[horde] Running Horde with Apache 2.4?...SOLVED
Andy Dorman
adorman at ironicdesign.com
Thu Aug 29 21:40:26 UTC 2013
On 08/29/2013 11:32 AM, Andy Dorman wrote:
> On 08/28/2013 05:34 PM, Andy Dorman wrote:
>> On 08/28/2013 10:12 AM, Andy Dorman wrote:
>>> I am trying to get Horde Groupware Webmail Edition (Debian package
>>> 5.1.1-1 with php-horde 5.1.2) running with Apache 2.4. It was
>>> previously working fine with Apache 2.2.
>>>
>>> Now when I go to /index.php I get
>>> ------------------
>>> Forbidden
>>>
>>> You don't have permission to access /index.php on this server.
>>> Apache/2.4.6 (Debian) Server at beta.mail.homefreemail.com Port 80
>>> ------------------
>>>
>>> If anyone has made this switch, any details on what you had to change to
>>> go from Apache 2.2.x -> Apache 2.4.x would be greatly appreciated.
>>>
>>> I updated the .htaccess file in Horde's root dir per the recommendations
>>> at https://httpd.apache.org/docs/2.4/upgrading.html (and yes, I
>>> understand I should not edit that file...for now I am just trying to get
>>> Horde running under A 2.4 on my dev server)
>>>
>>> The Apache upgrade docs include this note about common problems:
>>> "htaccess files aren't being processed - Check for an appropriate
>>> AllowOverride directive; the default changed to None in 2.4.
>>>
>>> I have added this directive to my <VirtualHost *:80>
>>>
>>> <Directory /usr/share/horde>
>>> AllowOverride All
>>> </Directory>
>>>
>>> and this is my current /usr/share/horde/.htaccess
>>>
>>> # IMPORTANT: DO NOT EDIT THIS FILE!
>>> # It will be overwritten with any future upgrade.
>>>
>>> Require all granted
>>>
>>> <IfModule mod_rewrite.c>
>>> RewriteEngine On
>>> RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
>>> RewriteCond %{REQUEST_FILENAME} !-d
>>> RewriteCond %{REQUEST_FILENAME} !-f
>>> RewriteRule ^(.*)$ rampage.php [QSA,L]
>>> </IfModule>
>>>
>>> Thank you for any feedback on this upgrade.
>>>
>> Sorry for the length of this post...
>>
>> OK, some progress but still no success.
>>
>> I should also point out that until this morning when I started working
>> with Apache 2.4.x, this horde install had been working fine with Nginx &
>> php-fpm for a couple of weeks and with Apache 2.2 before that. Long
>> annoying story about WHY we can not use Nginx & Apache 2.2. :-P
>>
>> Anyway, I finally checked the list archives and I saw the note about the
>> problems with Nag & the .htaccess file and Apache 2.4.6. So my main
>> Apache2 config now contains:
>>
>> <Directory /usr/share>
>> AllowOverride FileInfo Nonfatal=All
>> Require all granted
>> </Directory>
>>
>> My /usr/share/horde/.htaccess looks like this:
>>
>> # IMPORTANT: DO NOT EDIT THIS FILE!
>> # It will be overwritten with any future upgrade.
>>
>> <IfModule mod_rewrite.c>
>> RewriteEngine On
>> RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
>> RewriteCond %{REQUEST_FILENAME} !-d
>> RewriteCond %{REQUEST_FILENAME} !-f
>> RewriteRule ^(.*)$ rampage.php [QSA,L]
>> </IfModule>
>>
>> The sites-available config has not changed since Apache 2.2 and looks
>> like this:
>>
>> <VirtualHost *:80>
>> ServerName mail.homefreemail.com
>> ServerAlias beta.mail.homefreemail.com
>> DirectoryIndex index.php
>> DocumentRoot /usr/share/horde/
>> SuexecUserGroup antespam antespam
>> IPCCommTimeout 120
>> <Files "*.php">
>> SetHandler fcgid-script
>> FCGIWrapper /var/www/mail.homefreemail.com/php5-cgi .php
>> </Files>
>> FcgidMaxRequestLen 10496000
>> </VirtualHost>
>>
>>
>> I have the rewrite, fcgid & mime modules enabled.
