server.
Related
I installed PHP 7 on Red Hat Linux server, but apparently due to running a few commands on the server to configure PHP I have the lost the php-fpm.sock file.
Could anyone please assist me with contents of the file?
Yes that file should be auto generated, do not create the file manually! Ensure that the service is running service php-fpm start If it still fails, check the permissions. Check here for help: /etc/php-fpm.d/www.conf This is your main php-fpm config file. Make sure user, group, listen.owner, listen.group are set to your either nginx or apache user, depending on what web server you use. Also note that listen point to the actual socket file.
We have websites running on a linux server with apache httpd and php. On that server a certain directory from a windows server is mounted as let's say /mnt/some_directory/. I can browse this directory with both WinSCP or SSH, using my own user account.
I can also perform the following in SSH:
php -r "print_r(file_get_contents('/mnt/some_directory/file_name.txt'));"
and see contents of that file.
We need to read a file and parse from that directory in order to import it in the database that is used by the website. But when an fopen or a file_get_contents on the website we get a permission denied error.
I have limited access to the web server (and limited knowledge of *nix and apache configuration), but the administrator that is supposed to resolve this apparently is also lacking this knowledge and I need to have this task resolved,that's why I am asking here.
What the admin did was to set the group and ownership of the mounted directory to"apache", which is the user the httpd process is running as. But that didn't help.
As far as I know access to files outside of the webroot is disallowed by default. Would it be sufficient to set a DIRECTORY directive in httpd.conf for /mnt/some_directory/? Or is there anything else that has to be done?
our team had the same issue, my team-mate was able to resolve this by adding context to mount options.
we are using the following format for mounting windows shared folder to linux that apache will be able to access:
mount -v -t cifs <//$hostname/$(windows shared dir)> <mount directory> -o username="<username>",password=<password>,domain=<domain name>,iocharset=utf8,file_mode=0777,dir_mode=0777,context="system_u:object_r:httpd_sys_content_t:s0"
For example:
mount -v -t cifs //192.168.1.19/sample_dir /mnt/mount_dir -o username="admin",password=adminpwd,domain=MIINTER,iocharset=utf8,file_mode=0777,dir_mode=0777,context="system_u:object_r:httpd_sys_content_t:s0"
Link the mounted directory to your www root dir and name the link "share"
ln -s /mnt/some_directory /path/to/your/www/root/directory/share
than try reading the file
php -r "print_r(file_get_contents('/path/to/your/www/root/directory/share/file_name.txt'));"
...or you can allow (if you have enough privileges to edit the webserver's configuration)
<Directory /mnt/somedirectory >
Allow from All
</Directory>
i have seen the same problem with a cifs mount
linux/unix apache that user can have access to the mounted volume, but not apache.
see also this: EnableSendfile off
but when turned off, apache may work slowly,
in .htaccess, only for the cifs mount path, it should work ... .
http://httpd.apache.org/docs/current/en/mod/core.html
best regards
L.Tomas
Where can I find error log files?
I need to check them for solving an internal server error shown after installing suPHP.
You can use lsof to find open logfiles on your system. lsof just gives you a list of all open files.
Use grep for "log" ... use grep again for "php" (if the filename contains the strings "log" and "php" like in "php_error_log" and you are the root user you will find the files without knowing the configuration).
lsof | grep log
... snip
gmain 12148 12274 user 13r REG 252,1 32768 661814 /home/user/.local/share/gvfs-metadata/home-11ab0393.log
gmain 12148 12274 user 21r REG 252,1 32768 662622 /home/user/.local/share/gvfs-metadata/root-56222fe2.log
gvfs-udis 12246 user mem REG 252,1 55384 790567 /lib/x86_64-linux-gnu/libsystemd-login.so.0.7.1
==> apache 12333 user mem REG 252,1 55384 790367 /var/log/http/php_error_log**
... snip
lsof | grep log | grep php
**apache 12333 user mem REG 252,1 55384 790367 /var/log/http/php_error_log**
... snip
Also see this article on finding open logfiles: Find open logfiles on a Linux system
It works for me. How can we log all PHP errors to a log file?
Just add the following line to file /etc/php.ini to log errors to specified file – file /var/log/php-scripts.log
vi /etc/php.ini
Modify the error_log directive:
error_log = /var/log/php-scripts.log
Make sure display_errors is set to Off (no errors to end users):
display_errors = Off
Save and close the file. Restart the web server:
/etc/init.d/httpd restart
How do I log errors to syslog or Windows Server Event Log?
Modify error_log as follows:
error_log = syslog
How can we see logs?
Login using ssh or download a log file /var/log/php-scripts.log using SFTP:
sudo tail -f /var/log/php-scripts.log
On CentOS with cPanel installed, my logs were in:
/usr/local/apache/logs/error_log
To watch: tail -f /usr/local/apache/logs/error_log
It depends on what OS you are using and which web server.
On Linux and Apache, you can find the Apache error_log in folder /var/log/apache2/.
This will definitely help you,
Enable PHP error logging
Or
In php.ini (vim /etc/php.ini or sudo vim /usr/local/etc/php/7.1/php.ini)
display_errors = Off
log_errors = On
error_log = /var/log/php-errors.log
Make the log file, and writable by user www-data:
sudo touch /var/log/php-errors.log
/var/log/php-errors.log
sudo chown <owner>:www
I am using CentOS 6.6 with Apache and for me error log files are in:
/usr/local/apache/log
This is a preferable answer in most use cases, because it allows you to decouple execution of the software from direct knowledge of the server platform, which keeps your code much more portable. If you are doing a lot of cron or CGI, this may not help directly, but it can be set into a configuration at web runtime that the cron and CGI scripts pull from to keep the log location consistent in that case.
You can get the current log file assigned natively to PHP on any platform at runtime by using:
ini_get('error_log');
This returns the value distributed directly to the PHP binary by the web server, which is what you want in 90% of use cases (with the glaring exception being CGI). CGI will often log to this same location as the HTTP web server client, but not always.
You will also want to check that it is writeable before committing anything to it to avoid errors. The configuration file that defines its location (typically either file apache.conf globally or vhosts.conf on a per-domain basis), but the configuration does not ensure that file permissions allow write access at runtime.
For Unix CLI users:
Most probably the error_log ini file entry isn't set. To verify:
php -i | grep error_log
// error_log => no value => no value
You can either set it in your php.ini CLI file, or just simply quickly pipe all standard error yourself to a file:
./myprog 2> myerror.log
Then quickly:
tail -f myerror.log
I am creating a web application. Part of the functionality is depending on that the user can start/stop a cronjob that imports emails.
It doesn't work.
Just to make sure I'm on the right track, as a starter I just want to make 'crontab -l' from php to work and print it to the web browser.
This is how I do it (handle_email_cronjob.php):
$output = shell_exec('crontab -l');
echo $output;
but all I get is nothing. (doing shell_exec('ls -l'); gives me the list of files/dir in the directory)
cat error_log:
'/var/spool/cron' is not a directory, bailing out.
Well, it is a directory no matter what the error log say. ls -Z /var/spool:
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 cron
SELinux is on and I don't want that to change.
ls -Z /var/spool/cron:
-rwxrwxrwx. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 apache
-rw-------. root root unconfined_u:object_r:cron_spool_t:s0 root
it's apache that should be used. (I did try setting cron_spool_t to apache, but still didn't work.)
ls -Z handle_email_cronjob.php:
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_script_exec_t:s0 handle_email_cronjob.php
I just have a gut feeling that it is related to SELinux, but I can't figure out how to fix it.
What is the problem and how can I fix it? (or is there a better approach for doing this than my?)
After learning how to troubleshoot SELinux I realized that I had to label /var/spool/cron so httpd can read/write to that directory:
chcon -R -t httpd_sys_script_rw_t /var/spool/cron
References:
Understanding audit.log
Troubleshoot SELinux
I get a 502 Bad Gateway with nginx when using spawn fcgi to spawn php5-cgi.
I use this to span an instance on server start using the following line in rc.local
/usr/bin/spawn-fcgi -a 127.0.0.1 -p 9000 -u www-data -g www-data -f /usr/bin/php5-cgi -P /var/run/fastcgi-php.pid
presumably I'm getting the error because the spawn-fcgi / php5-cgi dies and there is nothing listening there anymore to parse php.
I get nothing in the logs that I can see anywhere, I'm out of ideas (and new to this setup with nginx)
I executed my localhost and the page displayed the 502 bad gateway message. This helped me:
Edit /etc/php5/fpm/pool.d/www.conf
Change listen = /var/run/php5-fpm.sock to listen = 127.0.0.1:9000
Ensure the location is set properly in nginx.conf.
Run sudo service php5-fpm restart
Maybe it will help you.
Source from: http://wildlyinaccurate.com/solving-502-bad-gateway-with-nginx-php-fpm
The 502 error appears because nginx cannot hand off to php5-cgi. You can try reconfiguring php5-cgi to use unix sockets as opposed to tcp .. then adjust the server config to point to the socket instead of the tcp ...
ps auxww | grep php5-cgi #-- is the process running?
netstat -an | grep 9000 # is the port open?
Go to /etc/php5/fpm/pool.d/www.conf and if you are using sockets or this line is uncommented
listen = /var/run/php5-fpm.sock
Set couple of other values too:-
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
Don't forget to restart php-fpm and nginx. Make sure you are using the same nginx owner and group name.
You have to match the settings for PHP-FPM and Nginx to communicate over sockets or TCP.
So go to /etc/php5/fpm/pool.d/www.conf and look for this line:
listen = /var/run/php5-fpm.sock
Then go to /etc/nginx/nginx.conf
Look for this:
upstream php {
server unix:/var/run/php5-fpm.socket;
}
Match those values and you should be all set.
If running a linux server, make sure that your IPTABLES configuration is correct.
Execute sudo iptables -L -n , you will recieve a listing of your open ports. If there is not an Iptables Rule to open the port serving the fcgi script you will receive a 502 error. The Iptables Rule which opens the correct port must be listed before any rule which categorically rejects all packets (i.e. a rule of the form "REJECT ALL -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable or similar)
On my configuration, to properly open the port, I had to execute this command (assume my fcgi server is running at port 4567):
sudo iptables -I INPUT 1 -p tcp --dport 4567 -j ACCEPT
WARNING: This will open port 4567 to the whole world.
So it might be better to do something like this:
sudo iptables-save >> backup.iptables
sudo iptables -D INPUT 1 #Delete the previously entered rule
sudo iptables -I INPUT 1 -p tcp --dport 8080 -s localhost -j ACCEPT # Add new rule
Doing this removed the 502 error for me.
change
fastcgi_pass unix:/var/run/php-fpm.sock;
to
fastcgi_pass unix:/var/run/php5-fpm.sock;
When I did sudo /etc/init.d/php-fpm start I got the following error:
Starting php-fpm: [28-Mar-2013 16:18:16] ERROR: [pool www] cannot get uid for user 'apache'
I guess /etc/php-fpm.d/www.conf needs to know the user that the webserver is running as and assumes it's apache when, for nginx, it's actually nginx, and needs to be changed.
You can make nginx ignore client aborts using:
location / {
proxy_ignore_client_abort on;
}
I had the same problem while setting up an Ubuntu server. Turns out I was having the problem due to incorrect permissions on socket file.
If you are having the problem due to a permission problem, you can uncomment the following lines from: /etc/php5/fpm/pool.d/www.conf
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
Alternatively, although I wouldn't recommend, you can give read and write permissions to all groups by using the following command.
sudo chmod go+rw /var/run/php5-fpm.sock
Try disabling the xcache or apc modules. Seems to cause a problem with some versions are saving objects to a session variable.
Hope this tip will save someone else's life. In my case the problem was that I ran out of memory, but only slightly, was hard to think about it. Wasted 3hrs on that. I recommend running:
sudo htop
or
sudo free -m
...along with running problematic requests on the server to see if your memory doesn't run out. And if it does like in my case, you need to create a swap file (unless you already have one).
I have followed this tutorial to create swap file on Ubuntu Server 14.04 and it worked just fine:
http://www.cyberciti.biz/faq/ubuntu-linux-create-add-swap-file/
If you're on Ubuntu, and all of the above has failed you, AppArmor is most likely to blame.
Here is a good guide how to fix it: https://www.digitalocean.com/community/tutorials/how-to-create-an-apparmor-profile-for-nginx-on-ubuntu-14-04
Long story short:
vi /etc/apparmor.d/nginx
Or
sudo aa-complain nginx
sudo service nginx restart
See everything working nicely... then
sudo aa-logprof
I still had problems with Nginx not being able to read error.log, even though it had all the permissions possible, including in Apparomor. I'm guessing it's got something to do with the order of the entries, or some interaction with Passenger or PHP-Fpm... I've run out of time to troubleshoot this and have gone back to Apache for now. (Apache performs much better too FYI.)
AppArmor just lets Nginx do whatever it wants if you just remove the profile:
rm /etc/apparmor.d/nginx
service apparmor reload
Shockingly, but hardly surprising, a lot of posts on fixing Nginx errors resorts to completely disabling SELinux or removing AppArmor. That's a bad idea because you lose protection from a whole lot of software. Just removing the Nginx profile is a better way to troubleshoot your config files. Once you know that the problem isn't in your Nginx config files, you can take the time to create a proper AppArmor profile.
Without an AppArmor profile, especially if you run something like Passenger too, I give your server about a month to get backdoored.
For me the error was in default file of Nginx
located at /etc/nginx/sites-available/default
I noticed the version of php-fpm used was 7.0 and the php version i downloaded was 7.2
I simply changed the version to 7.2 and it worked.
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
Similar setup here and looks like it was just a bug in my code. At the start of my app I looked for the offending URL and this worked: echo '<html>test</html>'; exit();
In my case, turns out the problem was an uninitialized variable that only failed under peculiar circumstances.