[opensuse-factory] PHP-FPM and PHP 7.3.0
Is someone successfully using PHP-FPM and PHP 7.3.0 on Tumbleweed? None of my PHP applications worked after upgrading PHP-PHP and PHP, even simple phpinfo-scripts. I use the latest Apache2, PHP and PHP-FPM packages. At the beginning I used the old configuration from PHP 7.2, later I updated the configuration from *.rpmnew files. It did not help. Even the status check does not work: /etc/php7/fpm/php-fpm.d/www.conf: [...] pm.status_path = /status [...] myusername@mybox:~> SCRIPT_NAME=/status \
SCRIPT_FILENAME=/status \ QUERY_STRING=full \ REQUEST_METHOD=GET \ cgi-fcgi -bind -connect 127.0.0.1:9000
Primary script unknownStatus: 404 Not Found X-Powered-By: PHP/7.3.0 Content-type: text/html; charset=UTF-8 File not found. Unfortunately I didn't get useful logs from PHP-FPM, e.g. the "cgi-fcgi" script does not product logs for PHP-FPM. I gave up and returned to MOD_PHP7 (apache2-mod_php7). MOD_PHP7 works. Greetings, Björn -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Citeren Bjoern Voigt <bjoernv@arcor.de>:
Is someone successfully using PHP-FPM and PHP 7.3.0 on Tumbleweed?
I do. Except for php7-memcached (which needed an upgrade) it has been smooth sailing.
None of my PHP applications worked after upgrading PHP-PHP and PHP, even simple phpinfo-scripts. I use the latest Apache2, PHP and PHP-FPM packages.
At the beginning I used the old configuration from PHP 7.2, later I updated the configuration from *.rpmnew files. It did not help.
Even the status check does not work:
/etc/php7/fpm/php-fpm.d/www.conf: [...] pm.status_path = /status [...]
myusername@mybox:~> SCRIPT_NAME=/status \
SCRIPT_FILENAME=/status \ QUERY_STRING=full \ REQUEST_METHOD=GET \ cgi-fcgi -bind -connect 127.0.0.1:9000
Primary script unknownStatus: 404 Not Found X-Powered-By: PHP/7.3.0 Content-type: text/html; charset=UTF-8
File not found.
Unfortunately I didn't get useful logs from PHP-FPM, e.g. the "cgi-fcgi" script does not product logs for PHP-FPM.
I think the 'modern' way of running PHP-FPM is through mod_proxy_fcgi. At least that is what I do here; <IfModule mod_proxy_fcgi.c> <FilesMatch "\.php$"> # Note: The part that matters is /var/run/php-fpm/www.sock SetHandler "proxy:unix:/var/run/php-fpm/www.sock|fcgi://localhost" </FilesMatch> # Add index.php to the list of index pages. DirectoryIndex index.php </IfModule> This is basically all I do (running the 'event' MPM) and I have not modified anything in this. Note that I run PHP-FPM on a UNIX socket.
I gave up and returned to MOD_PHP7 (apache2-mod_php7). MOD_PHP7 works.