>>
>> The apache trace log below is from a request for the root url, "/",
>> which points to horde's root dir. Now I am NOT an Apache nor php guru,
>> but if I read the log correctly, it shows the .htaccess rewrite rules
>> working as they should and /index.php is passed to be executed with this
>> line
>> [Wed Aug 28 16:52:20.774108 2013] [rewrite:trace1] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea80e0a0/subreq]
>> [perdir /usr/share/horde/] pass through /usr/share/horde/index.php
>>
>> immediately followed by the response with the 403 error.
>>
>> [Wed Aug 28 16:52:20.774173 2013] [http:trace3] [pid 14294:tid
>> 140251620177664] http_filters.c(963): [client 71.207.183.174:52146]
>> Response sent with status 403, headers:
>>
>> My (and another one of our Perl programmers) response to this was WTF
>> happened?
>>
>> When index.php was passed it should have triggered the <Files "*.php">
>> directive which should have set the fcgid-script handler and executed
>> the FCGIWrapper which merely calls the php5-cgi executable to handle it.
>>
>> I even tried running the little wrapper script from the command line as
>> the appropriate user, just to make sure it would start OK. Aside from a
>> couple of php warnings it started up /usr/bin/php5-cgi as it is supposed
>> to.
>>
>> So at this point I am really baffled. If anyone has any suggestions or
>> wants to point out something really dumb that I have missed, please do
>> and I thank you for it. ;-)
>>
>> --- detailed apache trace8 log ---
>> [Wed Aug 28 16:52:20.773208 2013] [core:trace5] [pid 14294:tid
>> 140251620177664] protocol.c(618): [client 71.207.183.174:52146] Request
>> received from client: GET / HTTP/1.1
>> [Wed Aug 28 16:52:20.773393 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_request.c(301): [client 71.207.183.174:52146]
>> Headers received from client:
>> [Wed Aug 28 16:52:20.773412 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_request.c(305): [client 71.207.183.174:52146]
>> Host: beta.mail.homefreemail.com
>> [Wed Aug 28 16:52:20.773421 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_request.c(305): [client 71.207.183.174:52146]
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101
>> Firefox/10.0.12 Iceweasel/10.0.12
>> [Wed Aug 28 16:52:20.773429 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_request.c(305): [client 71.207.183.174:52146]
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> [Wed Aug 28 16:52:20.773438 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_request.c(305): [client 71.207.183.174:52146]
>> Accept-Language: en-us,en;q=0.5
>> [Wed Aug 28 16:52:20.773446 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_request.c(305): [client 71.207.183.174:52146]
>> Accept-Encoding: gzip, deflate
>> [Wed Aug 28 16:52:20.773454 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_request.c(305): [client 71.207.183.174:52146]
>> Connection: keep-alive
>> [Wed Aug 28 16:52:20.773462 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_request.c(305): [client 71.207.183.174:52146]
>> Cookie: __utma=42324028.948667847.1354917052.1355285020.1372106985.3;
>> __utma=25218849.1843664432.1355285037.1355331468.1375823233.4;
>> __utmz=42324028.1372106985.3.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
>>
>> __utmz=25218849.1375823233.4.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
>>
>> __utmv=25218849.comehome.net; default_horde_view=auto
