Difference between revisions of "PHP"

From SME Server
Jump to navigationJump to search
m
Line 291: Line 291:
 
From SME Server V8 up to and including SME Server V9, you could sometimes have an error thrown by PHP and would then need to specify a temporary directory (e.g. upload_tmp_dir) which is not set in php.ini. see [[bugzilla:6650]] and [[bugzilla:7652]]. Many php applications need this setting, the best-known culprits are Wordpress, Roundcube, eGroupWare, and there are others. The symptoms observed are that you can't upload contents to the PHP application.
 
From SME Server V8 up to and including SME Server V9, you could sometimes have an error thrown by PHP and would then need to specify a temporary directory (e.g. upload_tmp_dir) which is not set in php.ini. see [[bugzilla:6650]] and [[bugzilla:7652]]. Many php applications need this setting, the best-known culprits are Wordpress, Roundcube, eGroupWare, and there are others. The symptoms observed are that you can't upload contents to the PHP application.
  
An easy resolution is to make a Custom Template to resolve this issue. See [[Uploadtmpdir]]
+
An easy resolution is to make a Custom Template to resolve this issue. See [[Uploadtmpdir]].
  
 
=== Advanced use of the php-fpm pools ===
 
=== Advanced use of the php-fpm pools ===

Revision as of 09:30, 27 August 2023


Starting with SME 10, the php module is no longer used for httpd. Instead we rely on php-fpm which can enable every available version of php.

By default we provide the following versions:

  • 54 (maintained by Red-Hat up to CentOS 7 EOL: 30 Jun 2024).
  • 55,56,70,71,72 (Note: unsupported!).
  • 73 (supported up to 6 Dec 2021).
  • 74 (supported up to 28 Nov 2022).
  • 80 (supported up to 26 Nov 2023).


db keys available to control php configuration and services

First you need to decide if you want to alter the php behaviour for an ibay or for a specific php version, of for all php versions.

db configuration properties
keys role
php customization of /etc/php.ini for php54
php55 customization of /opt/remi/php55/root/etc/php.ini if no properties defined, will use php keys properties
php56 customization of /opt/remi/php56/root/etc/php.ini
php70 customization of /etc/opt/remi/php70/php.ini
php71 customization of /etc/opt/remi/php71/php.ini
php72 customization of /etc/opt/remi/php72/php.ini
php73 customization of /etc/opt/remi/php73/php.ini
php74 customization of /etc/opt/remi/php74/php.ini
php80 customization of /etc/opt/remi/php80/php.ini

Every version of php has its own php-fpm service running, the related configuration db entry is (as shown in the Table above) php-fpm for php (ie php54), php55-php-fpm for php55 and so on.

If you really want to disable one version of php, shown below is what you need to do for php55, as an example:

config setprop php55-php-fpm status disabled
signal-event webapps-update

Available properties

Here is a list of available properties to configure php. You have to choose at which level you want to handle the change.

  • Do you want the change for the whole server? -- then probably choose to change it for key php): db configuration setprop php ...
  • Do you want the change for a specific version of php? -- then you should probably do it against a specific php key e.g. : db configuration setprop php74 ...
  • Do you want to apply the change for a specific ibay? -- this is what we suggest you to do in most cases: db accounts setprop myibay ..
php setting ibay property php.ini property default note
- PHPVersion - 74 can vary upon update if left empty
allow_url_fopen AllowUrlFopen AllowUrlFopen off unsecure keep to off
allow_url_include - - off
auto_prepend_file AutoPrependFile - enabled /usr/share/php/auth_translation.php unless disabled
disable_functions DisableFunctions - system,show_source, symlink,exec,dl,shell_exec,passthru,phpinfo,escapeshellarg,escapeshellcmd
display_errors DisplayErrors - off
error_log - - /var/log/php/$key/error.log
error_reporting ErrorReporting - E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
expose_php - ExposePHP Off
file_upload FileUpload - Off
mail.add_x_header - MailAddXHeader disabled only global, not per php version
mail.force_extra_parameters MailForceSender MailForceSender root@$DomainName ibayname@$DomainName for ibays
mail.log - MailLog disabled
max_execution_time MaxExecutionTime MaxExecutionTime 30
max_file_uploads - MaxFileUpload 20
max_input_time MaxInputTime MaxInputTime 60
memory_limit MemoryLimit MemoryLimit 128M
open_basedir PHPBaseDir - /home/e-smith/files/ibays/IBAYNAME/:/var/lib/php/IBAYNAME/:/usr/share/php/:/usr/share/pear/:/opt/remi/php$version/root/usr/share/pear/:/opt/remi/php$version/root/usr/share/php/
post_max_size PostMaxSize PostMaxSize 20M
security.limit_extensions AllowPHTML disabled allow php to interprete more file (.php .htm .html .phar .phtml .xml)
sendmail_from - MailForceSender root@$DomainName
sendmail_path - SendmailPath /usr/sbin/sendmail -t -i
short_open_tag - ShortOpenTag On
upload_max_filesize UploadMaxFilesize UploadMaxFilesize 10M

if you want to set a specific value for an ibay, here we show how to use php80 for ibay MYIBAY and avoid having any disabled function:

db accounts setprop MYIBAY disable_functions none PHPVersion 80
signal-event webapps-update
Important.png Note:
It is strongly suggested that you install the smeserver-webhosting contrib enabling you to set your ibay php values from the server-manager. Everything is available and it prevents you from making a mistake in the settings.


Display Error Messages

By default PHP does not display error messages on screen. Sometimes you get a blank page when executing PHP scripts. Usually some sort of error has occurred, but this error text will not be displayed as SME Server is configured to not display them. Instead the error messages are reported to the log files of the webserver and the general logfile of the server.

Try to analyze your logfiles: /var/log/httpd/error_log and /var/log/httpd/access_log and perhaps also /var/log/messages.


Warning.png Warning:
It is strongly advised that you disable "display errors" after you have tracked and solved the problem, as the displayed error message might provide information (like filesystem layout) that only should be known to the system administrators and not to users, let alone people with bad intentions. Thus it is a potential SECURITY RISK. After debugging, disable it again.


Enable changes for all php versions

If you (for debugging purposes for instance) would like to enable it you can do it with the instructions found below:

mkdir -p /etc/e-smith/templates-custom/etc/php.ini
cp /etc/e-smith/templates/etc/php.ini/30ErrorHandling /etc/e-smith/templates-custom/etc/php.ini

After that:

sed -i /etc/e-smith/templates-custom/etc/php.ini/30ErrorHandling -e 's/display_errors.*/display_errors          = On/g' 

After that issue the following commands:

signal-event webapps-updates


Now access your page again and see what the error is.

Undo Changes

If everything works you remove the 30ErrorHandling file from the /etc/e-smith/templates-custom/etc/php.ini folder and issue the last two lines again:

signal-event webapps-update 

Enable changes for a specific ibay

Starting SME10 and smeserver-php-3.0.0-39

db accounts setprop MYIBAY DisplayErrors enabled 
signal-event webapps-update

Open basedir restriction

SME Server has a security measure in place which is called 'open basedir restriction'. This measure prevents PHP from executing or invoking other PHP scripts outside the scope of its own tree; in other words it creates a 'sandbox' or 'jail'.

Overall configuration is defined in the php.ini file but you can add an override on a per ibay basis.

Error message

The PHP open basedir restriction is usually presented to the user like this in the /var/log/messages file:

Aug 12 17:27:42 homer httpd: PHP Warning:  main(): open_basedir restriction in effect. File(/tmp/test.php) is not within the allowed path(s): (/home/e-smith/files/ibays/Primary/html/) in /home/e-smith/files/ibays/Primary/html/test.php on line 2

In general you will find this message in the log files only as by default PHP is configured to prevent the display of error messages to the end users. This can be changed as per this HowTo.

Modifying the PHPBaseDir setting for an ibay

    (Please also see: these instructions on the Useful_Commands page.)
  1. Open a SME Server shell as root user and document the current setting of the PHPBaseDir directive by writing down the output of the following command: db accounts getprop ibayname PHPBaseDir Be careful to write it down to the letter as we need it in the next step. For the Primary ibay the ouptut of above command would normally look like this: /home/e-smith/files/ibays/Primary/html/
  2. Decide on what directory you would like to add and issue the following: db accounts setprop ibayname PHPBaseDir value Replace ibayname with the name of the ibay and value with the old value for the PHPBaseDir directive you have written down and a colon (:) followed by the full path to the directory you would like to add with a tailing slash (/), e.g. db accounts setprop Primary PHPBaseDir /home/e-smith/files/ibays/Primary/html/:/opt/gallery2/ Above command would allow for invocation of scripts in the /opt/gallery2 path from the Primary ibay html folder by PHP. To allow uploading of files to via http to a ibay name wiki: db accounts setprop wiki PHPBaseDir /home/e-smith/files/ibays/wiki/:/tmp/
  3. After defining the new setting we need to reflect the change in the configuration file of the web server and have the web server reload it's configuration file. This is done by issuing the following command: signal-event ibay-modify ibayname Be sure to replace ibayname with the name of the ibay you have just modified.

Upload_tmp_dir

upload_tmp_dir

From SME Server V8 up to and including SME Server V9, you could sometimes have an error thrown by PHP and would then need to specify a temporary directory (e.g. upload_tmp_dir) which is not set in php.ini. see bugzilla:6650 and bugzilla:7652. Many php applications need this setting, the best-known culprits are Wordpress, Roundcube, eGroupWare, and there are others. The symptoms observed are that you can't upload contents to the PHP application.

An easy resolution is to make a Custom Template to resolve this issue. See Uploadtmpdir.

Advanced use of the php-fpm pools

For the ibays with php-fpm.d/ibays.conf

For the ibays better option is to simply use the contrib Webhosting.

For the contrib sharefolders with php-fpm.d/shares.conf

Similar to ibays.

For the contribs with php-fpm.d/www.conf

Please read Building Your Contrib.

For your custom needs with php-fpm.d/custom.conf

You can build your own pool to use in any place on your server, even in a subfolder of an ibay or in place of the regular ibay php-pool (property PHPCustomPool).

There are two ways in doing that:

using db php

Using the default template : /etc/e-smith/templates/etc/php-fpm.d/custom.conf , you can set your own pool doing:

db php set MYPOOLNAME pool Version 81 status enabled

here are the accepted supplementary properties, as always missing or empty means using default.

property default values information
status enabled enabled,disabled
Version php version to use eg 80 for php 8.0
MemoryLimit 128M
MaxExecutionTime 30
MaxInputTime 60
AllowUrlFopen off
MaxChildren 15
PostMaxSize 10M
UploadMaxFilesize 10M
FileUpload enabled
BaseDir
DisabledFunctions system,show_source,symlink,exec,dl,shell_exec,passthru,phpinfo,escapeshellarg,escapeshellcmd
User www
Group www
DisplayErrors disabled
LogErrors disabled
MaxChildren 15
AutoPrependFile enabled will use the autoprepend file
MailForceSender php\@$DomainName

You will then need two httpd.conf custom template fragment to use your pool. You will need to change MYPOOL to what you want

mkdir -p  /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
vim /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98mypoolusage
<Directory /home/e-smith/files/ibays/test/html/mysubfolder>
    SSLRequireSSL
    Options None
    Options +Indexes
    Options +FollowSymLinks
    DirectoryIndex index.php index.shtml index.htm index.html
    <FilesMatch \.php$>
         SetHandler "proxy:unix:/var/run/php-fpm/php80-MYPOOLNAME.sock|fcgi://localhost"
    </FilesMatch>
    AllowOverride All
    order deny,allow
    deny from all
    allow from all
</Directory>

Then just do:

signal-event webapps-update
using a templates-custom

You can write your own fragment in /etc/e-smith/templates-custom/etc/php-fpm.d/custom.conf/ e.g. /etc/e-smith/templates-custom/etc/php-fpm.d/custom.conf/15mypool

You will also need to write a httpd fragment similarly to what shown just above.

Here is an example if you want a custom pool for your ibay, in /etc/e-smith/templates-custom/etc/php-fpm.d/ibays.conf/15MYIBAY

{

use esmith::AccountsDB;
use esmith::php;
my $a = esmith::AccountsDB->open_ro || die "Couldn't open the accounts database";
my $ibay = $a->get("MYIBAY");
  my $version             = PhpFpmVersionToUse($ibay);
  my $dynamic             = $ibay->prop('CgiBin') || 'disabled';
  my $custom              = $ibay->prop('CustomPool') || undef;
  next unless ($dynamic eq 'enabled' && $version eq $PHP_VERSION && $custom);
  my $key                 = $ibay->key;
  my $name                = lc $key;
  my $pool_name           = 'php' . $version . '-' . $name;
  $OUT .=<<"_EOF" if ($version eq $PHP_VERSION);

[$pool_name]
user = www
group = www
listen.owner = root
listen.group = www
listen.mode = 0660
listen = /var/run/php-fpm/$pool_name.sock
;
;
;put whatever you need there
;
;
_EOF
}

You have then to force the ibay to use it by doing :

db accounts MYIBAY setprop CustomPool enabled

This will prevent the generation of the default ibay pool in ibays.conf , and let you use /var/run/php-fpm/php$version-$name.sock socket from your template-custom... or from the db php using the same key as the name of the ibay.

Installation of composer

This is made tricky as we do not have the PHP CLI configured.

But we can install it as follows with command line arguments. This is using php74

Download:

php74 -d allow_url_fopen=on -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

Install:

php74 -d allow_url_fopen=on  ./composer-setup.php 

Bugs

Please raise bugs under the SME-Server 10.X section in Bugzilla and select the smeserver-php component or use this link .

Below is an overview of the current issues for this package:

"No open bugs found."