php-fpm 5.4.6 + httpd 2.4 + mod_fastcgi + unix socket + chroot = impossible?

Posted by Ro Achterberg 
I've been struggling for days to get the following setup working:

- PHP-FPM (from PHP 5.4.6 core) running with chrooted workers.
- httpd 2.4.3 running in a chroot (virtual host docroots are visible to
Apache).
- mod_fastcgi 2.4.6 acting as a bridge between PHP-FPM and httpd, using
FastCgiExternalServer and communicating over a UNIX socket.

My conclusion after many hours of Googling, experimenting and debugging is
that what I want is simply not possible, without some modifications to
PHP-FPM. The problem lies in the fact that Apache will pass on a
DOCUMENT_ROOT to PHP-FPM that is not visible to the PHP-FPM worker process,
when it's chrooted to the virtual host's DocumentRoot. All attempts at
modifying the DOCUMENT_ROOT environment variable prior to passing it on to
the PHP-FPM worker have failed. I've seen one patch where a new
configuration directive was added, that effectively seemed to strip the
chroot path prefix from the document root. However, I'd rather not modify
production code, without seeing some sort of approval from the PHP team.

I'm wondering whether this is currently being worked on and if I should
await any core patches that will enable me to safely run this setup in a
production environment. Any other insights into making this work
(elegantly) are also more than welcome!

Best regards,
Ro Achterberg

I'm having exactly the same issues, please let me know if you found/find a
solution to this.
Also, I would love to see the patch you came across. When I switch chroot on,
everything goes to pot. After days and days of debugging I think it's
because Apache sends non-chrooted directory information which php-fpm
cannot access. Because PHP-FPM is chrooted but Apache isn't.

Which is what brought me to this group.

Until this is sorted or a solution is found, it's not possible for me to use
FPM.

It seems I have a similar problem to yours, except that the PHP version is
5.3, with Apache 2.2 and libapache2-mod-fastcgi 2.4.6, on Debian Squeeze.

Is there any solution with Apache2? Do you know whether Nginx works with
the chroot option in the conf file?

Below is my problem in detail:

I am using Debian Squeeze and set up PHP-FPM with fastcgi. I have several
virtual hosts defined on the same host. I defined chroot for each pool
configuration, but somehow it is possible to change directory and go above
the root directory defined in the pool conf.

disable_functions in the conf file is not working either. I haven't
figured out the reason.

Sample files are below:

/etc/php5/fpm/pool.d/foo.conf:

[foo]

user = foo
group = foo

listen = 127.0.0.1:9018
listen.allowed_clients = 127.0.0.1

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

chroot = /var/www/foo
chdir = /

php_admin_value[disable_functions] = dir,chdir,opendir,readdir
php_admin_value[doc_root] = /var/www/foo
php_admin_value[open_basedir] = /var/www/foo

access.log = /var/log/$pool.access.log
access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"


/etc/apache2/sites-enables/foo.com:

<VirtualHost 19x.xxx.xxx.xx>
DocumentRoot /var/www/foo
ServerName foo.com

<IfModule mod_fastcgi.c>

FastCgiExternalServer /foocgi/php5-wrapper -host 127.0.0.1:9018 -user foouser -group foogroup


ScriptAlias /foocgi/ /var/www/foo/cgi-bin/

AddHandler php5-fastcgi .php
Action php5-fastcgi /foocgi/php5-wrapper
AddType application/x-httpd-php .php

<Directory /var/www/foo/cgi-bin/>
SetHandler fastcgi-script
Options +ExecCGI
</Directory>

</IfModule>

<Directory /var/www/foo>
allow from all
Options -Indexes SymLinksIfOwnerMatch
</Directory>
</VirtualHost>

/var/www/foo/cgi-bin/php5-wrapper:

#!/bin/sh
PHPRC=/etc/php5/cgi/
export PHPRC
#export PHP_FCGI_MAX_REQUESTS=5000
#export PHP_FCGI_CHILDREN=8
exec /usr/lib/cgi-bin/php


/etc/apache2/mods-enabled/fastcgi.conf:

<IfModule mod_fastcgi.c>
FastCgiConfig -autoUpdate -singleThreshold 100 -killInterval 300 -idle-timeout 240 -maxClassProcesses 1 -pass-header HTTP_AUTHORIZATION
FastCgiWrapper /usr/lib/apache2/suexec

<Directory "/var/www/cgi-bin/">
AllowOverride none
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
</IfModule>


/var/log/foo.access.log is empty, though port 9018 shows as LISTEN in the
netstat output. The site also opens without errors. Any idea about the
chroot problem or how to make the disable_functions work?

--

---
You received this message because you are subscribed to the Google Groups "highload-php-en" group.
To unsubscribe from this group and stop receiving emails from it, send an email to highload-php-en+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
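
The path mismatch described in the first post, and the doc_root and open_basedir values in the pool file above, can be checked mechanically. The following is an added example, not part of the thread and not PHP-FPM code; it assumes that a chrooted worker resolves every path relative to the chroot directory, treats each setting as a single path, and uses hypothetical function names.

```python
import posixpath

# Constructed sample, modelled on the pool file posted above.
SAMPLE_POOL = """\
[foo]
chroot = /var/www/foo
chdir = /
php_admin_value[doc_root] = /var/www/foo
php_admin_value[open_basedir] = /var/www/foo
"""

PATH_KEYS = ("php_admin_value[doc_root]", "php_admin_value[open_basedir]")


def parse_pool(text):
    """Return {key: value} for the settings of one php-fpm pool section."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue  # blank line, comment or section header
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def to_chroot_view(host_path, chroot):
    """Map a host path (as the web server sends it) to the path a chrooted
    worker sees. Returns None when the path lies outside the chroot.
    Lexical only: '..' is collapsed first, symlinks are not resolved."""
    host = posixpath.normpath(host_path)
    root = posixpath.normpath(chroot).rstrip("/")
    if host == (root or "/"):
        return "/"
    if host.startswith(root + "/"):
        return host[len(root):]
    return None


def audit(conf):
    """Heuristic: report path settings that still carry the chroot prefix,
    i.e. are written in host view although the worker runs inside the chroot."""
    chroot = conf.get("chroot")
    findings = []
    for key in PATH_KEYS if chroot else ():
        value = conf.get(key)
        inside = to_chroot_view(value, chroot) if value else None
        if inside is not None:
            findings.append((key, value, inside))
    return findings
```

Each finding is a tuple of setting name, value as written, and the equivalent path as seen from inside the chroot.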
Hi Rob,

Yes, this case is very tricky.. I also played around with:

- Debian Wheezy
- Apache 2.4
- PHP-FPM
- mod_fastcgi
- chroot
- TCP instead of Sockets (mod_proxy_fastcgi)

It seems that there is a bug with mod_proxy_fastcgi which results in
non-compliance with RFC 3875 (wrong PATH_INFO etc.),
so use the environment variable proxy-fcgi-pathinfo.

see:
- http://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html
- https://issues.apache.org/bugzilla/show_bug.cgi?id=51517


Maybe that helps you a little bit..

Regards,
Kevin



On Saturday, 15 September 2012 at 21:06:48 UTC+2, Ro Achterberg wrote:
>
> I've been struggling for days to get the following setup working:
>
> - PHP-FPM (from PHP 5.4.6 core) running with chrooted workers.
> - httpd 2.4.3 running in a chroot (virtual host docroots are visible to
> Apache).
> - mod_fastcgi 2.4.6 acting as a bridge between PHP-FPM and httpd, using
> FastCgiExternalServer and communicating over a UNIX socket.
>
> My conclusion after many hours of Googling, experimenting and debugging is
> that what I want is simply not possible, without some modifications to
> PHP-FPM. The problem lies in the fact that Apache will pass on a
> DOCUMENT_ROOT to PHP-FPM that is not visible to the PHP-FPM worker process,
> when it's chrooted to the virtual host's DocumentRoot. All attempts at
> modifying the DOCUMENT_ROOT environment variable prior to passing it on to
> the PHP-FPM worker have failed. I've seen one patch where a new
> configuration directive was added, that effectively seemed to strip the
> chroot path prefix from the document root. However, I'd rather not modify
> production code, without seeing some sort of approval from the PHP team.
>
> I'm wondering whether this is currently being worked on and if I should
> await any core patches that will enable me to safely run this setup in a
> production environment. Any other insights into making this work
> (elegantly) are also more than welcome!
>
> Best regards,
> Ro Achterberg
>

if only apache would respect RFCs ...

use nginx instead, at least you are in control on what (and how) you're
doing


2013/6/26 Kevin Häfeli <k.haefeli@brandeer.ch>

> Hi Rob,
>
> Yes, this case is very tricky.. I also played around with:
>
> - Debian Wheezy
> - Apache 2.4
> - PHP-FPM
> - mod_fastcgi
> - chroot
> - TCP instead of Sockets (mod_proxy_fastcgi)
>
> It seems that there is a bug with mod_proxy_fastcgi which results in
> non-compliance with RFC 3875 (wrong PATH_INFO etc.),
> so use the environment variable proxy-fcgi-pathinfo.
>
> see:
> - http://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html
> - https://issues.apache.org/bugzilla/show_bug.cgi?id=51517
>
>
> Maybe that helps you a little bit..
>
> Regards,
> Kevin