>> [Wed Aug 28 16:52:20.773472 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_request.c(305): [client 71.207.183.174:52146]
>> Cache-Control: max-age=0
>> [Wed Aug 28 16:52:20.773782 2013] [authz_core:debug] [pid 14294:tid
>> 140251620177664] mod_authz_core.c(802): [client 71.207.183.174:52146]
>> AH01626: authorization result of Require all granted: granted
>> [Wed Aug 28 16:52:20.773795 2013] [authz_core:debug] [pid 14294:tid
>> 140251620177664] mod_authz_core.c(802): [client 71.207.183.174:52146]
>> AH01626: authorization result of <RequireAny>: granted
>> [Wed Aug 28 16:52:20.773804 2013] [core:trace3] [pid 14294:tid
>> 140251620177664] request.c(238): [client 71.207.183.174:52146] request
>> authorized without authentication by access_checker_ex hook: /
>> [Wed Aug 28 16:52:20.773832 2013] [rewrite:trace3] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea8160a0/initial]
>> [perdir /usr/share/horde/] strip per-dir prefix: /usr/share/horde/ -
>> [Wed Aug 28 16:52:20.773843 2013] [rewrite:trace3] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea8160a0/initial]
>> [perdir /usr/share/horde/] applying pattern '.*' to uri ''
>> [Wed Aug 28 16:52:20.773869 2013] [rewrite:trace5] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea8160a0/initial]
>> setting env variable 'HTTP_AUTHORIZATION' to ''
>> [Wed Aug 28 16:52:20.773893 2013] [rewrite:trace3] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea8160a0/initial]
>> [perdir /usr/share/horde/] strip per-dir prefix: /usr/share/horde/ -
>> [Wed Aug 28 16:52:20.773903 2013] [rewrite:trace3] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea8160a0/initial]
>> [perdir /usr/share/horde/] applying pattern '^(.*)$' to uri ''
>> [Wed Aug 28 16:52:20.773924 2013] [rewrite:trace4] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea8160a0/initial]
>> [perdir /usr/share/horde/] RewriteCond: input='/usr/share/horde/'
>> pattern='!-d' =not-matched
>> [Wed Aug 28 16:52:20.773934 2013] [rewrite:trace1] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea8160a0/initial]
>> [perdir /usr/share/horde/] pass through /usr/share/horde/
>> [Wed Aug 28 16:52:20.773979 2013] [authz_core:debug] [pid 14294:tid
>> 140251620177664] mod_authz_core.c(802): [client 71.207.183.174:52146]
>> AH01626: authorization result of Require all granted: granted
>> [Wed Aug 28 16:52:20.773989 2013] [authz_core:debug] [pid 14294:tid
>> 140251620177664] mod_authz_core.c(802): [client 71.207.183.174:52146]
>> AH01626: authorization result of <RequireAny>: granted
>> [Wed Aug 28 16:52:20.773997 2013] [core:trace3] [pid 14294:tid
>> 140251620177664] request.c(238): [client 71.207.183.174:52146] request
>> authorized without authentication by access_checker_ex hook: /index.php
>> [Wed Aug 28 16:52:20.774012 2013] [rewrite:trace3] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea80e0a0/subreq]
>> [perdir /usr/share/horde/] strip per-dir prefix:
>> /usr/share/horde/index.php -index.php
>> [Wed Aug 28 16:52:20.774022 2013] [rewrite:trace3] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea80e0a0/subreq]
>> [perdir /usr/share/horde/] applying pattern '.*' to uri 'index.php'
>> [Wed Aug 28 16:52:20.774037 2013] [rewrite:trace5] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea80e0a0/subreq]
>> setting env variable 'HTTP_AUTHORIZATION' to ''
>> [Wed Aug 28 16:52:20.774047 2013] [rewrite:trace3] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea80e0a0/subreq]
