[horde] Successful Horde migration to PHP7.0 - can we compare configs?
Torben Dannhauer
torben at dannhauer.info
Tue Apr 4 08:48:24 UTC 2017
> Thanks. That is encouraging news.
>
> Would it be possible for you to share what version of Apache you are
> using and what the applicable Apache 2.4 config files look like?
>
> Our Debian dev server is successfully using PHP 7, but we have an
> Apache 2.4.xx issue that needs to be fixed before we update our
> production servers.
>
> We have not been able to use any Apache version past 2.4.22 since
> last summer (fetching IMAP folders fails). It appears to be a
> security issue with Apache not passing required info to PHP FPM, and
> I thought it was fixed with a patch in Apache 2.4.25. But about a
> day after thinking it fixed and upgrading Apache on our dev server,
> fetching the IMAP folders stopped working again after rebooting.
>
> So if PHP 7 FPM and a later Apache version are working for you, then
> I may have something mis-configured in my Apache php fpm config
> files. