My company has a large hosting, but it’s not managed by us, we don't see configuration files, but I want to reply this feature on our local test server.
I’m new in my company and want to start some debug of applications to fix some minors and majors issues to clients, but the amount of files is so big that single error_file is huge.. and there are many people working on this so each time I check log (like 30 secs to 1 min) has hundreds of added lines.
I don’t know if this is set up on Apache, through .htaccess files or in php.ini.
I am talking about PHP errors, but I don't know if this is set in PHP, Apache, or maybe using a third-party library.
I'm not talking about setting a specific folder error_log. I'm talking about if errors are logged in the scripts folder.
Example: I create a folder named test1. Inside it I make some buggy PHP script that throws some errors. When I run the script I can see an error_log file created in the folder. So it works on the fly.
I have tried to ask the hosting company support how they do this, but they haven’t answered me.
I don't know if maybe could be some kind of cPanel setting (BTW, the hosting support stuff doesn't understand this question either, but well.. usually level 1 of support can’t handle technical stuff).
I found it.
You have to set a directive in the php.ini file as follows, string "error_log". On the right side is the file name you want for the log,
error_log = error_log
This will generate a PHP error log in the folder where script executed are,
I'll try to explain.
Script test.php in folder /www/site/lib:
include "./db_conn.php";
If file db_conn.php is not located in the same directory, this will fire a warning and error. Usually this will be lead to the servers/vhost log, but using this directive you will get an error_log file under the /www/site/lib directory.
Why was I looking or this? Well, as I wrote, I'm working on a huge application, with thousands of files many fires warnings, notices, etc. I'm not the only one in the project and the site error_log file was so huge it was hard to keep tracking debug evolution for one or just some files. Now I just have to track the log from directories where I'm working.
You can manage the logs by adding this to your vhost or htaccess file
ErrorLog /path/to/a/writable/directory/error.log
For more information, have a look at this article on advanced PHP error handling via htaccess.
To do this in PHP, edit file php.ini and add the line
error_log = /path/to/where/you/want/your/php-errors.log
Then restart the web server. This should give you PHP errors, and only PHP errors, to that file. Provided, of course, that the scripts aren't written to throw away all errors.
To do it in Apache, you can use SetEnvIf to add an environment variable to any request ending in PHP, and then printing all logs with that particular environment variable. E.g.:
SetEnvIf Request_URI "\.php$" phplog
CustomLog /path/to/php.log env=phplog
To use this in multiple folders, make one environment variable per folder and one CustomLog per folder, like this:
SetEnvIf Request_URI "/folder1/.*\.php$" log_folder1
Customlog /path/to/folder1/php.log env=log_folder1
SetEnvIf Request_URI "/folder2/.*\.php$" log_folder2
Customlog /path/to/folder2/php.log env=log_folder2
Related
I have a VPS with last Debian installed.
I've apache2 and I use this vps to practicing with some friends.
By the way, I'm the only one with root ssh access, they have their own folders and accounts(ftp only), in /var/www/html/xxxxx/
The problem is: while they try new things and learn programming something, they need to see error.log of apache2, but they can't, and I need to check it for them and copy paste the errors.
Is there a way to let them see the error.log?
I tried these
Link the error.log to their folder (and obviously didn't worked)
Make a script that would copy the error.log to folders on file change. (But i'm not that skilled, and totally don't understand how to use something like: inotifywait).
PHP script that copy error.log and paste in a file in the folder (access denied.. and it is the expected behavior!!)
I'm pretty sure there is an easy solution I didn't thought of (like a php code to echo the error 500 content, this solution doesn't involve me directly, but I didn't find how to do)
Sorry for my english and if this question is stupid or already answered, I searched a lot.
Thanks
Apache is storing error logs in ${APACHE_LOG_DIR}/error.log (usually /var/log/apache2/error.log) which is accessible only by root user.
You can specify custom error log location per website in your vhost config
or .htaccess.
You should think about displaying errors instead of logging them at development stage.