>> [perdir /usr/share/horde/] strip per-dir prefix:
>> /usr/share/horde/index.php -index.php
>> [Wed Aug 28 16:52:20.774057 2013] [rewrite:trace3] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea80e0a0/subreq]
>> [perdir /usr/share/horde/] applying pattern '^(.*)$' to uri 'index.php'
>> [Wed Aug 28 16:52:20.774071 2013] [rewrite:trace4] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea80e0a0/subreq]
>> [perdir /usr/share/horde/] RewriteCond:
>> input='/usr/share/horde/index.php' pattern='!-d' =matched
>> [Wed Aug 28 16:52:20.774089 2013] [rewrite:trace4] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea80e0a0/subreq]
>> [perdir /usr/share/horde/] RewriteCond:
>> input='/usr/share/horde/index.php' pattern='!-f' =not-matched
>> [Wed Aug 28 16:52:20.774108 2013] [rewrite:trace1] [pid 14294:tid
>> 140251620177664] mod_rewrite.c(468): [client 71.207.183.174:52146]
>> 71.207.183.174 - -
>> [beta.mail.homefreemail.com/sid#7f8eea927dd8][rid#7f8eea80e0a0/subreq]
>> [perdir /usr/share/horde/] pass through /usr/share/horde/index.php
>> [Wed Aug 28 16:52:20.774173 2013] [http:trace3] [pid 14294:tid
>> 140251620177664] http_filters.c(963): [client 71.207.183.174:52146]
>> Response sent with status 403, headers:
>> [Wed Aug 28 16:52:20.774183 2013] [http:trace5] [pid 14294:tid
>> 140251620177664] http_filters.c(970): [client 71.207.183.174:52146]
>> Date: Wed, 28 Aug 2013 21:52:20 GMT
>> [Wed Aug 28 16:52:20.774190 2013] [http:trace5] [pid 14294:tid
>> 140251620177664] http_filters.c(973): [client 71.207.183.174:52146]
>> Server: Apache
>> [Wed Aug 28 16:52:20.774202 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_filters.c(806): [client 71.207.183.174:52146]
>> Content-Length: 287
>> [Wed Aug 28 16:52:20.774210 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_filters.c(806): [client 71.207.183.174:52146]
>> Keep-Alive: timeout=5, max=100
>> [Wed Aug 28 16:52:20.774218 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_filters.c(806): [client 71.207.183.174:52146]
>> Connection: Keep-Alive
>> [Wed Aug 28 16:52:20.774225 2013] [http:trace4] [pid 14294:tid
>> 140251620177664] http_filters.c(806): [client 71.207.183.174:52146]
>> Content-Type: text/html; charset=iso-8859-1
>> [Wed Aug 28 16:52:20.774269 2013] [core:trace6] [pid 14294:tid
>> 140251620177664] core_filters.c(525): [client 71.207.183.174:52146]
>> core_output_filter: flushing because of FLUSH bucket
>> [Wed Aug 28 16:52:25.775615 2013] [core:trace6] [pid 14294:tid
>> 140251620177664] core_filters.c(525): [client 71.207.183.174:52146]
>> core_output_filter: flushing because of FLUSH bucket
>> --- end detailed apache trace8 log ---
>>
>
> Some more info...
>
> After poking and studying this for several more hours including trying
> solutions discussed here:
>
> http://stackoverflow.com/questions/11992466/apache-permission-denied
>
> On the chance the problem was our fcgid config, I tried Apache's new
> mod_proxy_fcgi module with php5-fpm available since Apache versions
> 2.3+. Implementation is described here:
>
> http://wiki.apache.org/httpd/PHP-FPM
>
> The php5-fpm setup is exactly like what we used successfully with Nginx.
>
> The apache config setup was also simple.
>
> However, when we tried it we got the exact same results already
> described...the .htaccess checks happened as expected with the end
> result being "pass through /usr/share/horde/index.php".
