Welcome! Log In Create A New Profile

Advanced

apache + php-fpm - and chroot

Posted by Anonymous User 
Anonymous User
apache + php-fpm - and chroot
November 10, 2010 01:24PM
Hi,

I managed to get php-fpm and apache2 working, after many failed attempts ;-)

However, when I enable chroot, it only returns a 404 for every requested
php-file.

What is the trick on getting this to work?
Does it matter that the php-fpm is running in a jail?

I use PHP5.3.3 on FreeBSD7.3.

Apache config ist:

AddType application/x-httpd-php .php .php3


<IfModule mod_fastcgi.c>
AddHandler php5-fcgi .php
Action php5-fcgi /cgi-bin/php5-fcgi.external
<Location "/cgi-bin/php5-fcgi.external">
Order Deny,Allow
Deny from All
Allow from env=REDIRECT_STATUS
Options ExecCGI
SetHandler fastcgi-script
</Location>
</IfModule>

In the vhost-config, I have:

FastCgiExternalServer /home/user/cgi-bin/php5-fcgi.external -host
127.0.0.4:9000

In php-fpm.conf I have:

[global]
pid = /var/run/php-fpm.pid
log_level = debug
[www]
listen = 127.0.0.4:9000

user = user
group = user
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35

chroot = /home/user/FTPROOT

chdir =

catch_workers_output = yes

env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/user/tmp
env[TMPDIR] = /home/user/tmp
env[TEMP] = /home/user/tmp





Best Regards,
Rainer
Jérôme Loyet
Re: apache + php-fpm - and chroot
November 10, 2010 02:34PM
2010/11/10 <rainer@ultra-secure.de>:
> Hi,
>
> I managed to get php-fpm and apache2 working, after many failed attempts ;-)
>
> However, when I enable chroot, it only returns a 404 for every requested
> php-file.
>
> What is the trick on getting this to work?
> Does it matter that the php-fpm is running in a jail?
>
> I use PHP5.3.3 on FreeBSD7.3.
>
> Apache config ist:
>
>    AddType application/x-httpd-php .php .php3
>
>
> <IfModule mod_fastcgi.c>
>  AddHandler php5-fcgi .php
>  Action php5-fcgi /cgi-bin/php5-fcgi.external
>  <Location "/cgi-bin/php5-fcgi.external">
>    Order Deny,Allow
>    Deny from All
>    Allow from env=REDIRECT_STATUS
>    Options ExecCGI
>    SetHandler fastcgi-script
>  </Location>
> </IfModule>

can you pastbin you full apache configuration please ?

>
> In the vhost-config, I have:
>
>   FastCgiExternalServer /home/user/cgi-bin/php5-fcgi.external -host
> 127.0.0.4:9000
>
> In php-fpm.conf I have:
>
> [global]
> pid = /var/run/php-fpm.pid
> log_level = debug
> [www]
> listen = 127.0.0.4:9000
>
> user = user
> group = user
> pm = dynamic
> pm.max_children = 50
> pm.start_servers = 20
> pm.min_spare_servers = 5
> pm.max_spare_servers = 35
>
> chroot = /home/user/FTPROOT
>
> chdir =
>
> catch_workers_output = yes
>
> env[HOSTNAME] = $HOSTNAME
> env[PATH] = /usr/local/bin:/usr/bin:/bin
> env[TMP] = /home/user/tmp
> env[TMPDIR] = /home/user/tmp
> env[TEMP] = /home/user/tmp
>
>
>
>
>
> Best Regards,
> Rainer
>
Rainer Duffner
Re: apache + php-fpm - and chroot
November 10, 2010 02:46PM
Am 10.11.2010 um 20:31 schrieb Jérôme Loyet:

> 2010/11/10 <rainer@ultra-secure.de>:
>> Hi,
>>
>> I managed to get php-fpm and apache2 working, after many failed
>> attempts ;-)
>>
>> However, when I enable chroot, it only returns a 404 for every
>> requested
>> php-file.
>>
>> What is the trick on getting this to work?
>> Does it matter that the php-fpm is running in a jail?
>>
>> I use PHP5.3.3 on FreeBSD7.3.
>>
>> Apache config ist:
>>
>> AddType application/x-httpd-php .php .php3
>>
>>
>> <IfModule mod_fastcgi.c>
>> AddHandler php5-fcgi .php
>> Action php5-fcgi /cgi-bin/php5-fcgi.external
>> <Location "/cgi-bin/php5-fcgi.external">
>> Order Deny,Allow
>> Deny from All
>> Allow from env=REDIRECT_STATUS
>> Options ExecCGI
>> SetHandler fastcgi-script
>> </Location>
>> </IfModule>
>
> can you pastbin you full apache configuration please ?