Greetings, Björn
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Arjen de Korte wrote:
I think the 'modern' way of running PHP-FPM is through mod_proxy_fcgi. At least that is what I do here;
<IfModule mod_proxy_fcgi.c> <FilesMatch "\.php$"> # Note: The part that matters is /var/run/php-fpm/www.sock SetHandler "proxy:unix:/var/run/php-fpm/www.sock|fcgi://localhost" </FilesMatch>
# Add index.php to the list of index pages. DirectoryIndex index.php </IfModule>
My PHP-FPM Apache configuration looks like this: /etc/apache/conf.d/php7-fpm.conf: ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/srv/www/htdocs/$1 <Proxy "fcgi://localhost:9000/" enablereuse=on max=10> </Proxy> <FilesMatch \.php$> <If "-f %{REQUEST_FILENAME}"> SetHandler "proxy:fcgi://127.0.0.1:9000" </If> </FilesMatch> SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1 Apache's error_log shows such errors: [Sat Jan 05 00:40:32.267686 2019] [proxy:warn] [pid 22833] [client ::1:58160] AH00917: connect to remote machine 127.0.0.1 blocked: IP 127.0.0.1 matched [Sat Jan 05 00:40:32.267713 2019] [proxy:error] [pid 22833] [client ::1:58160] AH00898: Connect to remote machine blocked returned by /phpinfo.php I found with Wireshark, that Apache does not even try to communicate with php-fpm over port 9000. FPM-FPM runs on port 9000: # netstat -tulpen|grep 9000 tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 0 322196 18092/php-fpm: mast Greetings, Björn -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Saturday 2019-01-05 00:54, Bjoern Voigt wrote:
Arjen de Korte wrote:
I think the 'modern' way of running PHP-FPM is through mod_proxy_fcgi. At least that is what I do here;
<IfModule mod_proxy_fcgi.c> <FilesMatch "\.php$"> # Note: The part that matters is /var/run/php-fpm/www.sock SetHandler "proxy:unix:/var/run/php-fpm/www.sock|fcgi://localhost" </FilesMatch>
# Add index.php to the list of index pages. DirectoryIndex index.php </IfModule>
My PHP-FPM Apache configuration looks like this:
/etc/apache/conf.d/php7-fpm.conf: ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/srv/www/htdocs/$1 <Proxy "fcgi://localhost:9000/" enablereuse=on max=10> </Proxy> <FilesMatch \.php$> <If "-f %{REQUEST_FILENAME}"> SetHandler "proxy:fcgi://127.0.0.1:9000" </If> </FilesMatch> SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
Well looks like tonight we're all sharing our approaches to fpm. Here's mine in the bucket: <IfModule mod_proxy_fcgi.c> <IfModule !mod_php5.c> <IfModule !mod_php7.c> <IfModule mod_rewrite.c> RewriteRule \.php$ proxy:fcgi://localhost:9000/%{DOCUMENT_ROOT}/%{REQUEST_FILENAME} [L] </IfModule> </IfModule> </IfModule> </IfModule> -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
[Sat Jan 05 00:40:32.267686 2019] [proxy:warn] [pid 22833] [client ::1:58160] AH00917: connect to remote machine 127.0.0.1 blocked: IP 127.0.0.1 matched [Sat Jan 05 00:40:32.267713 2019] [proxy:error] [pid 22833] [client ::1:58160] AH00898: Connect to remote machine blocked returned by /phpinfo.php
I found with Wireshark, that Apache does not even try to communicate with php-fpm over port 9000.
FPM-FPM runs on port 9000:
# netstat -tulpen|grep 9000 tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 0 322196 18092/php-fpm: mast
Greetings, Björn
If you are 100% sure that apparmor or firewalld are not blocking things or any kind of rule especially the following in your log the client of apache2 is accessing by ipv6 client ::1:58160 and then you goes to ipv4 with the way you configure it. Otherwise I can confirm socket way is the easiest one and safer when you have dual stack. -- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch Bareos Partner, openSUSE Member, fsfe supporter GPG KEY : D5C9B751C4653227 irc: tigerfoot -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Citeren Bjoern Voigt <bjoernv@arcor.de>:
Arjen de Korte wrote:
I think the 'modern' way of running PHP-FPM is through mod_proxy_fcgi. At least that is what I do here;
<IfModule mod_proxy_fcgi.c> <FilesMatch "\.php$"> # Note: The part that matters is /var/run/php-fpm/www.sock SetHandler "proxy:unix:/var/run/php-fpm/www.sock|fcgi://localhost" </FilesMatch>
# Add index.php to the list of index pages. DirectoryIndex index.php </IfModule>
My PHP-FPM Apache configuration looks like this:
/etc/apache/conf.d/php7-fpm.conf: ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/srv/www/htdocs/$1 <Proxy "fcgi://localhost:9000/" enablereuse=on max=10> </Proxy> <FilesMatch \.php$> <If "-f %{REQUEST_FILENAME}"> SetHandler "proxy:fcgi://127.0.0.1:9000" </If> </FilesMatch> SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
You have PHP-FPM configured to listen on '127.0.0.1', but in the above configuration you also use 'localhost' in your proxy configuration. In a dual-stacked system these are not equivalent. If you need processes to communicate with each other you'll have to make a choice for one or the other. So either use '127.0.0.1' or 'localhost' (or [::] for that matter) everywhere. Or better yet, configure processes to communicate over a domain socket, which is not prone to this and is actually a bit more efficient.
