[SOLVED] Possible bug with PHP version setting

Hi all,

As suggested by Marko @capote, I investigated NinjaFirewall to replace Wordfence in WordPress.

All was working fine with WordPress and NinjaFirewall in the default directory (/var/lib/html).

When I installed NinjaFirewall in WordPress in a Vhost, it didn’t want to switch to Full WAF.

After exchanging with Marko, he found that in the file /etc/httpd/conf.d/virtualhosts.conf, I have to delete the “/” at the end of the line SetHandler (in 4 lines for each vhost), then restart httpd.

After the suppression of the “/” (in 4 lines for each vhost), all was working fine and NinjaFirewall was able to switch to Full WAF in all Vhost directories.

After more investigations, I found that the reason it was working in the default directory and not in the Vhost one, was that in the file /etc/httpd/conf.d/www.conf, there is no “/” at the end of the line SetHandler.

QUESTION #1:
Why is there an ending “/” in /etc/httpd/conf.d/virtualhosts.conf and not in /etc/httpd/conf.d/www.conf?

QUESTION #2:
Why the difference between GUI 980 and GUI 9090:
GUI 980:

GUI 9090:

I think the bug is in the setting of the PHP version on both GUIs.

Thanks a lot to Marko,

Michel-André

P.S. I prefer to use GUI 980 for the Vhost creation as it will use the name given to the vhost to create the vhost directory as GUI 9090 is using a hex number; is that the reason for the bug?
A name is easier to see than a hex number when you have multiple Vhosts.

1 Like

The beginning of investigation:

Hi Marko,

I re-read your post:

The first time, I didn’t notice that.

So it is useless to try to take out the ending “/” as it will be put back any time any PHP setting is changed/updated.

The case is worse than I thought,

Michel-André

Hi all,

Another weird one:

GUI 980

GUI 9090

Michel-André

For the nethgui php implementation I am guilty, I used php scl of remi, up to php74

For the cockpit php implementation I am guilty too, this time we used rh-php from the official software collections, up to rh-php73

This is why the versions are different, but when in the same vhost you enable a different php version in cockpit and nethgui, cockpit must win

You are using a community module for php.
Here’s a past discussion about it:

Hi Stéphane,

My module (remi-safe) is working well as it is not using an ending “/” for the SetHandler for www.
That is the reason why it is possible to switch NinjaFirewall to Full WAF.

So the bug is in “the core package use the official SCL (limited to 7.3 currently)”

What is the solution you recommend for a Vhost as both modules insert an ending “/” for the SetHandler?
Or to put it in another way: Why doesn’t my module insert an ending “/” in www, but inserts one for the Vhost?

Michel-André

Hi again Stéphane,

FILE: /etc/httpd/conf.d/www.conf → no ending “/”

# set a different php version
<Directory "/var/www/html">
  <FilesMatch .php$>
        SetHandler "proxy:fcgi://127.0.0.1:9072"
  </FilesMatch>
</Directory>

FILE: /etc/httpd/conf.d/virtualhosts.conf → ending "/"
# use php-fpm with mod_proxy_fcgi by socket 
# from Remi repository  instead of the default PHP
<FilesMatch .php$>
  SetHandler "proxy:unix:/var/run/php72-php-fpm/VHOSTNAME-php72.sock|fcgi://localhost/"
</FilesMatch>

This suggests that it is not the module handling the “www” that is causing the problem… or if it is the same module handling both, then it handles “www” differently than the “Vhost”.

Main goal: is it possible to take out the ending “/”?

Michel-André

The www uses the port redirection
The virtualhost uses a linux socket

Too late in my TZ for thinking more :wink:

I have no malfunction recognized by removing the “/” from my virtual hosts. I would prefer to correct the implementation in this way.

Sincerely, Marko

That's why I thought we (means not me :slight_smile: ) can customize the used template to expand the virtualhost.conf.

Sincerely, Marko

Hello Stéphane,

After your breakfast tomorrow morning, :wink:

Unix Domain Socket

By default, FPM listens for incoming requests on a network socket but can use a Unix Domain Socket, which can slightly improve performance.
In Apache httpd configuration: (no ending “/”)

SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"

Now, it is possible to choose PHP version for each directory, from Apache httpd configuration file.
Example: (no ending “/”)

  # Use PHP 7.1 by default
  <FilesMatch \.php$>
    SetHandler "proxy:fcgi://127.0.0.1:9071"
  </FilesMatch>
  # Some legacy application use PHP 5.4
  <Directory /var/www/html/old>
    <FilesMatch \.php$>
      SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
  </Directory>

Have a good morning,

Michel-André

??

Hi Marc,

As it is written: "Double-slashes could be the issue"

And in the recommended follow-up thread:
https://forums.cpanel.net/threads/user-ini-files-not-recursive.601163/

This was fixed as part of internal case HB-2719 in the most recent EasyApache 4 update:

1.0-107 - HB-2719: remove trailing slash from fcgi alias config line in template

Thank you.

Marko's suggestion was right, the culprit is the ending “/”.

Michel-André

1 Like

Indeed it seems that we have a working solution but buggy in some cases, however the documentation of remi states also to remove the trailing /

Another French example, I know you love it.

https://blog.remirepo.net/post/2017/10/28/Astuces-de-configuration-de-PHP

2 Likes

I fixed my rpm nethserver-php-scl, could you verify that other resources using php-fpm are not broken and you fix your issue.

Only for nethgui by now

yum install nethserver-php-scl --enablerepo=stephdl

2 Likes

Indeed when I use a phpinfo, I can find this

$_SERVER['SCRIPT_FILENAME'] //usr/share/dokuwiki/phpinfo.php

2 Likes
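
A check for the trailing "/" discussed in this thread, as an added example (not part of any post and not NethServer's own code): it lists active SetHandler lines whose proxy fcgi:// target ends in "/", the form the thread ties to the doubled slash in SCRIPT_FILENAME, and prints a corrected copy for review. The function names are assumptions, and the sample config is constructed from the two snippets quoted above.

```shell
#!/bin/sh
# Added example: flag SetHandler proxy targets that end in "/".
# Function names and the sample file are constructed for illustration.

# Print "file:line:text" for each active (non-comment) SetHandler line whose
# fcgi:// target ends in a slash just before the closing quote.
find_trailing_slash_handlers() {
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        awk -v f="$conf" '
            /^[ \t]*#/ { next }
            /SetHandler[ \t]+"?proxy:.*fcgi:\/\/[^" \t]*\/"?[ \t]*$/ {
                sub(/^[ \t]+/, "")
                printf "%s:%d:%s\n", f, NR, $0
            }' "$conf"
    done
}

# Write the config to stdout with that trailing slash removed, for review
# with diff; the input file is not modified.
strip_trailing_slash() {
    sed -E '/^[[:space:]]*#/!s#(SetHandler[[:space:]]+"?proxy:.*fcgi://[^"[:space:]]*[^/"[:space:]])/+("?[[:space:]]*)$#\1\2#' "$1"
}

# Constructed sample built from the two snippets quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
# use php-fpm with mod_proxy_fcgi by socket
<FilesMatch .php$>
  SetHandler "proxy:unix:/var/run/php72-php-fpm/VHOSTNAME-php72.sock|fcgi://localhost/"
</FilesMatch>
<Directory "/var/www/html">
  <FilesMatch .php$>
        SetHandler "proxy:fcgi://127.0.0.1:9072"
  </FilesMatch>
</Directory>
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
find_trailing_slash_handlers "$sample"            # reports line 3 only
strip_trailing_slash "$sample" | grep SetHandler  # both lines, no trailing "/"
rm -f "$sample"
```

On the system in this thread the files to pass would be /etc/httpd/conf.d/virtualhosts.conf and /etc/httpd/conf.d/www.conf; since the thread notes the "/" is put back whenever a PHP setting is changed, the check is worth re-running after such a change.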