[SOLVED] Possible bug with PHP version setting

Bug
, ,
1

Hi all,

As suggested by Marko @capote, I investigated NinjaFirewall to replace Wordfence in WordPress.

All was working fine with WordPress and NinjaFirewall in the default directory (/var/lib/html).

When I installed NinjaFirewall in WordPress in a Vhost, it didn’t want to switch to Full WAF.

After exchanging with Marko, he found that in the file /etc/httpd/conf.d/virtualhosts.conf, I have to delete the “/” at the end of the line SetHandler (in 4 lines for each vhost), then restart httpd.

image
image703×117 3.66 KB

After the suppression of the “/(in 4 lines for each vhost), all was working fine and NinjaFirewall was able to swtich to Full WAF in all Vhost directories.

After more investigations, I found that the reason it was working in the default directory and not in the Vhost one, was that in the file /etc/httpd/conf.d/ www.conf , there is no “/” at the end of the line SetHandler :
image

QUESTION #1:
Why there is an ending “/” in /etc/httpd/conf.d/virtualhosts.conf and not in /etc/httpd/conf.d/www.conf ?

QUESTION #2:
Why the difference between GUI 980 and GUI 9090:
GUI 980:

image
image662×535 48.1 KB

GUI 9090:
image

I think the bug is in the setting of the PHP version on both GUIs.

Thank a lot to Marko,

Michel-André

P.S. I prefer to use GUI 980 for the Vhost creation as it will use the name given to the vhost to create the vhost directory as GUI 9090 is using an hex number; is that the reason for the bug?
A name is easier to see than an hex number when you have multiple Vhosts.

1 Like
2

The beginning of investigation:

3

Hi Marko,

I re-read your post:

The first time, I didn’t notice that.

So it is useless to try to take out the ending “/” as it will be put back any time any PHP setting is changed/updated.

The case is worse than I thought,

Michel-André

4

Hi all,

Another weird one:

GUI 980

image
image949×89 4.37 KB

GUI 9090
image

Michel-André

5

For the nethgui php implementation I am guilty, I used php scl of remi, up to php74

For the cockpit php implementation I am too guilty, this time we used rh-php from the official software collections, up to rh-php73

This is why the version are different but when in the same vhost you enable a different php version in cockpit and nethgui, cockpit must win

6

You are using a community module for php.
Here’s a past discussion about it:

7

Salut Stéphane,

My module (remi-safe) is working well as it is not using an ending “/” for the SetHandler for www.
That is the reason why it is possible to switch NinjaFirewall to Full WAF.

So the bug is in “the core package use the official SCL (limited to 7.3 currently)”

What is the solution you recommend for a Vhost as both modules insert an ending “/” for the SetHandler.
Or to put it in another way: Why my module doesn’t insert an ending “/” in www, but insert one for the Vhost

Michel-Andé

8

Salut encore Stéphane,

FILE: /etc/httpd/conf.d/www.conf → no ending “/”

# set a different php version
<Directory "/var/www/html">
  <FilesMatch .php$>
        SetHandler "proxy:fcgi://127.0.0.1:9072"
  </FilesMatch>
</Directory>

FILE: /etc/httpd/conf.d/virtualhosts.conf → ending "/" 
# use php-fpm with mod_proxy_fcgi by socket 
# from Remi repository  instead of the default PHP
<FilesMatch .php$>
  SetHandler "proxy:unix:/var/run/php72-php-fpm/VHOSTNAME-php72.sock|fcgi://localhost/"
</FilesMatch>

This suggest that it is not the module handling the “www” that is causing the problem… or if it is the same module handling both, then it handles “www” differently than the “Vhost”.

Main goal, is it possible to take out the ending “/” ?

Michel-André

9

The www uses the port redirection
The virtualhost uses a linux socket

Too late in my TZ for thinking more :wink:

10

I have no malfunction recognized by removing the “/” from my virtual hosts. I would prefer to correct the the implementation in this way.

Sincerely, Marko

11

Thats why I thought we (means not me :slight_smile: ) can customize the used template to expand the virtualhost.conf.

Sincerely, Marko

12

Bonjour Stéphane,

Après ton p’tit-dej demain matin, :wink:

Unix Domain Socket

By default, FPM listens for incoming requests on a network socket but can use a Unix Domain Socket, which can slightly improve performance.
In Apache httpd configuration: (no ending “/”)

SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"

Now, it is possible to choose PHP version for each directory, from Apache httpd configuration file.
Example: (no ending “/”)

  # Use PHP 7.1 by default
  <FilesMatch \.php$>
    SetHandler "proxy:fcgi://127.0.0.1:9071"
  </FilesMatch>
  # Some legacy application use PHP 5.4
  <Directory /var/www/html/old>
    <FilesMatch \.php$>
      SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>
  </Directory>

Bonne matinée,

Michel-André

13

??

14

Hi Marc,

As it is written: " Double-slashes could be the issue"

And in the recommended follow-up thread:
https://forums.cpanel.net/threads/user-ini-files-not-recursive.601163/

This was fixed as part of internal case HB-2719 in the most recent EasyApache 4 update:

1.0-107 - HB-2719: remove trailing slash from fcgi alias config line in template

Thank you.

Marko suggestion was right, the culprit is the ending “/”.

Michel-André

1 Like
15

Indeed it seems that we have a working solution but buggy in some cases, however the documentation of remi states also to remove the trailling /

another french example, I know you love it.

https://blog.remirepo.net/post/2017/10/28/Astuces-de-configuration-de-PHP

2 Likes
16
1 Like
17
1 Like
18
1 Like
19

I fixed my rpm nethserver-php-scl, could you verify that other ressources using php-fpm are not broken and you fix your issue.

Only for nethgui by now

yum install nethserver-php-scl --enablerepo=stephdl

2 Likes
20

Indeed when I use a phpinfo, I can find this

$_SERVER['SCRIPT_FILENAME'] //usr/share/dokuwiki/phpinfo.php

2 Likes