Okay, so my error log files are getting filled up really fast due to some unfixable errors (they exist due to the site's design) and it's using up a lot of my webspace pretty fast.
However, I do not need the error_log files at all. I've been looking around and I cannot find a way to stop error_logs in cPanel, so I thought that perhaps I could run a script on each page a user visits that empties or deletes the error_log file.
Is this possible? the error_log file is in the document root of each of my websites
You can disable error logging using corresponding php.ini setting:
http://php.net/manual/en/errorfunc.configuration.php#ini.log-errors
Good morning. I'm having a major issue with my phpBB installation.
I've transfered it to my computer to develop some plugins, so i'm running it on localhost, but, i've created a vHost with the exact same domain he is running online, so, i don't need to change the cookies configuration, and the database connection information is correct already.
Regard all of that, i'm getting a 500 internal server error, which displays no error on the screen nor the logs from apache and php.
I have error reporting on php as E_ALL also. What could be possible causing this, and what the solution might be?
Thanks in advance, Jorge Ferrari.
If you're getting nothing in the Apache / PHP error logs, then it's more likely to be a server configuration issue. I would suspect the problem is in a file called .htaccess in the phpBB folder. It can be used to customize the configuration in various ways, including things like setting up redirects and URL rewriting.
If the htaccess file tries to use an Apache feature which isn't available on the server, then it can generate a 500 error. You can test this by temporarily removing the file, and seeing if the website works at all (albeit possibly with some glitches).
If you've confirmed that it's the source of the problem, then ideally you'll need to enable the missing feature in the server's configuration (or possibly update the Apache installation). Alternatively, you can delete or comment-out the problematic bits of the htaccess file.
Either way, it sounds more like a webserver admin issue than programming. You might have more luck asking on the phpBB forums, or on a different Stack Exchange Q&A site (possibly Server Fault?).
Check whether you have Rewrite module enabled?(most of the this will be the reason)
In httpd.conf and uncomment
LoadModule rewrite_module modules/mod_rewrite.so
If you try to use module which is not loaded you will get 500 internal server error.
Check your modules used in .htaccess file and check httpd.conf whether used modules are loaded
I am a PHP newbie and a have a php security question. Is it possible for somebody to get the source code of a php script file running on a server with default configuration? If so, what is the best way to be protected? I am asking this because I happened to download a php file when I requested a page from a site and what triggered my concerns. I think that maybe apache configuration was wrong and served that file to me like a simple file but I am not sure. Also what is the best place to keep "sensitive" data such as database or smtp configuration?
Thank you,
Alex
For the most sensitive information, I'd suggest putting it outside of your web root folder, and including it through "require" or "include". This way, even is some configuration gets botched on the server, the visitor will only get served the line "include('secret_stuff.php');" and not the actual script.
Exactly what David Dorward said but i would advise you take a look at the following patch(s) that would modify apache to not send source code's regards if there is a misconfiguration.
http://mirror.facebook.net/facebook/patches/ap_source_defense.patch
Patch like so:
cd apache-1.3.x
patch -p1 -i ap_source_defense.patch
More Patches from Facebook Development Team: http://mirror.facebook.net/facebook/patches/
The best way to protect your much needed source is to place them outside the public root directory, as if apache is running it will not be able to serve files directly from the folder up public_html
for example:
C:/server/apache/
C:/server/apache/htdocs/
C:/server/apache/htdocs/includes/
People can specifically view the files my going to
http://hostname.tld/includes/
but having the directory structure of:
C:/server/apache/
C:/server/apache/includes/
C:/server/apache/htdocs/
and then within
C:/server/apache/htdocs/index.php
you have
<?php
require_once('../includes/config.php');
?>
this should protect all major files bar the view file (index.php)
If the server is not configured to handle PHP files, then it will treat them like any other unknown file (and serve them as either text/plain or application/octet-stream.
PHP support is, as far as I know, always provided as an extension or external program (for CGI, FastCGI, etc) and never as a built in for an HTTP server.
