I was wondering whether knockd http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki would be a good way to be able to restart apache without logging into ssh. But my programming question was whether there is a way to send tcp/udp packages via PHP so I can knock via a webclient.
I am aware that this is not the safest way of doing it, but I will only want to do things like update the svn, restart apache without having any passwords in it like with using ssh to do that.
You may use fsockopen() functions... but what you are doing (and the way you are doing it) is very risky from a security standpoint... as it had been said, ssh is the way :)
If you really want to restart the apache server by using remote access (non-ssh) you can create a small php-daemon that just watches for a specific file (ex: /tmp/restart.apache) and, when that file appears, runs exec("/etc/init.d/apache restart") (or whatever the command is for your distribution). This daemon should run as root... and the thing is that the whole security thing is up to you this way, you have to make sure this cannot get arbitrarily executed...
Your portknock idea... a simple port scanner may restart your apache by mistake :) portknock is recommended to be used in conjunction with an ssh auth, not directly with apache :)
Seriously, you do not want to do what you're trying to do.
You should look into calling your remote server through some sort of secure protocol, like SSH. And on the client side, have a small PHP utility application/script that executes remote SSH commands (preferably with a keyfile only based authentication mechanism).
Why not have a PHP script that calls "svn update"? As long as the files are writeable by the user Apache runs as, it works great. Just hit that URL to update the website.
For SVN you have a whole PHP API, try searching for SVN on php.net
I have developed a web app which shows information in real time from certain actions carried out by different users. For this I use websockets, built in PHP, in a local environment (WAMP) and works fine, but I need this to also work on an external server (web hosting service), which I only have access to through the CPanel and FTP.
Locally I make the websocket work executing next code line through Windows' CMD:
C:\wamp64\bin\php\php7.2.10\php.exe -q C:\wamp64\www\myapp\websocket_daemon.php
My question is, how can I achieve the same result in CPanel, or maybe there is another way?
It is not likely for a shared hosting environment (i.e. Apache with VirtualHost config, PHP, MySQL, and a CPanel interface) to support your websocket application.
For websocket to work, you need to either:
have a port dedicated to websocket in-bound connections; or
have a HTTP/HTTPS server that knows when to upgrade a connection and proxy pass to your websocket application.
To run your own websocket service, you should think about using Virtual Private Server services such as Amazon EC2, DigitalOcean VPS.
For that purpose you will need to have CLI (Command-Line Interface) access to the (Linux) server involved. Assuming that you have such access, running the WS service would look something like
./websocket_daemon.php
The small script assumes that you are in the appropriate folder. However, you need to resolve a few things before you get there:
Step 1: SSH support on your machine
You will need to ensure that your OS supports SSH. Your OS appears to be Windows, so you will need to either install PuTTY or Git Bash. Read about these technologies.
Step 2: Generate an SSH key
In your CPanel, you will need to generate SSH keys:
Click on Manage SSH Keys
Click on Generate a New Key
Use the settings you prefer in order to generate a key, don't worry, you can remove the SSH keys at any time and recreate them if you realize that you prefer a different way to generate them
Read more here: https://docs.cpanel.net/cpanel/security/ssh-access/
SSH keys are composite keys, that is, they consist of a private and a public key. You can share your public key with anyone, but never ever send your private key to anyone. It should be on your computer and possibly saved to backups. Read more about SSH keys here: https://sectigo.com/resource-library/what-is-an-ssh-key
Step 3: Ensure that your computer uses the SSH keys you have generated for CPanel
You will need to tell your OS where the SSH key-pair is located, luckily this is not a new problem, see an exhausting discussion about this topic here: https://serverfault.com/questions/194567/how-do-i-tell-git-for-windows-where-to-find-my-private-rsa-key
Step 4: Test your SSH
Run the following command into your CLI that supports SSH:
ssh <username>@path
If there is no error, then you have successfully tested SSH and you are almost ready to proceed further
Step 5: Upload your Websocket script
You can do this via FTP, as you already know, but you can also do it via SCP. scp would not only let you use your newly created SSH connection and have fun with it, but it's also secure. Syntax:
scp file.txt remote_username@10.10.0.2:/remote/directory
Step 6: SSH to the server
See Step #4.
Step 7: Navigate to your file's location
Step 8: Ensure that you have the rights to run it
See more here: https://alligator.io/workflow/command-line-basics-file-permissions/
Step 9: Execute the file
Run
./websocket_daemon.php
If this succeeded, then the job is basically done, you will need some script to run it upon startup and to manage it, but this is not strictly related to the question.
https://oracle-base.com/articles/linux/linux-scripts-running-in-the-background
https://smallbusiness.chron.com/run-command-startup-linux-27796.html
However, if the issue is not resolved yet, read further
Step 10: Ensuring WS support on server
You will need to set up your own WS support. Since you have managed to do so locally on your Windows, hopefully your know-how will work on the remote Linux as well. If not, read more here:
PHP Websocket server in Linux hosting
We have a PHP application which automates script commands. Many of these are through web interfaces. I want this php application user to be running lots of cli and ssh commands, so I don't really want www-data doing it, as it would involve changing lots of script files to www-data executable permissions, and we want scripts to be entered into web interfaces.
This application is cross-operating system. Ideally on anything that php runs on, but win, mac,
The important things that we need to be able to do are (I think) ...
1) Have a Web Server (It's currently Apache, and that's working cross os so that would be great), that is running under normal settings, normal user, reverse proxied to the below application on the same server.
2) Have a PHP application on a different port, running as its own user that can do whatever it wants.
The ability to just run
php -S localhost:8000
As is available in the built in php web server seems ideal for this. So...
1) Is it safe to use the PHP built in Web Server if it's behind an apache proxy? I'm assuming the fact we are proxying over the entire request anyway means no, since it says not to.
2) Is there another Web Server/PHP Server that can easily do this?
3) Is there a way of running two apache processes to do this?
4) Am I doing this the wrong way entirely? There's another app I know that does it like that, but a Java app and the whole process is started and owned by a non apache user.
Thanks in advance
Apache 2.4 + php-fpm + mod_proxy_fcgi will suit you just fine.
(to elaborate for the downvote -- php-fpm allows the PHP process to run as a separate daemon under its own userid which is exactly the privilege separation requested here)
I have created a simple website that will help me in my many projects by creating a sub domain for each new website project that I take on.
I keep going back to the older websites I've created so I have decided to keep all of them as a sub domain on localhost.
My PHP code works fine to add the information to the relevant files.
But I need to restart Apache for the changes to take effect.
I know PHP runs from the Apache service. Is it possible therefore to stop and start or even restart the Apache service from PHP code?
Yes, with exec()
exec("apachectl restart");
You might want to allow programs to close themselves before just shutting down the server, so I'd recommend:
exec("apachectl graceful");
Make sure PHP doesn't run in safemode (<= PHP 5.3), as these functions won't be available then.
Please note, this is how I restart apache on my server, you might have to adjust the command.
Also think about the permissions. Not all users (and probably not the one running php scripts) have permission to stop the server.
I want to statically assign the IP address of my Arch Linux using PHP. I want to change the IP by using netmask, interface, broadcast, address & gateway. The user puts the values into an HTML page. The HTML page posts the data to the PHP page. I want to change the IP using this data. How to do this?
Files can also be used, right?
I was thinking of writing directly into the rc.conf using files. Will this work, and how? I have my Arch Linux up with Apache & PHP. Any help is appreciated. Thank you :)
You should write yourself a shell-script and launch that via PHP, instead of trying to accomplish such a task with PHP itself.
If you don't know how to do that, you should ask a related question on https://unix.stackexchange.com/.
Why would you use PHP to attempt to configure a server?? You should configure the server using pre-existing tools and commands that are designed for that purpose.
$ su
# ifconfig <interface, typically eth0> down
# ifconfig eth0 192.168.1.105 netmask 255.255.255.0 up
# ifconfig eth0
You COULD wrap those commands in an exec() statement, but I don't see a PHP script having the necessary system permissions to complete them successfully.
In normal conditions, you may not be able to do it from the web server directly due to security.
There are several problems, like permissions on /etc files, the security context of the user under which apache runs, etc.
One secure way is to create a cron task which will run under the root account and regularly check for the existence of some file which can be generated by apache (php).
Once the file appears, you can reconfigure whatever using ifconfig within the cron task, with appropriate privileges, based on the content of this file.
Don't forget that your apache should be configured to use all interfaces and not rely on IP based VirtualHosts or you will immediately lose connection to it.
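A sketch of the root-side cron worker described in the answer above, added here as an example and not part of the original posts. It treats the file written by the web server as untrusted and only accepts an allowlisted interface plus a valid IPv4 address and netmask; the file path, the JSON layout and the interface list are assumptions, and broadcast and gateway are left out to keep it short.

```php
<?php
// Added example: run from root's crontab. Assumes 64-bit PHP 7.4+.
const REQUEST_FILE   = '/var/spool/netcfg/request.json'; // assumed drop location
const ALLOWED_IFACES = ['eth0'];                          // assumed allowlist

/** Turn the untrusted request into an argv array, or return null to reject. */
function build_command(string $json): ?array
{
    $req = json_decode($json, true);
    if (!is_array($req)) {
        return null;
    }
    $iface = $req['interface'] ?? null;
    $addr  = $req['address'] ?? null;
    $mask  = $req['netmask'] ?? null;
    if (!in_array($iface, ALLOWED_IFACES, true)) {
        return null;
    }
    foreach ([$addr, $mask] as $ip) {
        if (!is_string($ip) || filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return null;
        }
    }
    // A netmask is a run of one-bits followed only by zero-bits.
    $m   = ip2long($mask);
    $inv = ~$m & 0xFFFFFFFF;
    if ($m === 0 || ($inv & ($inv + 1)) !== 0) {
        return null;
    }
    // Same ifconfig form as shown earlier on the page, built as separate arguments.
    return ['ifconfig', $iface, $addr, 'netmask', $mask, 'up'];
}

/** Read the request once, refusing symlinks and oversized files, then delete it. */
function take_request(string $path): ?string
{
    if (is_link($path) || !is_file($path) || filesize($path) > 4096) {
        return null;
    }
    $data = file_get_contents($path);
    unlink($path);
    return $data === false ? null : $data;
}

$json = take_request(REQUEST_FILE);
$argv = $json === null ? null : build_command($json);
if ($argv !== null) {
    $proc = proc_open($argv, [0 => ['null']], $pipes); // array form: no shell
    exit(is_resource($proc) ? proc_close($proc) : 1);
}
```

The drop directory should be writable only by the web server account, so that no other local user can plant a request for the root job.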
I want to execute a .exe file on my Apache server using a php script.
the procedure is as follow:
user comes, fills a html form
it goes to a php script
php script executes the name.exe file
php prints the output of the name.exe file on the page.
I execute the name.exe normally from windows like this:
run--> cmd--> D:\name [command]
the name.exe needs to communicate with other files like libraries in the same directory.
the complete command in cmd at windows is like this:
D:\name library.dll [input from user]
then program executes and prints some results in cmd window.
I actually want to run this program on my server from my clients.
I don't know how, but I know there is a way to do this.
Another related question, is there any shell that I can install on Linux server and execute name.exe in it?
Please rethink your solution as this will likely create more problems (particularly security issues) than it solves. By having a PHP script execute your program you run the danger of a user entering the following into your form:
John Doe; rm \windows\*
or
John Doe; rm d:\name\*
You want to limit user input to a very controlled subset so that you won't get malicious command injection.
PHP does provide an exec() but be very careful.
You should escape the user input with escapeshellarg before sending it to the command.
$saferinput = escapeshellarg($input);
system('D:\name library.dll '.$saferinput);
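A stricter variant of the escaping approach above, added here as an example and not part of the original answers: the form value is checked against an allowlist and the program is started from an argument array, so no shell ever parses the input. The allowlist pattern, the `input` field name and the exact program path and working directory are assumptions based on the question.

```php
<?php
// Added example, not from the original answers. Requires PHP 7.4+.
// Assumed: program, library and working directory as described in the question.
const PROGRAM = 'D:\\name.exe';
const LIBRARY = 'library.dll';
const WORKDIR = 'D:\\';

/** Return the trimmed value if it matches the allowlist, otherwise null. */
function validate_input($raw): ?string
{
    if (!is_string($raw)) {
        return null;                       // e.g. input[]=x arrives as an array
    }
    $value = trim($raw);
    // Assumed policy: 1-64 characters from a fixed set; the first one must be
    // alphanumeric so the value can never be read as a command-line option.
    $ok = preg_match('/\A[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}\z/', $value) === 1;
    return $ok ? $value : null;
}

/** Start the program without a shell; return [exit code, combined output]. */
function run_program(string $value): array
{
    $spec = [0 => ['null'], 1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    // Array form: PHP creates the process directly, so ";", "&" and "|"
    // in $value would be plain argument bytes, not shell syntax.
    $proc = proc_open([PROGRAM, LIBRARY, $value], $spec, $pipes, WORKDIR);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . PROGRAM);
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), $out];
}

$value = validate_input($_POST['input'] ?? null);
if ($value === null) {
    http_response_code(400);
    exit('Invalid input');
}
[$code, $out] = run_program($value);
// The program's output is untrusted too: encode it before it reaches the page.
echo '<pre>', htmlspecialchars($out, ENT_QUOTES, 'UTF-8'), '</pre>';
```

Both sample inputs quoted earlier on the page are rejected by the allowlist before any process is started.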
You probably want passthru() or exec().
As for Linux, if name.exe runs well under WINE, you would probably want to use passthru() or shell_exec() and call WINE to run name.exe. I have no idea what name.exe does, so even if it runs under WINE, there's no guarantee that it will actually work.
There is, however no magic shell that allows Linux to execute arbitrary Windows executables.
As noted, be very careful of what you allow to get to exec() or passthru() or anything else that executes code outside of your script. I'm not going to go as far as to say you probably should not be doing whatever it is that you are doing, but I'm not the one working on whatever you are working on :)
This is a very bad idea. Aside from having to grant ridiculous permissions to the user account under which your web server is executing, which effectively gives anyone visiting your site the power to run executables, you run the risk of thread safety issues, file system locking problems, and others.
If you absolutely must use this exe, create a queuing system. Have your site put the form request into a convenient repository (say, a database), and have a service poll the database periodically to run this process. This allows separation of user accounts and associated permissions for the website and the exe, eliminates any concurrent execution issues, and decreases response latency for your site.
Some (cough) languages allow you to create this service and your site code in the same language/technology, but in this case you'll have to break out the .NET or other compiled language in order to create such a service.
I think we can do this by connecting to the server using PHP SSH. There is a library (http://phpseclib.sourceforge.net/) which allows you to connect to the server via SSH. Earlier I tried connecting to the server using telnet and execute .exe. But my school admin has blocked telnet due to security reasons, so I need to work on ssh.