Apache FastCgi, PHP-FPM, Suexec Permission Denied Error - apache

I have set up Apache 2.4 + FastCGI, PHP-FPM and Suexec, which works correctly without Suexec. But when I enable Suexec it gives me a "File does not exist" error (404 Not Found in the browser when I access a PHP script).
Note: the PHP script works through PHP-FPM when I turn "FastCgiWrapper" off, but when I turn it on it gives me a 404 error.
Apache error log (last lines):
[authz_core:debug] [pid 3906:tid 140546979436288] mod_authz_core.c(802): [client 192.168.91.132:58225] AH01626: authorization result of Require all granted: granted
[authz_core:debug] [pid 3906:tid 140546979436288] mod_authz_core.c(802): [client 192.168.91.132:58225] AH01626: authorization result of <RequireAny>: granted
[authz_core:debug] [pid 3906:tid 140546979436288] mod_authz_core.c(802): [client 192.168.91.132:58225] AH01626: authorization result of Require all granted: granted
[authz_core:debug] [pid 3906:tid 140546979436288] mod_authz_core.c(802): [client 192.168.91.132:58225] AH01626: authorization result of <RequireAny>: granted
[core:info] [pid 3906:tid 140546979436288] [client 192.168.91.132:58225] AH00128: File does not exist: /etc/apache2/fcgi-app/info.php
Configuration:
/etc/apache2/mods-available/fastcgi.conf
FastCgiWrapper On
/etc/apache2/suexec/www-data
/var/www/html
/cgi-bin
/etc/apache2/sites-available/example.net.conf
<VirtualHost *:80>
ServerName example.net
ServerAdmin example@example.net
DocumentRoot /var/www/html/example.net/public_html
LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/error.log
SuexecUserGroup example examplegrp
AddHandler php-fcgi-hand .php
Action php-fcgi-hand /php-fcgi-uri
Alias /php-fcgi-uri fcgi-app
FastCgiExternalServer fcgi-app -socket /var/run/php5-fpm-example.sock -pass-header Authorization -idle-timeout 30000 -flush
<Location /php-fcgi-uri>
Require all granted
</Location>
</VirtualHost>
/etc/php5/fpm/pool.d/example.conf
[example]
user = example
group = examplegrp
listen = /var/run/php5-fpm-example.sock
listen.owner = example
listen.group = examplegrp
listen.mode = 0666
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
/var/www/html/example.net/cgi-bin/php.cgi
#!/bin/sh
PHP_FCGI_CHILDREN=5
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=500
export PHP_FCGI_MAX_REQUESTS
exec /var/www/html/example.net/cgi-bin
Folder structure and permissions
/var/www/html/example.net/cgi-bin/php.cgi
/var/www/html/example.net/public_html/info.php
drwxrwxrwx 13 www-data www-data var
|____drwxr-xr-x 5 www-data www-data www
|____drwxr-xr-x 6 www-data www-data html
|____ drwxr-xr-x 4 example examplegrp example.net
|______ drwxr-xr-x 2 example examplegrp cgi-bin
|_____-r-xr-xr-x 1 example examplegrp php.cgi
|______ drwxr-xr-x 2 example examplegrp public_html
|_____-rwxr-xr-x 1 example examplegrp info.php

I wrote this working configuration long ago and it works on Apache 2.4.x, so I'm going to recommend you give it a try: https://gist.github.com/diemuzi/3849349. It's too large to post in an answer here. You'll find all the configurations you'll need. You may even see something I have done differently compared to what you have posted here too.
However, I will also recommend that you stop thinking about using FastCgiExternalServer the way you are trying (and as you will find in my example), and instead look into using mod_proxy_fcgi. This is a much simpler way of connecting to FPM now, and it does support sockets as of recently.
Here is an example of the mod_proxy_fcgi way:
# PHP-FPM via Socket
<IfModule proxy_module>
<IfModule proxy_fcgi_module>
ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/usr/local/php/etc/php-fpm/[USERNAME].sock|fcgi://localhost/vhosts/[DOMAIN]/public/
</IfModule>
</IfModule>
Of course, you will want to change the unix: path and the path to your document root too. Notice the localhost part; that is not a mistake. It really does not matter what you put for localhost, but I figured it looked better. Yes, my domain is accessible via the IP and domain even though it says localhost, so don't let that fool you.
If you want to use the TCP way of using mod_proxy_fcgi you can do it this way too:
# PHP-FPM via TCP
<IfModule proxy_module>
<IfModule proxy_fcgi_module>
<Location ~ ^/(.*\.php(/.*)?)$>
ProxyPass fcgi://127.0.0.1:[PORT]/vhosts/[DOMAIN]/public/
</Location>
</IfModule>
</IfModule>
Of course, make sure the 127.0.0.1:[PORT] matches what you have inside of your FPM pool, so change it accordingly. Again, make sure you change the path to the document root too.
The three answers I've given you are all working examples. I even tested just before I posted this answer.

You ask for Apache to run as user example, but you set the configuration file for user www-data. The documentation says that the config file /etc/apache2/suexec/www-data is read when the Apache user is www-data. I never experimented with that, but it might be that you need to set the config file /etc/apache2/suexec/example. One thing that I find a bit confusing is these two stages: the Apache user, and then the target user, which is allowed to run the target CGI. Suexec runs checks in these two stages. The custom version of suexec allows a different Apache user to run with a different config file, but this is different from the selection of a target user with the SuexecUserGroup Apache directive. We don't need to change the Apache user if we only want to change the target user, the one that will run the CGI. For that purpose, the pristine version is sufficient. Anyway, this is my understanding. I hope it helps someone.
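The conditions suexec applies to the target directory and program are documented (program inside the webspace suexec was given, directory and program not writable by group or others, program not setuid/setgid, both owned by the user:group named in SuexecUserGroup), and they are cheap to re-run by hand before touching Apache. The script below is an added example written for this page, not code from the question or either answer; `suexec_check`, its document-root argument and the usage paths are assumptions, and the uid/gid minimum test (a compile-time value of suexec) is left out.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the question or answers):
# pre-flight the filesystem conditions suexec applies to a target program,
# so a failing condition is named instead of surfacing as a bare 403/404.
# Mirrors the httpd suexec documentation; the uid/gid minimum check (a
# compile-time value) is not reproduced here.

# mode_char MODESTRING POS -> the character at POS of an ls -l mode string
# (1 = type, 2-4 = owner rwx, 5-7 = group rwx, 8-10 = other rwx).
mode_char() { printf '%s' "$1" | cut -c"$2"; }

# suexec_check DOCROOT PROGRAM TARGET_USER TARGET_GROUP
# Returns 0 when every condition holds, 1 otherwise, printing each failure.
suexec_check() {
    docroot=${1%/} prog=$2 tuser=$3 tgroup=$4 fail=0
    dir=$(dirname "$prog")

    # The program's directory must lie inside the webspace suexec was given.
    case $dir/ in
        "$docroot"/*) ;;
        *) echo "FAIL: $dir is outside document root $docroot"; fail=1 ;;
    esac

    # Directory and program: not writable by group or others, and owned by
    # the target user:group named in SuexecUserGroup.
    for p in "$dir" "$prog"; do
        if [ ! -e "$p" ]; then
            echo "FAIL: $p does not exist"; fail=1; continue
        fi
        set -- $(ls -ld "$p")            # $1=mode $3=owner $4=group
        mode=$1 owner=$3 group=$4
        if [ "$(mode_char "$mode" 6)" = w ] || [ "$(mode_char "$mode" 9)" = w ]; then
            echo "FAIL: $p is writable by group or others ($mode)"; fail=1
        fi
        if [ "$owner" != "$tuser" ] || [ "$group" != "$tgroup" ]; then
            echo "FAIL: $p is owned by $owner:$group, expected $tuser:$tgroup"; fail=1
        fi
    done

    # Program only: must be executable and must not be setuid or setgid
    # (an 's' or 'S' in the owner or group execute position).
    if [ -e "$prog" ]; then
        set -- $(ls -ld "$prog"); mode=$1
        case "$(mode_char "$mode" 4)$(mode_char "$mode" 7)" in
            *[sS]*) echo "FAIL: $prog is setuid or setgid ($mode)"; fail=1 ;;
        esac
        if [ ! -x "$prog" ]; then
            echo "FAIL: $prog is not executable ($mode)"; fail=1
        fi
    fi
    return $fail
}

# Usage with the layout from the question (paths are assumptions about yours):
#   sh suexec_check.sh /var/www/html /var/www/html/example.net/cgi-bin/php.cgi example examplegrp
if [ "$#" -eq 4 ]; then
    suexec_check "$@"
fi
```

Run it as root or as the Apache user; the exit status is 0 only when all conditions pass, so it drops straight into a deployment check. Note that the 0777 `var` directory in the question's tree is not something suexec inspects (it only looks at the program's own directory), so the script does not flag it either.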

Related

Apache2.4.6 Webdav not working on Centos7

I have installed Apache 2.4.6 on CentOS 7 (official).
httpd.conf was not changed from the default.
I configured webdav.conf with the following:
DavLockDB /var/www/html/DavLock
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/webdav/
ErrorLog /var/log/httpd/error.log
CustomLog /var/log/httpd/access.log combined
Alias /webdav /var/www/html/webdav
<Directory /var/www/html/webdav>
DAV On
</Directory>
</VirtualHost>
The webdav directory has 755 rights. DavLock was not created.
I keep getting this error and am not sure what the cause might be. I have tried many things without success:
[Fri Jan 29 11:41:17.027110 2021] [dav:error] [pid 15068] [client xxx.xxx.xxx.xxx:53946] The locks could not be queried for verification against a possible "If:" header. [500, #0]
[Fri Jan 29 11:41:17.027134 2021] [dav:error] [pid 15068] [client xxx.xxx.xxx.xxx:53946] Could not open the lock database. [500, #400]
[Fri Jan 29 11:41:17.027137 2021] [dav:error] [pid 15068] (13)Permission denied: [client xxx.xxx.xxx.xxx:53946] Could not open property database. [500, #1]
Any ideas are welcome.
Got it working now.
All files/folders under /var/www/ are chowned to apache.
I moved DavLock to /var/lib/dav/
and added this block to httpd.conf:
<IfModule mod_dav_fs.c>
# Location of the WebDAV lock database.
DAVLockDB /var/lib/dav/DavLock
</IfModule>
At this point I was getting a 403 error. Solved by executing the following:
chcon -R -t httpd_sys_content_rw_t /var/www/html/webdav/

Apache error 403 after redirecting Apache to /media/... path

When moving files from my main disk (where the OS is installed) to a second disk (other storage), I am trying to redirect Apache to the new disk, but this returns error 403. I am running Ubuntu 16.04.
I originally redirected Apache to /home/user/Documents by adding the following lines to the corresponding files:
In /etc/apache2/apache2.conf:
<Directory /home/jawa/Documents/>
#<Directory /media/jawa/R2D2/Webpages>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
and in /etc/apache2/sites-enabled/000-default.conf:
DocumentRoot /home/jawa/Documents
#DocumentRoot /media/jawa/R2D2/Webpages
This worked fine, but since I have moved the files to a new location, I must also redirect Apache.
When trying to redirect Apache to /media/jawa/R2D2/Webpages, I toggle the above comments and restart Apache using sudo service apache2 restart. Visiting localhost in the browser returns error 403, and the command cat /var/log/apache2/error.log gives the following log:
[Wed Dec 27 17:24:48.583062 2017] [core:error] [pid 22343] (13)Permission denied: [client ::1:35704] AH00035: access to / denied (filesystem path '/media/jawa/R2D2') because search permissions are missing on a component of the path
Permissions and owners of both folders:
drwxr-xr-x 2 jawa jawa 4096 dec 27 17:12 Documents
drwxrwxrwx 1 jawa jawa 0 dec 27 16:46 Webpages
What is causing the error and how can it be fixed?
Since we know one works and the other does not, list the permissions of both folder structures:
ls -ld /home/ /home/jawa /home/jawa/Documents
ls -ld /media/ /media/jawa/ /media/jawa/R2D2 /media/jawa/R2D2/Webpages
Once listed, compare the two.
The default permissions are controlled by umask, and this could result in the permissions being different.

apache 2.4 on fresh fedora: AH01630: client denied by server configuration

I've seen hundreds of questions like this, and most of them end up in changing the syntax to the latest Apache version or messing with .htaccess. But not in my case, since I used a fresh F23 install and never played with earlier Apache versions. I'm trying to set up a simple virtual host that binds to one of my IPs. Here is what I put in /etc/httpd/conf.d/internal.conf:
Listen 10.10.1.177:80
<VirtualHost 10.10.1.177:80>
DocumentRoot "/home/www"
DirectoryIndex index.html
ServerName internal:80
<Directory "/home/www">
Options All Indexes FollowSymLinks
Options +Indexes
Require all granted
</Directory>
LogLevel debug
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/internal-error.log
CustomLog /var/log/httpd/internal-access.log combined
</VirtualHost>
When I try:
curl http://10.10.1.17
From another host in that network, first a 403 page appears and then it gets redirected to the default Fedora Apache page. These entries get into the error log:
2016-04-21 22:45:50.610696 AH01626: authorization result of Require all denied: denied
2016-04-21 22:45:50.610724 AH01626: authorization result of <RequireAny>: denied
2016-04-21 22:45:50.610729 AH01630: client denied by server configuration: /home/www/
2016-04-21 22:45:50.610763 AH01626: authorization result of Require all granted: granted
2016-04-21 22:45:50.610771 AH01626: authorization result of <RequireAny>: granted
I just want this virtual server to serve anything that I put to /home/www. What am I missing?
I changed main httpd.conf file to bind to my other network interface.
I have grepped all .conf files for "deny|denied" statements and found only the default "Require all denied" for the "/" directory and .ht files in the main config.
There is a LocationMatch directive in /etc/httpd/conf.d/welcome.conf that is causing this behavior:
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /.noindex.html
</LocationMatch>
Comment out the contents of that file (or empty out that file), but do not remove that file, because a subsequent upgrade of the httpd package will then bring it back. It will not be overwritten if you have modified it locally.

Apache FastCGI server connection failure

I have a virtual machine base box for Debian wheezy that I've been using with Vagrant for the last few months without any issues; however, yesterday, when I brought up a new machine and updated/upgraded packages, I started getting a FastCGI server connection failure error:
[Wed Jun 04 14:39:03 2014] [error] [client 10.0.2.2] (13)Permission denied: FastCGI: failed to connect to server "/vagrant/php5-fcgi": connect() failed
[Wed Jun 04 14:39:03 2014] [error] [client 10.0.2.2] FastCGI: incomplete headers (0 bytes) received from server "/vagrant/php5-fcgi"
I am able to resolve the issue temporarily by manually touching and chmodding /tmp/php5-fpm-vagrant.sock, but my question is: why did it start happening all of a sudden?
Personal preferences aside, is there anything functionally wrong with my configuration?
In my Apache sites-available I have a file called 000php containing:
FastCgiExternalServer /vagrant/php5-fcgi -socket /tmp/php5-fpm-vagrant.sock -pass-header Authorization
Since Apache loads sites alphabetically, this always gets loaded first. Then I have another file called vagrant that contains:
<VirtualHost *:80 *:8080>
DocumentRoot /vagrant/public_html/
ServerName vagrant.localhost
<Directory /vagrant/>
AllowOverride all
</Directory>
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /vagrant/php5-fcgi
ErrorLog ${APACHE_LOG_DIR}/vagrant_error.log
CustomLog ${APACHE_LOG_DIR}/vagrant_access.log combined
</VirtualHost>
and a PHP-FPM pool config called vagrant.conf that looks like this:
[vagrant]
listen = /tmp/php5-fpm-vagrant.sock
listen.allowed_clients = 127.0.0.1
user = vagrant
group = vagrant
pm = ondemand
pm.max_children = 50
Any suggestions would be greatly appreciated.
Figured out the answer: this was caused by https://bugs.php.net/bug.php?id=67060
The fix was to add the following lines to my vagrant.conf PHP-FPM configuration file and restart PHP-FPM (a reload was not enough):
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
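Whether Apache can reach an FPM socket is decided entirely by listen.owner, listen.group and listen.mode: connecting to a unix socket requires write permission on the socket file for the identity the web server runs as. A pool that never set those directives gets the documented defaults (owner and group of the user the FPM master runs as, normally root, and mode 0660), which is why the fix above had to name www-data explicitly, while 0666 as in the first question's pool works but lets every local account talk to the pool. The script below is an added example for this page, not code from the question or the answer; `ini_get`, `fpm_socket_access` and the constructed sample pool files are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the question or answer):
# read listen.owner / listen.group / listen.mode from a PHP-FPM pool file
# and decide whether the Apache user can connect to the socket. connect()
# on a unix socket needs write permission on the socket file, so the
# permission triplet that applies to the web server identity must grant rw.

# ini_get FILE KEY -> value of "KEY = value" with a trailing ';' comment
# stripped; prints nothing when the key is absent.
ini_get() {
    awk -F= -v want="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (key == want) {
              val = $2; sub(/;.*/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
              print val; exit
          } }' "$1"
}

# mode_world_writable MODE -> true when the "other" digit carries the write
# bit, i.e. every local account can connect (the 0666 case).
mode_world_writable() {
    o=$(printf '%s' "$1" | tail -c 1)
    [ $((o & 2)) -ne 0 ]
}

# fpm_socket_access POOLFILE WEBUSER WEBGROUP
# Returns 0 if WEBUSER can connect, 1 otherwise, and prints the reasoning.
fpm_socket_access() {
    pool=$1 webuser=$2 webgroup=$3
    sock=$(ini_get "$pool" listen)
    owner=$(ini_get "$pool" listen.owner)
    group=$(ini_get "$pool" listen.group)
    mode=$(ini_get "$pool" listen.mode)
    # Documented defaults when unset: owner/group = the user the FPM master
    # runs as (root on a stock install), mode 0660. That combination is what
    # leaves Apache with "(13)Permission denied" on connect().
    : "${owner:=root}" "${group:=root}" "${mode:=0660}"
    bits=$(printf '%s' "$mode" | tail -c 3)   # "0660" -> "660"

    if [ "$owner" = "$webuser" ]; then
        digit=$(printf '%s' "$bits" | cut -c1) who=owner
    elif [ "$group" = "$webgroup" ]; then
        digit=$(printf '%s' "$bits" | cut -c2) who=group
    else
        digit=$(printf '%s' "$bits" | cut -c3) who=other
    fi

    if mode_world_writable "$mode"; then
        echo "WARN: $sock is mode $mode: any local user can connect to this pool"
    fi
    if [ $((digit & 6)) -eq 6 ]; then
        echo "OK: $webuser connects to $sock via the $who bits ($owner:$group $mode)"
        return 0
    fi
    echo "FAIL: $webuser cannot connect to $sock ($owner:$group $mode, $who bits apply)"
    return 1
}

# Constructed sample pools (not files from the page) so the script runs offline.
demo() {
    d=$(mktemp -d)
    printf '[a]\nlisten = /var/run/php5-fpm-a.sock\nlisten.owner = example\nlisten.group = examplegrp\nlisten.mode = 0660\n' > "$d/a.conf"
    printf '[b]\nlisten = /var/run/php5-fpm-b.sock\nlisten.owner = www-data\nlisten.group = www-data\nlisten.mode = 0660\n' > "$d/b.conf"
    printf '[c]\nlisten = /tmp/php5-fpm-c.sock\n' > "$d/c.conf"   # defaults only
    for f in "$d"/*.conf; do fpm_socket_access "$f" www-data www-data || :; done
    rm -rf "$d"
}

# Usage: sh fpm_socket_access.sh /etc/php5/fpm/pool.d/vagrant.conf www-data www-data
if [ "$#" -eq 3 ]; then fpm_socket_access "$@"; else demo; fi
```

Of the three constructed pools, only the one owned by www-data passes; the one with the page's defaults fails exactly the way the question's log does. Giving the socket to the web server user with 0660, as the accepted fix does, is the narrowest setting that still works; 0666 is flagged because it widens access to every local account.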

Setting up pow.cx to use Apache for PHP apps

I've set up Pow and Apache the way they suggest in this tutorial. My httpd-vhosts.conf contains the following entry.
<VirtualHost *:80>
DocumentRoot /Users/michael/Dropbox/Development/test
ServerName test.dev
<Directory "/Users/michael/Dropbox/Development/test">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
I'm still getting a 403 Forbidden when I go to http://test.dev/.
Error log says:
[Wed Nov 21 19:24:21 2012] [crit] [client 127.0.0.1] (13)Permission denied: /Users/michael/Dropbox/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Wed Nov 21 19:24:43 2012] [error] [client 127.0.0.1] (13)Permission denied: access to / denied
Has anyone else had this problem?
This seems to have nothing to do with Pow. Apache doesn't have the necessary permissions to work within /Users/michael/Dropbox/Development/test.
Please check the permissions of this directory; I think they should be 755. Check them with:
cd /Users/michael/Dropbox/Development/
ls -l
And copy-paste the line for the test directory.
The issue was the permissions. It finally worked when I chmod'd the full path to the directory I was working in to 755.
~/, ~/Dropbox, ~/Development...etc.
I'll bet there's a nicer way to do this, but it's working. So, there you go.
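This thread and the earlier 403 on /media/jawa/R2D2 come down to the same rule: to reach a file, the Apache user needs the search (execute) bit on every directory along the path, not only on the final one, which is what AH00035 spells out and why chmod 755 had to be applied to ~/, ~/Dropbox and so on. The script below is an added example for this page, not code from either thread; `check_path_search` and its arguments are assumptions. It walks from / to the target and names each directory the web server identity could not enter, using the owner, group or other bits according to who owns that directory. SELinux labels (the chcon step in the WebDAV thread) are a separate layer it does not inspect, and it deliberately does not suggest a fix for the Dropbox case, where opening the home directory to others is a trade-off rather than a default.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from either thread): walk every
# directory from / down to a web root and report the ones the Apache
# identity cannot enter. Apache needs the search (x) bit on each component;
# a missing one yields "(13)Permission denied ... AH00035 ... search
# permissions are missing on a component of the path".

# has_x MODESTRING POS -> true if the execute bit at POS of an ls -l mode
# string is set. Lowercase s/t mean setuid/setgid/sticky *plus* x; uppercase
# S/T mean the special bit without x (so /tmp's drwxrwxrwt still passes).
has_x() {
    case $(printf '%s' "$1" | cut -c"$2") in
        x|s|t) return 0 ;;
        *)     return 1 ;;
    esac
}

# can_search DIR WEBUSER WEBGROUP -> true if WEBUSER may traverse DIR, using
# the owner bits if it owns DIR, the group bits if WEBGROUP owns DIR, and
# the "other" bits otherwise (the usual case for a home directory).
can_search() {
    dir=$1 user=$2 group=$3
    set -- $(ls -ld "$dir")            # $1=mode $3=owner $4=group
    mode=$1 owner=$3 grp=$4
    if [ "$owner" = "$user" ]; then
        has_x "$mode" 4
    elif [ "$grp" = "$group" ]; then
        has_x "$mode" 7
    else
        has_x "$mode" 10
    fi
}

# check_path_search PATH WEBUSER WEBGROUP -> prints each directory on the
# way to PATH that WEBUSER cannot enter; returns 1 if there is any.
check_path_search() {
    target=$1 user=$2 group=$3 rc=0 cur=''
    oldifs=$IFS; IFS=/; set -- $target; IFS=$oldifs
    for part in / "$@"; do
        case $part in
            /)  cur=/ ;;
            '') continue ;;
            *)  cur="${cur%/}/$part" ;;
        esac
        [ -d "$cur" ] || continue      # only directories need the search bit
        if ! can_search "$cur" "$user" "$group"; then
            printf 'missing search permission for %s on %s (%s)\n' \
                "$user" "$cur" "$(ls -ld "$cur" | cut -c1-10)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_path.sh /media/jawa/R2D2/Webpages www-data www-data
if [ "$#" -eq 3 ]; then
    check_path_search "$@"
fi
```

Run it with the DocumentRoot and the User/Group from the Apache configuration; in the /media example it would stop at /media/jawa/R2D2, the component the log names, regardless of the 0777 on Webpages beneath it.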