I have a VPS server (CentOS 6.5) running Apache 2.2.4 and PHP-FPM (FastCGI Process Manager). Looking in the php-fpm error_log, I've noticed an error with every spawned php-fpm child process:
WARNING: [pool www] child 24086 said into stderr: "ERROR: Unable to set php_value 'soap.wsdl_cache_dir'"
I couldn't find any info on this warning by googling. Is anybody aware of what this means and how to get rid of this warning?
UPDATE 1:
fastcgi.conf for apache:
User apache
Group apache
LoadModule fastcgi_module modules/mod_fastcgi.so
<IfModule mod_fastcgi.c>
DirectoryIndex index.php index.html index.shtml index.cgi
AddHandler php5-fcgi .php
# For monitoring status with e.g. Munin
<LocationMatch "/(ping|status)">
SetHandler php5-fcgi-virt
Action php5-fcgi-virt /php5-fcgi virtual
</LocationMatch>
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /tmp/php5-fpm.sock -pass-header Authorization
</IfModule>
# global FastCgiConfig can be overridden by FastCgiServer options in vhost config
FastCgiConfig -idle-timeout 20 -maxClassProcesses 1
And here is the php-fpm.conf and pool configuration for php:
pid = /var/run/php-fpm/php-fpm.pid
daemonize = yes
; Start a new pool named 'www'.
[www]
listen = /tmp/php5-fpm.sock
group = apache
pm = dynamic
pm.max_children = 8
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.status_path = /status
ping.path = /ping
catch_workers_output = yes
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
Everything else is on defaults.
UPDATE 2:
After manually creating /var/lib/php/wsdlcache directory as suggested and setting permissions to 770 and owner to root:apache, I hoped that I won't see the error again, but unfortunately after restarting php-fpm process the error is there again and this becomes something really very strange.
P.S. Maybe this question is more appropriate for serverfault, but generally there are more experts in php and apache configuration on stackoverflow.
I hate such trivial solutions. Finally I've found the problem and solution by myself. Leaving it here for reference for others with some pre-history.
The FastCGI configuration files were taken from the internet when first configuring FastCGI, as I hadn't used it before. Tutorials showing FastCGI configuration contained the line php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache. I became really interested in what SOAP is, as I don't use it on the websites that I run on this server, and this curiosity brought me the solution. Actually I don't need SOAP and simply removing that line would fix the problem I guess, but I've decided to leave it there and found out that I simply needed to install php-soap.
yum install php-soap
For RHEL/CentOS
After restarting php-fpm I don't get the error on respawning fpm processes.
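The cause found in this answer (a pool directive for an extension that is not loaded), as an added Python check that is not code from the original posts: it lists pool directives whose extension is missing from the module list. The `php -m` output is constructed, the function names are hypothetical, and mapping an ini key `ext.name` to an extension called `ext` is a heuristic assumption.

```python
import re

# Matches php_value[...], php_admin_value[...], php_flag[...] and
# php_admin_flag[...] lines of a php-fpm pool file.
POOL_DIRECTIVE = re.compile(
    r'^php_(?:admin_)?(?:value|flag)\[(?P<key>[^\]]+)\]\s*=')

# Assumption: an ini key "ext.name" is registered by the extension "ext".
# Names that do not follow that pattern are listed here.
ALIASES = {"opcache": "zend opcache"}

# Constructed `php -m` output for a host without php-soap installed.
SAMPLE_PHP_M = """\
[PHP Modules]
Core
date
session
standard

[Zend Modules]
"""

# Directives copied from the pool configuration in the question.
SAMPLE_POOL = """\
; Start a new pool named 'www'.
[www]
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
"""

def parse_modules(php_m_output):
    """Return the loaded module names, lower-cased, from `php -m` output."""
    return {line.strip().lower()
            for line in php_m_output.splitlines()
            if line.strip() and not line.lstrip().startswith("[")}

def unregistered_directives(pool_conf, modules):
    """Return (ini_key, extension) pairs whose extension is not loaded."""
    missing = []
    for raw in pool_conf.splitlines():
        match = POOL_DIRECTIVE.match(raw.strip())
        if not match:
            continue  # comments, section headers, non-PHP pool settings
        key = match.group("key").strip()
        if "." not in key:
            continue  # core setting such as error_log, no extension prefix
        prefix = key.split(".", 1)[0].lower()
        extension = ALIASES.get(prefix, prefix)
        if extension not in modules:
            missing.append((key, extension))
    return missing

if __name__ == "__main__":
    loaded = parse_modules(SAMPLE_PHP_M)
    for key, ext in unregistered_directives(SAMPLE_POOL, loaded):
        print(f"{key}: extension '{ext}' is not loaded")
```

The check assumes the CLI and the FPM workers load the same extensions; if they use different ini files, the module list has to come from the FPM side.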
You're getting that message if the directory /var/lib/php/wsdlcache specified in your pool configuration doesn't exist and cannot be created by the PHP worker either. Note that the PHP worker is not running as root, but as user apache (which is great for security and should be kept that way!), therefore it most likely doesn't have write permissions in /var/lib. Keep also in mind that workers can be chrooted (your config doesn't look like you're doing it, but one can) - in that case, the directory has, of course, to be inside the chroot jail.
Create that directory and modify the access rights so that apache is able to read and write into it and everything should be fine.
Pretty sure you can't use php_value with (fast) CGI. You might want to look at user.ini files if using a version of PHP newer than 5.3.0 and needing PHP_INI_PERDIR ini settings.
Since PHP 5.3.0, PHP includes support for configuration INI files on a
per-directory basis. These files are processed only by the CGI/FastCGI
SAPI. This functionality obsoletes the PECL htscanner extension. If
you are using Apache, use .htaccess files for the same effect.
UPDATE: Didn't see it was pool www. As Johannes H. observes: "You can use php_value inside the pool-configuration of php-fpm...". My original answer only really applies for per-directory tweaks. See Johannes' comment below.
I'm having trouble setting Lucee to run on Apache on a CentOS 9 machine.
The steps I've followed are below:
Installed .run file from https://downloads.lucee.org
Left the default for apachectl, httpd conf and http modules (I've already checked and it seems they're correct, I can provide the values if you need)
Set Tomcat to run on port 8888, the default value (Tomcat is in fact running because I can access it externally)
Accepted to install Apache connector
Accepted to install mod_cfml
Then, when Lucee is being installed, I get a post-install step error, mentioning that the installation may not complete correctly:
Error running /opt/lucee/sys/install_mod_proxy.sh -m install -t 8888 -f
/etc/httpd/conf/httpd.conf -c /usr/sbin/apachectl: apachectl: The "-M" option is
not supported.
apachectl: The "-M" option is not supported.
But the installation process ends and everything seems to be fine.
Tomcat is running (I can access through domain.com:8888)
Proxy is added to httpd.conf file with the following rules
<IfModule mod_proxy.c>
ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1$2
ProxyPassMatch ^/(.+\.cfml)(/.*)?$ http://127.0.0.1:8888/$1$2
# optional mappings
#ProxyPassMatch ^/flex2gateway/(.*)$ http://127.0.0.1:8888/flex2gateway/$1
#ProxyPassMatch ^/messagebroker/(.*)$ http://127.0.0.1:8888/messagebroker/$1
#ProxyPassMatch ^/flashservices/gateway(.*)$ http://127.0.0.1:8888/flashservices/gateway$1
#ProxyPassMatch ^/openamf/gateway/(.*)$ http://127.0.0.1:8888/openamf/gateway/$1
#ProxyPassMatch ^/rest/(.*)$ http://127.0.0.1:8888/rest/$1
ProxyPassReverse / http://127.0.0.1:8888/
</IfModule>
mod_cfml is loaded in httpd.conf file
LoadModule modcfml_module modules/mod_cfml.so
CFMLHandlers ".cfm .cfc .cfml"
ModCFML_SharedKey "{{ shared_key_here }}"
LogHeaders false
LogHandlers false
LogAliases false
VDirHeader false
In the end I restarted the Lucee and Apache services and created an index.cfm file in /var/www/html, but when I try to access it I get a 503 error.
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Catalina.out logs from Tomcat and error_logs from Apache don't give me any hints on what's happening.
Can anyone point me any direction to solve this?
If you need any additional info in order to help me, feel free to ask.
Thanks.
So I found that my machine had SE (Security Enhanced) enabled, and there was a setting that prevented the request to be correctly proxied to tomcat, which is httpd_can_network_connect.
I had to run /usr/sbin/setsebool httpd_can_network_connect true in order to make it work, after this and restarting httpd service, everything was ok!
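The diagnosis from this answer, as an added Python example that is not part of the original posts: it extracts the proxy backends from an httpd configuration and reports them when `getsebool` shows httpd_can_network_connect as off. The proxy rules are taken from the question, the `getsebool` output is constructed, and the function names are hypothetical.

```python
import re

# ProxyPass / ProxyPassMatch / ProxyPassReverse with a scheme://host[:port] target.
PROXY_TARGET = re.compile(
    r'^ProxyPass(?:Match|Reverse)?\s+\S+\s+'
    r'(?P<scheme>[a-z]+)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?',
    re.IGNORECASE)

DEFAULT_PORTS = {"http": 80, "https": 443, "ajp": 8009}

# Proxy rules from the httpd.conf shown in the question.
SAMPLE_HTTPD_CONF = r"""<IfModule mod_proxy.c>
ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ http://127.0.0.1:8888/$1$2
ProxyPassMatch ^/(.+\.cfml)(/.*)?$ http://127.0.0.1:8888/$1$2
#ProxyPassMatch ^/rest/(.*)$ http://127.0.0.1:8888/rest/$1
ProxyPassReverse / http://127.0.0.1:8888/
</IfModule>
"""

# Constructed output of `getsebool httpd_can_network_connect`.
SAMPLE_GETSEBOOL = "httpd_can_network_connect --> off\n"

def proxy_backends(httpd_conf):
    """Return the distinct (host, port) pairs Apache proxies to."""
    backends = []
    for raw in httpd_conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # commented-out mapping
        match = PROXY_TARGET.match(line)
        if not match:
            continue
        scheme = match.group("scheme").lower()
        port = int(match.group("port") or DEFAULT_PORTS.get(scheme, 0))
        backend = (match.group("host"), port)
        if backend not in backends:
            backends.append(backend)
    return backends

def sebool_is_on(getsebool_output, name):
    """Return True/False for the boolean, or None if it is not listed."""
    for line in getsebool_output.splitlines():
        match = re.match(r'^(\S+)\s+-->\s+(on|off)\s*$', line.strip())
        if match and match.group(1) == name:
            return match.group(2) == "on"
    return None

def backends_needing_boolean(httpd_conf, getsebool_output):
    """Backends that depend on httpd_can_network_connect while it is off."""
    if sebool_is_on(getsebool_output, "httpd_can_network_connect") is False:
        return proxy_backends(httpd_conf)
    return []

if __name__ == "__main__":
    for host, port in backends_needing_boolean(SAMPLE_HTTPD_CONF, SAMPLE_GETSEBOOL):
        print(f"httpd_can_network_connect is off, proxying to {host}:{port} may fail")
```

The setsebool command in the answer changes the running policy only; `setsebool -P` also stores the value so it survives a reboot.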
I want to setup Apache and Glassfish on Ubuntu 16.04 server.
I have installed
apache2
libapache2-mod-jk
glassfish
The following are the steps I have followed
Configuring the MPM module
Set MaxRequestWorkers to 400 in /etc/apache2/mods-available/mpm_event.conf
Configuring the JK Module
<IfModule mod_jk.c>
JkWorkersFile /usr/share/glassfish4/glassfish/domains/<domain-doamin1>/config/workers.properties
JkLogFile /var/log/apache2/mod_jk.log
JkLogLevel error
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkRequestLogFormat "%w %V %T"
JkMountCopy all
</IfModule>
JkMount /myapp/* ajp13
<Location "/myapp/WEB-INF/">
require all denied
</Location>
Create a workers.properties file in your GlassFish domain's config directory
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
# load balancing only: worker.ajp13.lbfactor=50
connection_pool_size=10
connection_pool_timeout=600
worker.ajp13.socket_keepalive=False
worker.ajp13.socket_timeout=30
Create the JK listener in GlassFish using these commands
asadmin create-http-listener --listenerport 8009 --listeneraddress 0.0.0.0 --defaultvs server jk-listener
asadmin set server-config.network-config.network-listeners.network-listener.jk-listener.jk-enabled=true
Then I restarted the GlassFish domain successfully, but when I try to restart apache2 with sudo /etc/init.d/apache2 restart I get the error below
[....] Restarting apache2 (via systemctl): apache2.serviceJob for apache2.service failed because the control process exited with error code. See "systemctl status apache2.service" and "journalctl -xe" for details.
failed!
This error occurs when I edit the file jk.conf located under /etc/apache2/mods-available/jk.conf
Where am I going wrong? Is there a complete guide to accomplishing this? Finally, the newer apache2 doesn't have the file httpd.conf and all the tutorials all over the Internet rely upon this file. Thanks in advance.
Since your objective is just to forward requests from Apache to GlassFish, not to loadbalance requests from Apache to multiple GlassFish servers, I would recommend avoiding mod_jk. You can certainly achieve your goal with it, but if you are new to the concepts involved, you will find it difficult to understand and maintain.
Instead you can use mod_proxy and, optionally, mod_proxy_ajp.
First, a definition:
AJP vs HTTP
AJP is a protocol like HTTP, but binary rather than text based. It has no secure/insecure options like HTTPS/HTTP since it is normally used behind a firewall and performs much better than HTTP for these scenarios. When you mark any GlassFish network listener as jk-enabled, you are enabling AJP communication, rather than HTTP.
You've installed Apache via the ubuntu apache2 package which has its own example structure to configuration which is different to the layout you would get if you downloaded and unzipped it. This has advantages, but we need to understand the Apache configuration file before getting to that.
Apache Configuration
Generally, you will see internet guides refer to httpd.conf as the configuration file to edit. This is just the default "parent" configuration file. In Debian/Ubuntu systems (and their derivations, like Linux Mint), the file to look for is apache2.conf.
This file is read, and its directives applied, from top to bottom, so if you have set the same property to two different values, the second will apply. (More accurately, they will both apply but the first will only apply until the second setting is read).
This file can also specifically "include" files and folders (where any *.conf file in an included folder will be included). These will be read in and merged with the main configuration at the point where the "include" statement is written. So the very last line in the main configuration file (if it is not specifying another file) will be the last line of configuration to be set, no matter what.
Debian config layout
I would highly recommend you read the opening comment in the apache2.conf file, since it will tell you all you need to know about the layout. Suffice it to say that keeping all the config in one file is very painful to maintain. The Debian package separates configuration into three categories:
sites
Sites are single configuration files for a website or web project. This could be anything: PHP, static HTML or a Java EE application deployed to an app server like GlassFish.
mods
Modules are subdivided into *.load files which load the actual libraries needed to run them, and *.conf files which have global configuration for the modules. Note that this configuration applies to every site that uses the module, so it is best to put any site/app specific module configuration in the appropriate site.conf file
conf
These files are just for any other general configuration which fits into a nice group. This could be SSL configuration like keystore and truststore locations.
When you look at the directory structure, you will see that each of these have 2 folders: *-available and *-enabled. This is because the Debian Apache package comes with 6 helper tools, a2ensite and a2dissite; a2enmod and a2dismod; a2enconf and a2disconf. The idea is that you follow these rules:
Never directly edit the apache2.conf file
only ever add or change files in the *-available folders
Use the helper tools to enable or disable sites/modules/conf files.
Answer
So to (finally) answer your question, I would do the following steps:
Enable mod_proxy_ajp
a2enmod proxy_ajp
Create a new myApp.conf in sites-available. You can copy the default one, which is a good example. Assuming you just want to forward all requests to GlassFish, you can use the default VirtualHost settings of <VirtualHost *:80>, which will process a request for any hostname on port 80. Use port 443 if you want to add HTTPS.
Add ProxyPass and ProxyPassReverse directives to the location of your server. If Apache and GlassFish are on the same server, it is likely you will want to use ajp://localhost:8080
ProxyPass / ajp://host_name:0000
ProxyPassReverse / ajp://host_name:0000
Note: This assumes you are using AJP. If that causes you problems, switch to HTTP by changing ajp to http above and disabling the jk-listener in GlassFish.
Once you have completed your myApp.conf configuration, remember to disable the default site:
a2dissite 000-default-site.conf
And enable your new site:
a2ensite myApp.conf
Those commands will appropriately modify the main apache2.conf and create the appropriate links in the sites-enabled folder.
That should be all you need. Now, everything that points to your hostname after the root / of the URL will be forwarded to the root context / of GlassFish.
I have attempted to make a few changes to php via .htaccess, yet none have yielded any results. For example:
php_value memory_limit 256M within will not activate.
Attempting to set SetEnv PHPRC /home/username/public_html/php.ini or any similar incantation, such as SetEnv PHPRC /home/username/some_path, will not yield any difference in phpinfo. I DO see that _SERVER["PHPRC"] is indeed set, but no values are overwritten such as that noted above.
My phpinfo is as follows:
https://gist.github.com/ylluminate/08efd9a2844723631214
I'm wondering if I'm missing an Apache module that's not allowing this to work as expected for a custom php.ini or phprc. Further, this is an Apache 2.4.4 installation on a VPS over which I have 100% control (Linode) and using WHM + cPanel.
Since PHP 5.3 you can use .user.ini files, given that PHP is setup to run via the CGI/FastCGI SAPI.
http://php.net/configuration.file.per-user
It's a simple extension of the main php.ini and allows specifying options equivalently:
memory_limit = 256M
upload_tmp_dir = /tmp
Usually you can place one of these in the DOCUMENT_ROOT. But every directory may contain one, so options may vary per script/folder. It's meant as a full alternative to Apache's/mod_php's .htaccess setting directives.
I just installed a fresh copy of Drupal 6.19 to get to speed on how to write modules. But for some reason the rewrite module isn't working for Drupal.
What I have checked:
$ apachectl -M >> it is installed
php_info() on current server >> says rewrite is installed also
I also double-checked the .htaccess file in my Drupal root folder
UPDATE: checked httpd.conf for AllowOverride All
I'm out of options here. Looked everywhere, but the Drupal settings aren't letting me enable the setting, and their test is simply visiting a site that should work if the rewrite module was there.
My specs:
Mac OS X 10.6 Snow Leopard
Using built-in Apache with PHP5
Thanks!
Last but not least, you must authorize your virtual host or directory to use .htaccess.
AllowOverride All
Update:
I can't figure out your exact problem but it's always worth testing that Apache is actually parsing your .htaccess file. Make a syntax error on purpose and see if you get a 500 Internal Server Error message. Also, test mod_rewrite with a simple redirection rule that doesn't involve Drupal.
Two more things to check:
Verify that your .htaccess is readable for your apache processes (Yes, I read that you double checked it, but did that include the file permissions?)
Enable rewrite logging - this might give you some hints on where it fails. Start with a log level of 5 and increase/decrease as needed. (Don't forget to turn it off again later, as it is a huge performance hog ;)
Also, I'd try to simplify the test scenario - start with a simple rewrite directive in a vhost configuration. Once that works, move it to a .htaccess in the top-level of the vhosts document root, then to sub directories (if needed/used).
Make sure that if the install is in a sub-directory that the username is part of the rewriteBase
# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at http://example.com/drupal uncomment and
# modify the following line:
RewriteBase /~username/drupal
If you are running your Drupal installation in a sub-folder like example.com/drupal, then enable "RewriteBase /" in your .htaccess file; it might help you.
A clean url could be something like www.example.com/fisherman instead of www.example.com/data/pages/fisherman.php
Some installations of apache have clean URL functionality out of the box. There are 2 steps that need to be configured correctly for it to work.
Enable rewrite module
Allow .htaccess file overrides
Both steps require SSH root access to your server. So if you are on shared host this probably won't work for you. Open your terminal:
Enable rewrite module
To enable the rewrite module, you can type the following command
sudo a2enmod rewrite
Now type
sudo service apache2 restart
to enable the changes. You can check if it’s working by typing
sudo apache2ctl -M
A list will appear. Look for “rewrite_module”.
http://codeontrack.com/enable-clean-urls-apache/
Look for this line in your httpd.conf file
#LoadModule rewrite_module modules/mod_rewrite.so
If commented
Just uncomment it, restart the Apache server, then try enabling it in the Drupal administer Clean URL section
I added the following to my .htaccess file and it was solved. My problem was specifically happening with a Rackspace / CentOS image
Options -MultiViews
As Álvaro G. Vicario mentioned, the first thing to do is at the top of the .htaccess file add something like ghfdiddfdjf which should throw an internal error. If it doesn't, you know the .htaccess file isn't being read. Mine wasn't, and I found the following fix:
In the etc/apache2/sites-enabled folder, there was a file called default-000. It was in this file that I changed AllowOverride All in 2 places in the file.
I've come across this problem: I have a server running Apache and PHP. We have many virtual hosts, but we've noticed that a potentially malicious user could use his web space to browse other users' files (via a simple PHP script) and even system files; this could happen due to the PHP permissions.
A way to avoid it is to set the open_basedir var in php.ini. This is very simple in a single-host system, but in the case of virtual hosts there would be a basedir per each host.
How can I set this basedir per each user/host? Is there a way to let Apache inherit the PHP privileges of the PHP file that has been requested?
E.G.
/home/X_USER/index.php has X_USER as owner; when Apache reads the file index.php it checks its path and owner. Simply put, I'm looking for a way to have the system set the PHP basedir variable to that path.
Thanks in advance
Lopoc
It is possible to set open_basedir on a per-directory basis using the php_admin_value Apache directive.
Example from the manual:
<Directory /docroot>
php_admin_value open_basedir /docroot
</Directory>
Re your comment: yes, external commands are not affected by open_basedir - when calling ls / this is done with the rights the user account PHP runs under (often named www or similar). As far as I know, it is not possible to extend open_basedir to external commands.
In that case, I don't think the kind of protection that you're looking for is possible in a normal Apache/PHP setup. The only thing that maybe comes close is running Apache in a chroot jail. I haven't done this myself so I can't say anything about it - you'd have to dig in and maybe ask a question specifically about that.
You can set many php.ini settings using the Apache configuration file.
See these related pages from the PHP manual:
- http://php.net/manual/en/configuration.changes.php
- http://www.php.net/manual/en/ini.core.php#ini.sect.path-directory
- http://www.php.net/manual/en/configuration.changes.modes.php
chroot is a good idea. And now docker is more effective.
And open_basedir with "/docroot" is not secure; you should end it with a "/" or PHP can access /docroot1.
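The trailing-slash point in the last comment, as an added Python example that is not code from any of the posts above: an audit that flags open_basedir entries without a trailing slash in Apache or php-fpm pool configuration, plus the plain prefix comparison the comment describes. The vhost snippet, paths and function names are constructed for illustration.

```python
import re

# Apache form:  php_admin_value open_basedir <value>
# php-fpm form: php_admin_value[open_basedir] = <value>
DIRECTIVE = re.compile(
    r'^php_(?:admin_)?value'
    r'(?:\s+open_basedir\s+|\[open_basedir\]\s*=\s*)'
    r'(?P<value>\S.*)$')

# Constructed vhost configuration: alice's entry lacks the trailing slash.
SAMPLE_VHOSTS = """\
<VirtualHost *:80>
    ServerName alice.example
    <Directory /home/alice/www>
        php_admin_value open_basedir /home/alice/www
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName bob.example
    <Directory /home/bob/www>
        php_admin_value open_basedir "/home/bob/www/:/tmp/bob/"
    </Directory>
</VirtualHost>
"""

def prefix_allows(path, basedir):
    """Plain string-prefix comparison, as described in the comment."""
    return path.startswith(basedir)

def audit_open_basedir(config_text):
    """Return (line_number, entry) for each entry without a trailing slash."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or Apache/php-fpm comment
        match = DIRECTIVE.match(line)
        if not match:
            continue
        value = match.group("value").strip().strip("\"'")
        # open_basedir takes a colon-separated list of directories on Unix.
        for entry in value.split(":"):
            if entry and not entry.endswith("/"):
                findings.append((lineno, entry))
    return findings

if __name__ == "__main__":
    for lineno, entry in audit_open_basedir(SAMPLE_VHOSTS):
        sibling = entry + "-backup/db.php"  # constructed sibling path
        print(f"line {lineno}: {entry} has no trailing slash; "
              f"prefix match on {sibling}: {prefix_allows(sibling, entry)}, "
              f"with slash: {prefix_allows(sibling, entry + '/')}")
```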