>
> Then Apache returned a 403, not auth, error
>
> [Thu Aug 29 09:42:56.934556 2013] [rewrite:trace1] [pid 12173:tid
> 140479773529856] mod_rewrite.c(468): [client 71.207.183.174:33823]
> 71.207.183.174 - -
> [beta.mail.homefreemail.com/sid#7fc40b2c8710][rid#7fc4041f70a0/subreq]
> [perdir /usr/share/horde/] pass through /usr/share/horde/index.php
> [Thu Aug 29 09:42:56.934629 2013] [http:trace3] [pid 12173:tid
> 140479773529856] http_filters.c(963): [client 71.207.183.174:33823]
> Response sent with status 403, headers:
>
> So at this point it seems to me that our fcgid and proxy_fcgi set ups
> are probably fine, but something in our base Apache 2.4 config is
> preventing anything in our /usr/share/horde/ directory from being
> executed. We have reviewed our base apache2/apache2.conf file till our
> eyes crossed and have not figured it out yet...but we all feel we are
> going to feel pretty stupid when we finally figure this out.
>
> And I assume from the lack of response from the list on this topic that
> no one is using Apache 2.4 yet? Perhaps there is a very good reason for
> that? ;-)
>
The fix turned out to be simple, once you know the problem. The details
below are what worked for us and I do NOT try to go into ALL the basic
details like files perms and ownership. Your server set up is likely
very different from ours, so whatever you do...do NOT just blindly copy
our set up. ;-)
1. You MUST put your specific <Directory ...> directive for your Horde
executable directory in the BASE apache2 config file. In Debian this is
at /etc/apache2/apache2.conf and our Directory directives look like this:
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
# Options +ExecCGI below is ONLY needed if your VirtualHost uses Fcgid
<Directory /usr/share/horde>
Options +ExecCGI
AllowOverride All
Require all granted
</Directory>
<Directory /var/www>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
I still do NOT understand WHY the <Directory /usr/share/horde> directive
had to be in the base apache2.conf file. But we finally figured out
that it was being completely ignored inside the <VirtualHost...>
directive in the virtual server file. But in the end that turned out to
be our major problem...that and adding the "Options +ExecCGI" to get
Fcgid working.
2. You can set up your virtual server config to use either fcgid or the
simpler, more efficient & faster php-fpm (which requires php 5.4+ and
Apache proxy & proxy_fcgi modules). We now have two virtual servers up
and running, one using fcgid and one php-fpm.
=== to use Apache 2.4.x with php-fpm ===
- Follow the steps at http://wiki.apache.org/httpd/PHP-FPM to set up
php-fpm and the Apache proxy modules you need.
Our virtual server config looks like this to use php-fpm
<VirtualHost *:80>
ServerName mail.homefreemail.com
ServerAlias beta.mail.homefreemail.com
DirectoryIndex index.php
DocumentRoot /usr/share/horde/
SuexecUserGroup antespam antespam
IPCCommTimeout 120
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/usr/share/horde/$1
</VirtualHost>
=== to use Apache 2.4.x with FastCGI (Fcgid) ===
<VirtualHost *:80>
ServerName mail.homefreemail.com
ServerAlias beta.mail.homefreemail.com
DirectoryIndex index.php
DocumentRoot /usr/share/horde/
SuexecUserGroup antespam antespam
IPCCommTimeout 120
<Files "*.php">
SetHandler fcgid-script
FcgidWrapper /var/www/mail.homefreemail.com/php5-cgi .php
</Files>
FcgidMaxRequestLen 10496000
</VirtualHost>
You will also need a simple bash shell script for the FcgidWrapper (ours
is at /var/www/mail.homefreemail.com/php5-cgi for no good reason) that
starts the php executable and passes in your php file & arguments. You
can find a good example here,
http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html, and at other
developer sites by Googling "Apache 2.4 mod_fcgid php".
Hope this helps someone avoid the 4 - 5 days it took us to figure this out.
--
Andy Dorman
CONFIDENTIALITY NOTICE: This message is for the named person's use only.
It may contain confidential, proprietary or legally privileged
information. No confidentiality or privilege is waived or lost by any
erroneous transmission. If you receive this message in error, please
immediately destroy it and notify the sender. You must not, directly or
indirectly, use, disclose, distribute, or copy any part of this message
if you are not the intended recipient.
More information about the horde
mailing list