It's here:
http://pastebin.com/ueM6T0eZ




Thanks in advance,

Rainer
Jérôme Loyet
Re: apache + php-fpm - and chroot
November 10, 2010 03:18PM
2010/11/10 Rainer Duffner <rainer@ultra-secure.de>:
>
> Am 10.11.2010 um 20:31 schrieb Jérôme Loyet:
>
>> 2010/11/10  <rainer@ultra-secure.de>:
>>>
>>> Hi,
>>>
>>> I managed to get php-fpm and apache2 working, after many failed attempts
>>> ;-)
>>>
>>> However, when I enable chroot, it only returns a 404 for every requested
>>> php-file.
>>>
>>> What is the trick on getting this to work?
>>> Does it matter that the php-fpm is running in a jail?
>>>
>>> I use PHP5.3.3 on FreeBSD7.3.
>>>
>>> Apache config ist:
>>>
>>>   AddType application/x-httpd-php .php .php3
>>>
>>>
>>> <IfModule mod_fastcgi.c>
>>>  AddHandler php5-fcgi .php
>>>  Action php5-fcgi /cgi-bin/php5-fcgi.external
>>>  <Location "/cgi-bin/php5-fcgi.external">
>>>   Order Deny,Allow
>>>   Deny from All
>>>   Allow from env=REDIRECT_STATUS
>>>   Options ExecCGI
>>>   SetHandler fastcgi-script
>>>  </Location>
>>> </IfModule>
>>
>> can you pastbin you full apache configuration please ?
>
>
>
> It's here:
> http://pastebin.com/ueM6T0eZ
>
>

The problem is :

your DocumentRoot is set to /usr/home/user/FTPROOT/htdocs/. So Apache
ask FPM for file DocumentRoot /usr/home/user/FTPROOT/htdocs/index.php
but FPM is chrooted in DocumentRoot /usr/home/user/FTPROOT. So FPM
tries to open /usr/home/user/FTPROOT/usr/home/user/FTPROOT/htdocs/index.php
which doesn't exist.

I don't know how to configure apache to change this only for PHP file.
It's quite easy with nginx.

You have to reset DOCUMENT_ROOT and SCRIPT_FILENAME to values without
the chroot directory:
DOCUMENT_ROOT /htdocs
SCRIPT_FILENAME /htdocs/index.php

Try to add (not sure it works and event if it's valid):

RewriteRule ^ - [E=DOCUMENT_ROOT:/htdocs,
E=SCRIPT_FILENAME:/htdocs/%{DOCUMENT_URI}]

in the bloc "<Location "/cgi-bin/php5-fcgi.external">"


Try to ask on an apache or mod_fastcgi mailing list for help on this.
Maybe some here has the solution.
Rainer Duffner
Re: apache + php-fpm - and chroot
November 10, 2010 04:44PM
Am 10.11.2010 um 21:15 schrieb Jérôme Loyet:

>>
>
> The problem is :
>
> your DocumentRoot is set to /usr/home/user/FTPROOT/htdocs/. So Apache
> ask FPM for file DocumentRoot /usr/home/user/FTPROOT/htdocs/index.php
> but FPM is chrooted in DocumentRoot /usr/home/user/FTPROOT. So FPM
> tries to open /usr/home/user/FTPROOT/usr/home/user/FTPROOT/htdocs/
> index.php
> which doesn't exist.
>
> I don't know how to configure apache to change this only for PHP file.
> It's quite easy with nginx.
>
> You have to reset DOCUMENT_ROOT and SCRIPT_FILENAME to values without
> the chroot directory:
> DOCUMENT_ROOT /htdocs
> SCRIPT_FILENAME /htdocs/index.php
>
> Try to add (not sure it works and event if it's valid):
>
> RewriteRule ^ - [E=DOCUMENT_ROOT:/htdocs,
> E=SCRIPT_FILENAME:/htdocs/%{DOCUMENT_URI}]
>
> in the bloc "<Location "/cgi-bin/php5-fcgi.external">"
>
>



It says, I cannot have RewriteEngine On there.


I put it in the vhost config instead, but it seems it does not work
either.

Also, it seems to also want to rewrite stuff for the Location-block,
too.
Is that supposed to happen.



> Try to ask on an apache or mod_fastcgi mailing list for help on this.
> Maybe some here has the solution.



Thanks a lot so far.