If the server is properly configured to run PHP code, then people without direct access to the server cannot view the PHP source code. You don't have to do anything else.
It is only because that server was not configured to run PHP, and instead served it as text, that you could see the source.
If you have this line in your apache.httpd.conf file,
AddType application/x-httpd-php .php
Apache should deal with data, rather than showing them...
Also you need to start php services.
What you describe as "default configuration" is a webserver without php installed (or with php disabled). In these cases, it is certainly possible to download the php script.
Make sure php is installed (as it will be on ~100% of production php servers) and/or block access to your configuration file with an .htaccess file like this:
<FilesMatch "^config.php$">
Order allow,deny
Deny from all
</Files>
If you want to be extra-tricky (and work even on servers where .htaccess files are ignored), prefix the configuration file with .ht, like .ht.config.php. Most Apache(and some other webserver) configurations will refuse serving files beginning with .ht. However, in general, the only way you could be sure no webserver serves your file is to move it to a directory outside of the server's document directory. On most hosts you or your php script won't be able to access those though.
Your second problem are misconfigurations. There's not much you can do, albeit there might(?) be options to construct a rewriterule to prevent accidential accessibility.
The best prevention however is to keep all scripts outside of the DOCUMENT_ROOT. Just leave a single index.php there, and include all dependencies from there. This is also the best strategy to avoid leaking of configuration data (also don't use ini files for sensitive data, but always .php scripts).
Another worry are shared hosting servers however. All concurrent users on a server can read out your scripts (if not through PHP then via Perl/bash CGIs). Nothing you can do about that, unless you change to a professional hoster which supports running everthing through suexec and thus allowing individual permissions.
Well, "default configuration" is a vague term, but as long as the web server is configured to parse .php files through PHP, you should be fine from that angle. If your scripts themselves happen to parse other PHP files (for eg. a template system) then you need to make sure there aren't any loopholes in that too, since the PHP scripts have full access to your files on the server.
Assuming these are taken care of, you don't need to keep the "sensitive" data in any special place -- just put them in your .php files, but make sure all your scripts end in .php (for eg. config.inc.php) so that they are always parsed via PHP and not sent as plain text.
I'm on a VPS environment so I have root access, btw.
So take a look at these issues:
http://www.sonikastudios.com/wp-content/themes/sonikas/scripts/timthumb.php?src=/wp-content/uploads/tedleescreenshot1.jpg&w=100&h=100&zc=1&q=100
That returns a 404 error.
However when I move timthumb.php to the root of the site, it works.
I verified file/folder permissions, it's not the issue. Also, another PHP generated image that i use for Captcha, is doing the same thing...
So essentially it boils down to no .php files running from within folders. However this is not an issue otherwise because PHP scripts I have under /admin/ on other sites work fine.
So... what could cause this? Most forum articles I read lean towards a mod_security problem, but I don't even know where to start, as I'm not an apache expert.
As you have root access, try looking for what is happening in Apache logs. To follow latest request you can use tail.
Which version of Apache you are running? In my configuration of Apache 2.2 you can follow error log in terminal by invoking:
tail -f /var/log/httpd/error_log
It seems that default configuration of Apache 2.2 has error log in /usr/local/apache2/logs/error_log, so my configuration is not default.
If you do not have success with error log, try also looking for information in access log, default location at /usr/local/apache2/logs/access_log.
Same error can occur when the file it self is also writable. Make sure the file is 644 and NOT 666 !
Wordpress is probably using some mod_rewrite rules to send every request to its index.php. And there it’s analyzing the request and returning a 404 status code if one of its internals was requested.
This is a problem with your .htaccess file generated by WordPress. It redirects all requests for your site that aren't wp-admin/ or in your uploads directory to the index.php file for WordPress (the request handler that queries for posts, etc.)
In my case, the following PERMISSION changes solved the (Timthumb.php) issue:
The PHP script must be "644".
All of the parent directories must be "755"; Neither "775" nor "777".