[horde] Dynamic view Horde with apache and php-fpm not working
Jos van der Woude
jos at veerkade.com
Tue Feb 17 14:49:30 UTC 2015
Quoting Torben Dannhauer <torben at dannhauer.info>:
>> Hi Arjen, and others
>
>> I tried that and with your config I get a blank page with one line "no
>> input specified". Funny aye?
>
>> For good measure I reverted back to php and its handler, and my config
>> works like a charm!
>> So it could very well be that you are on the right track saying that
>> the fcgi proxy does not pass everything it should.
>> But what? and how to fix that?
>
>> Regards
>> Jos
>
>> Links:
>> ------
>> [1] fcgi://127.0.0.1:9000/srv/www/htdocs/%241
>
> Hi,
> I use PHP-FPM without ProxyPassmatch since it did not work for me.
> Instead I use a separate handler (If I remember right this requires
> Apache >=2.4.10).
>
> This is my Virtualhost:
> <VirtualHost *:443>
> ServerAdmin [...]
> ServerName [...]
>
> DocumentRoot [...]
> DirectoryIndex index.php index.html index.htm
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> </Directory>
>
> # PHP5-FPM via mod_proxy_fcgi
> <FilesMatch \.php$>
> SetHandler "proxy:unix:/run/php5-fpm.mypool.sock|fcgi://localhost/[1]"
> </FilesMatch>
>
> # Override PHP-FPMs plain error messages with Apaches standard error messages
> ProxyErrorOverride On
>
> [...]
>
> SSLEngine on
> SSLCertificateFile [...]
> SSLCertificateKeyFile [...]
> SSLCACertificateFile [...]
>
> # Bettercrypto.org recommendation
> SSLProtocol All -SSLv2 -SSLv3
> SSLHonorCipherOrder On
> SSLCompression off
> # Add six earth month HSTS header for all users...
> Header add Strict-Transport-Security "max-age=15768000"
> # If you want to protect all subdomains, use the following header
> # ALL subdomains HAVE TO support HTTPS if you use this!
> # Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
> SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
>
> ErrorLog [...]
>
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> # LogLevel debug
> LogLevel warn
>
> CustomLog [...] combined
> ServerSignature On
>
> Alias /icons/ "/usr/share/apache2/icons/"
> <Directory "/usr/share/apache2/icons">
> Options Indexes MultiViews
> AllowOverride None
> Order allow,deny
> Allow from all
> </Directory>
>
> ##------------------------------------------------------##
> ##
> ##
> ## Horde Setup
> ##
> ##
> ##
> ##------------------------------------------------------##
>
> ProxyTimeout 5400
>
> RewriteEngine On
>
> #RewriteRule /.well-known/carddav /var/www/torben/web/domain.tld/horde/rpc.php[2] [R,L]
>
> RewriteRule ^/AutoDiscover/AutoDiscover.xml /var/www/torben/web/domain.tld/horde/rpc.php[2] [NC]
> RewriteRule ^/Microsoft-Server-ActiveSync /var/www/torben/web/domain.tld/horde/rpc.php[2] [NC]
>
> # Pass these headers to PHP because fcgid doesn't
> RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
> RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
> RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
>
> <Directory /var/www/torben/web/domain.tld/horde/[3]>
> Options +FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
>
> RewriteEngine On
> RewriteBase /horde
> RewriteCond %{REQUEST_FILENAME} !-d
> RewriteCond %{REQUEST_FILENAME} !-f
> RewriteRule ^(.*)$ rampage.php [QSA,L]
> </Directory>
>
> # hordes root dir uses a .htaccess with an Rewriterule which needs to be extended with 'rewrite_base'
> # Overwriting it is a bad idea since it may be replaced by an update.
> # -> The solution is to disable .htaccess overwriting just for horde's root dir and reenable overwriting for all subdirs.
> <Directory ~ "/var/www/torben/web/domain.tld/horde/.*[4]>
> AllowOverride All
> </Directory>
> </VirtualHost>
>
Hi Torben and all,
The good news is that I got horde and apache in combination with php-fpm to
work!
The thing that got it to work was a setting in /etc/php.ini
cgi.fix_pathinfo=1
This is actually the default but some (long) time ago I set this to 0 due
to a security warning. See:
https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/
The tips by Torben allow me to only enable php for the horde vhost
specifically, and nowhere else. Using unix sockets speeds up the process
nicely, so thank you!
As I understand, the security risk only surfaces for uploads. Within my
horde installation only authenticated users can upload (pictures in ansel
and such).
So I consider the security risk acceptable.
Thanks for all the input
Jos
Links:
------
[1] unix:/run/php5-fpm.mypool.sock%7Cfcgi://localhost/
[2] http://domain.tld/horde/rpc.php
[3] http://domain.tld/horde/
[4] http://domain.tld/horde/.*
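
Added example, not part of the original thread: a small audit of the two settings that decide how exposed a PHP-FPM setup is once cgi.fix_pathinfo is back at 1, as in the message above. The FPM pool directive security.limit_extensions is not mentioned in the thread; it is checked here as the FPM-side backstop, and the sample configs and the allowed-extension set are constructed assumptions.

```python
# Extensions treated as legitimate PHP entry points (assumption for this example).
ALLOWED_EXTS = {".php", ".phar"}

PATHINFO_ON = "cgi.fix_pathinfo is enabled"
LIMIT_EMPTY = "security.limit_extensions is empty: FPM will run any file type"
LIMIT_WIDE = "security.limit_extensions allows non-PHP extensions: "


def parse_ini(text):
    """Parse php.ini / FPM pool syntax: 'key = value', ';' comments, sections ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit(php_ini_text, pool_text):
    """Return findings about path-info handling and FPM's extension limit."""
    findings = []
    ini = parse_ini(php_ini_text)
    pool = parse_ini(pool_text)
    # Unset means PHP's default, which the message above notes is 1.
    if ini.get("cgi.fix_pathinfo", "1").lower() not in ("0", "off", "false", "no"):
        findings.append(PATHINFO_ON)
    # Only judge the limit when it is set explicitly; unset keeps FPM's built-in default.
    if "security.limit_extensions" in pool:
        exts = set(pool["security.limit_extensions"].split())
        if not exts:
            findings.append(LIMIT_EMPTY)
        elif exts - ALLOWED_EXTS:
            findings.append(LIMIT_WIDE + " ".join(sorted(exts - ALLOWED_EXTS)))
    return findings


# Constructed sample inputs (pool name and socket path follow the quoted vhost).
SAMPLE_PHP_INI = "[PHP]\n; re-enabled to get Horde working\ncgi.fix_pathinfo=1\n"
SAMPLE_POOL_WEAK = "[mypool]\nlisten = /run/php5-fpm.mypool.sock\nsecurity.limit_extensions =\n"
SAMPLE_POOL_STRICT = "[mypool]\nlisten = /run/php5-fpm.mypool.sock\nsecurity.limit_extensions = .php\n"

if __name__ == "__main__":
    for name, pool in (("weak", SAMPLE_POOL_WEAK), ("strict", SAMPLE_POOL_STRICT)):
        print(name, audit(SAMPLE_PHP_INI, pool))
```

With cgi.fix_pathinfo enabled, an explicit security.limit_extensions = .php in the pool keeps FPM from executing files that merely sit next to PHP scripts, such as uploaded images.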