Best Regards,
Rainer
Rainer Duffner
Re: apache + php-fpm - and chroot
November 10, 2010 04:58PM
Am 10.11.2010 um 22:41 schrieb Rainer Duffner:

>
>
> It says, I cannot have RewriteEngine On there.
>
>
> I put it in the vhost config instead, but it seems it does not work
> either.
>
> Also, it seems to also want to rewrite stuff for the Location-block,
> too.
> Is that supposed to happen.
>


I should add, from the rewrite log:
217.71.83.52 - - [10/Nov/2010:22:39:50 +0100] [www.hotelwalther.ch/sid#485be2f0
][rid#48b09058/initial] (5) setting env variable 'DOCUMENT_ROOT' to '/
htdocs'
217.71.83.52 - - [10/Nov/2010:22:39:50 +0100] [www.hotelwalther.ch/sid#485be2f0
][rid#48b09058/initial] (5) setting env variable 'SCRIPT_FILENAME' to
'/htdocs/'


So, somehow this DOCUMENT_URI variable does not exist or is empty.




Rainer
Ben
Re: apache + php-fpm - and chroot
November 22, 2010 10:42PM
The problem probably is your Apache config, which doesn't resolve URI
to FastCgiExternaServer.

I would suggest you to edit your apache config as following:

# Register a custom handler and point to a fake script
# We will use the fake script later
AddHandler php5-fcgi .php ( Or use FilesMatch + SetHandler
combination, which is more correct way )
Action php5-fcgi /path/to/fastcgi/phpfpm-server.handler

# Setup FastCgiExternalServers as many as you want
# you just need to make sure your php-fpm has a pool to listen to
the -host or -socket
# socket would be faster in Unix
FastCgiExternalServer /path/to/fastcgi/phpfpm-server -host
127.0.0.4:9000

# Don't forget to enable path access to /path/to/fastcgi for Apache
# if your apache other directory config didn't allow access to the
path, you will get wrong
# message. You don't need to set fastcgi-script handler or ExecCGI
here, which is for
# dynamic fastcgi.
# We put both two fake scripts under the same directory is just for
management purpose.
#
<Directory /path/to/fastcgi>
# other directives if you want, or just skip here
....
Option None ( no need ExecCGI )
AllowOverride none
....

# allow Apache to access the fastcgi directory
Order deny,allow
allow from all
</Directory>

# Just use the alias to point to FastCgiExternalServer, so Apache
can resolve URI to
# FastCgiExternalServer

# You also can use ScriptAlias, but we don't need to treat phpfpm-
server as a CGI script.
# phpfpm-server is just another fake URI for apache to resolve to,
and send request to
# FastCgiExternalServer. Please note, use FastCgiExternalserver,
mod_fastcgi won't manage
# the fastcgi processes, it just simply treat php-fpm as a server
independently.
# If you use action directive to point to FastCgiExteranlServer
directly, you'll get 404 not found

Alias /path/to/fastcgi/phpfpm-server.handler /path/to/fastcgi/phpfpm-
server

On Nov 10, 9:52 pm, rai...@ultra-secure.de wrote:
> Hi,
>
> I managed to get php-fpm and apache2 working, after many failed attempts ;-)
>
> However, when I enable chroot, it only returns a 404 for every requested
> php-file.
>
> What is the trick on getting this to work?
> Does it matter that the php-fpm is running in a jail?
>
> I use PHP5.3.3 on FreeBSD7.3.
>
> Apache config ist:
>
>     AddType application/x-httpd-php .php .php3
>
> <IfModule mod_fastcgi.c>
>   AddHandler php5-fcgi .php
>   Action php5-fcgi /cgi-bin/php5-fcgi.external
>   <Location "/cgi-bin/php5-fcgi.external">
>     Order Deny,Allow
>     Deny from All
>     Allow from env=REDIRECT_STATUS
>     Options ExecCGI
>     SetHandler fastcgi-script
>   </Location>
> </IfModule>
>
> In the vhost-config, I have:
>
>    FastCgiExternalServer /home/user/cgi-bin/php5-fcgi.external -host
> 127.0.0.4:9000
>
> In php-fpm.conf I have:
>
> [global]
> pid = /var/run/php-fpm.pid
> log_level = debug
> [www]
> listen = 127.0.0.4:9000
>
> user = user
> group = user
> pm = dynamic
> pm.max_children = 50
> pm.start_servers = 20
> pm.min_spare_servers = 5
> pm.max_spare_servers = 35
>
> chroot = /home/user/FTPROOT
>
> chdir =
>
> catch_workers_output = yes
>
> env[HOSTNAME] = $HOSTNAME
> env[PATH] = /usr/local/bin:/usr/bin:/bin
> env[TMP] = /home/user/tmp
> env[TMPDIR] = /home/user/tmp
> env[TEMP] = /home/user/tmp
>
> Best Regards,
> Rainer
Anonymous User
Re: apache + php-fpm - and chroot
November 23, 2010 11:32AM
> The problem probably is your Apache config, which doesn't resolve URI
> to FastCgiExternaServer.
>
> I would suggest you to edit your apache config as following:


Hi Ben,

I got this working, but still not with chroot :-(
I only get chroot working with nginx.

