Froxlor Forum
gunnyst

PHP-FPM Security (Limit Extensions)

Question

Hello again, hope you don't mind me coming up with another issue (including proposal for solution obviously).

I had another issue using PHP-FPM, where I cannot get my .XML files parsed by the PHP interpreter even though I have this in my .htaccess:

<FilesMatch "\.(xml)$">
  SetHandler php5-fastcgi
  Action php5-fastcgi /fastcgiphp
  Options +ExecCGI
</FilesMatch>

It turns out that there is a limit imposed by the security.limit_extensions setting which defaults to .php only. My .XML files are used in order to automatically return the correct autodiscover/autoconfig settings to Outlook/Thunderbird and the like and therefore need to be "dynamic XML files", but I could imagine someone else needing .phps or the like...

Currently I have gone so far as to add some stuff to /var/www/froxlor/lib/classes/phpinterface/class.phpinterface_fpm.php @ 248:

if ($this->_domain['domain'] == 'autodiscover.mydomain.tld') {
        $fpm_config.= 'security.limit_extensions = .php .xml'."\n";
}

But again, this could be a new string-based setting in the new PHP-FPM versions section.

(Slowly I'll get in touch with the code structure I promise...)

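As an added example (not Froxlor's code and not the poster's patch) of how such a string-based setting could be written into a pool file: the per-domain "limit_extensions" key and both function names are hypothetical. It also shows why the value must never be emitted empty, since php-fpm treats an empty security.limit_extensions as "allow every extension", which would let any uploadable file in a customer's web root be executed as PHP.

```php
<?php
// Added example, not Froxlor's own code: build the php-fpm pool line for
// security.limit_extensions from a free-text per-domain setting.
// php-fpm's own pool template notes that an EMPTY value allows all
// extensions, so a typo must never silently disable the protection.

/**
 * Normalise "php, .xml  .PHPS" -> ".php .xml .phps"; fall back to $default
 * when nothing valid is left, so the line is never written empty.
 */
function normalizeLimitExtensions(string $setting, string $default = '.php'): string
{
    $out = [];
    foreach (preg_split('/[\s,]+/', strtolower($setting), -1, PREG_SPLIT_NO_EMPTY) as $tok) {
        $tok = '.' . ltrim($tok, '.');
        // Accept only a dot followed by alphanumerics: no paths, globs or spaces.
        if (preg_match('/^\.[a-z0-9]+$/', $tok) === 1 && !in_array($tok, $out, true)) {
            $out[] = $tok;
        }
    }
    return $out === [] ? $default : implode(' ', $out);
}

/**
 * Emit the pool fragment for one domain. Only a domain that explicitly asks
 * for extra extensions (the autodiscover host in the thread) gets them;
 * every other pool keeps the php-fpm default of .php only.
 */
function fpmLimitExtensionsLine(array $domain): string
{
    $setting = $domain['limit_extensions'] ?? '';   // hypothetical per-domain setting
    return 'security.limit_extensions = ' . normalizeLimitExtensions($setting) . "\n";
}

// Constructed sample domains (not taken from the forum post):
$domains = [
    ['domain' => 'www.example.tld',          'limit_extensions' => ''],
    ['domain' => 'autodiscover.example.tld', 'limit_extensions' => '.php .xml'],
    ['domain' => 'typo.example.tld',         'limit_extensions' => ' , ../*.xml '],
];
foreach ($domains as $d) {
    echo $d['domain'] . ': ' . fpmLimitExtensionsLine($d);
}
```

The third sample shows the fallback: a malformed value is dropped rather than written out, so the pool keeps .php only instead of losing the restriction altogether.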

5 answers to this question


Will be a setting in the next version, currently testing my changes :)


great thx! I've been working all day using the version from yesterday and haven't noticed anything amiss so far... have a nice evening!


It's all in the git repo ;) have fun testing. Feedback is very welcome.