Apache's error_log shows such errors: [Sat Jan 05 00:40:32.267686 2019] [proxy:warn] [pid 22833] [client ::1:58160] AH00917: connect to remote machine 127.0.0.1 blocked: IP 127.0.0.1 matched [Sat Jan 05 00:40:32.267713 2019] [proxy:error] [pid 22833] [client ::1:58160] AH00898: Connect to remote machine blocked returned by /phpinfo.php
I found with Wireshark, that Apache does not even try to communicate with php-fpm over port 9000.
FPM-FPM runs on port 9000:
# netstat -tulpen|grep 9000 tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 0 322196 18092/php-fpm: mast
Greetings, Björn
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
El 04-01-2019 a las 19:40, Bjoern Voigt escribió:
Is someone successfully using PHP-FPM and PHP 7.3.0 on Tumbleweed?
Yes, there is something wrong with your configuration because it works for me, with apache-event Either with the ProxyPassMatch or the SetHandler "proxy:unix:...thing. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Thank you for all the tips. Part of my problem was probably Ninja Firewall. I installed Ninja Firewall (free) some weeks ago for testing. The free version does not allow whitelisting. So for unknown reasons Ninja Firewall blocked localhost/127.0.0.1/::1. After disabling, updating and re-enabling Ninja Firewall I have access again. But after some minutes I was blocked again for unknown reasons. Now I switched from Apache2-PHP-FPM TCP connection to unix socket connection. The setup works now: /etc/apache2/conf.d/php7-fpm.conf: <IfModule mod_proxy_fcgi.c> <FilesMatch \.php$> <If "-f %{REQUEST_FILENAME}"> SetHandler "proxy:unix:/var/run/php-fpm-www.sock|fcgi://localhost/" </If> </FilesMatch> SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1 </IfModule> /etc/php7/fpm/php-fpm.d/www.conf: [www] user = wwwrun group = www listen = /var/run/php-fpm-www.sock listen.owner = wwwrun listen.group = www listen.mode = 0660 pm = dynamic pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 pm.status_path = /status catch_workers_output = yes php_flag[display_errors] = on php_admin_value[error_log] = /var/log/fpm-php.www.log php_admin_flag[log_errors] = on One remaining question: How can I disable apache2-mod_php7 in openSUSE? apache2-mod_php7 is a dependency for packages like nextcloud. My current work-around is ugly. I install apache2-mod_php7 in the RPM database and lock the package in Zypper. zypper al apache2-mod_php7 zypper install --download-only apache2-mod_php7 rpm -Uvh --justdb /var/cache/zypp/packages/repo-oss/x86_64/apache2-mod_php7-7.3.0-1.1.x86_64.rpm BTW, I use PHP-FPM, because I want to use HTTP/2 and HTTP/2 does not work with Apache Prefork MPM, which is required by MOD_PHP. Later I want to use different PHP-FPM pools with different users and groups to separate my PHP apps. Unfortunately none of the big PHP applications seems to have a documentation about how harden the applications with PHP-FPM. Greetings Björn -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (5)
-
Arjen de Korte -
Bjoern Voigt -
Bruno Friedmann -
Cristian Rodríguez -
Jan Engelhardt