Do you have it working with chroot?



Best Regards,
Rainer
Ben
Re: apache + php-fpm - and chroot
November 24, 2010 12:20PM
Yes...I've just done the test.

Actually I don't know how to break the chroot/jail to access the php
files.I've tried symlink, but failed.
I'm using FreeBSD 8.1, I guess FreeBSD won't allow a symlink traverse
'up' the chroot.
e.g./home/benpptung/chroot/path/to/php/files --> /path/to/php/files

So, I copied the PHP files directly to the chroot, say /home/benpptung/
chroot/path/to/php/files, then PHP-FPM works.




On Nov 24, 12:31 am, rai...@ultra-secure.de wrote:
> > The problem probably is your Apache config, which doesn't resolve URI
> > to FastCgiExternaServer.
>
> > I would suggest you to edit your apache config as following:
>
> Hi Ben,
>
> I got this working, but still not with chroot :-(
> I only get chroot working with nginx.
>
> Do you have it working with chroot?
>
> Best Regards,
> Rainer
Ben
Re: apache + php-fpm - and chroot
November 24, 2010 09:00PM
On Nov 25, 1:18 am, Ben <benppt...@gmail.com> wrote:
> Yes...I've just done the test.
>
> Actually I don't know how to break the chroot/jail to access the php
> files.I've tried symlink, but failed.


Sorry, I've found a method to allow "PHP-FPM under chroot" and Apache
to share the same files.
Per my previous experience, I cannot allow PHP-FPM to symlink traverse
'up' the chroot, so I do it in a reverse way.
I put a symlink for Apache to link to the folder under chroot, e.g /
htdocs --> /home/benpptung/chroot/htdocs
Then, everything works.
Anonymous User
Re: apache + php-fpm - and chroot
November 26, 2010 05:18AM
>
>
> On Nov 25, 1:18 am, Ben <benppt...@gmail.com> wrote:
>> Yes...I've just done the test.
>>
>> Actually I don't know how to break the chroot/jail to access the php
>> files.I've tried symlink, but failed.
>
>
> Sorry, I've found a method to allow "PHP-FPM under chroot" and Apache
> to share the same files.
> Per my previous experience, I cannot allow PHP-FPM to symlink traverse
> 'up' the chroot, so I do it in a reverse way.
> I put a symlink for Apache to link to the folder under chroot, e.g /
> htdocs --> /home/benpptung/chroot/htdocs
> Then, everything works.


High,

I tried this, and it works.

To clarify:

I have
chroot=/home/user/FTPROOT
in php-fpm.conf

in apache, it is:
DocumentRoot /usr/home/user/FTPROOT/htdocs/

on the filesystem:


server# ll /home/user/FTPROOT/
total 4
lrwxr-xr-x 1 user user 31 Nov 26 10:05 htdocs ->
usr/home/user/FTPROOT/htdocs
drwxr-xr-x 2 user user 512 Nov 26 09:59 tmp
drwxr-xr-x 3 user user 512 Nov 26 10:04 usr

I wish, there would be a more elegant solution (apart from just using nginx)



Rainer
Ben
Re: apache + php-fpm - and chroot
November 26, 2010 06:36AM
>
> High,
>
> I tried this, and it works.
>
> To clarify:
>
> I have
> chroot=/home/user/FTPROOT
> in php-fpm.conf
>
> in apache, it is:
> DocumentRoot /usr/home/user/FTPROOT/htdocs/
>
> on the filesystem:
>
> server# ll /home/user/FTPROOT/
> total 4
> lrwxr-xr-x  1 user  user   31 Nov 26 10:05 htdocs ->
> usr/home/user/FTPROOT/htdocs
> drwxr-xr-x  2 user  user  512 Nov 26 09:59 tmp
> drwxr-xr-x  3 user  user  512 Nov 26 10:04 usr
>
> I wish, there would be a more elegant solution (apart from just using nginx)
>
> Rainer

Yes...glad to see your php-fpm working under chroot with apache.
and Sorry to assume your apache config has problem. It's my
mistake..sorry..^_^
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 227
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready