Froxlor Forum
gunnyst

PHP-FPM Security (Limit Extensions)

Question

Hello again, hope you don't mind me coming up with another issue (including proposal for solution obviously).

I had another issue using PHP-FPM, where I cannot get my .XML files parsed by the PHP interpreter even though I have this in my .htaccess:

<FilesMatch "\.(xml)$">
  SetHandler php5-fastcgi
  Action php5-fastcgi /fastcgiphp
  Options +ExecCGI
</FilesMatch>

It turns out that there is a limit imposed by the security.limit_extensions setting which defaults to .php only. My .XML files are used in order to automatically return the correct autodiscover/autoconfig settings to Outlook/Thunderbird and the like and therefore need to be "dynamic XML files", but I could imagine someone else needing .phps or the like...

Currently I have gone so far as to add some stuff to /var/www/froxlor/lib/classes/phpinterface/class.phpinterface_fpm.php @ 248:

if ($this->_domain['domain'] == 'autodiscover.mydomain.tld') {
        $fpm_config.= 'security.limit_extensions = .php .xml'."\n";
}

But again, this could be a new string-based setting in the new PHP-FPM versions section.

(Slowly I'll get in touch with the code structure I promise...)

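An added example, not part of the original post or of Froxlor's code: a small Python check that reads php-fpm pool configuration and reports every pool whose security.limit_extensions is wider than .php or is empty (an empty value lets FPM run any extension). The sample config, the pool names other than autodiscover.mydomain.tld, and the .php baseline are assumptions.

```python
import re

# Assumption: ".php" alone is the baseline, matching the default the post describes.
BASELINE = {".php"}

# Constructed sample pool configuration, not taken from a real server.
SAMPLE = """\
; constructed sample
[www.example.tld]
user = web1
security.limit_extensions = .php

[autodiscover.mydomain.tld]
security.limit_extensions = .php .xml

[legacy.example.tld]
security.limit_extensions =
"""

def parse_pools(text):
    """Return {pool_name: {directive: value}} from php-fpm pool config text."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = pools.setdefault(section.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return pools

def audit_limit_extensions(text):
    """Return {pool: finding} for each pool that deviates from BASELINE."""
    findings = {}
    for name, directives in parse_pools(text).items():
        if "security.limit_extensions" not in directives:
            continue  # directive not set: the FPM default applies
        extensions = set(directives["security.limit_extensions"].split())
        extra = extensions - BASELINE
        if not extensions:
            findings[name] = "empty value: every extension is executable"
        elif extra:
            findings[name] = "extra extensions: " + " ".join(sorted(extra))
    return findings
```

Any file with a listed extension that the pool is asked to run is handed to the PHP interpreter, so a widened list belongs only on a dedicated pool such as the autodiscover host above.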

5 answers to this question


Will be a setting in the next version, currently testing my changes :)


great thx! I've been working all day using the version from yesterday and haven't noticed anything amiss so far... have a nice evening!


It's all in the git repo ;) Have fun testing. Feedback is very welcome.

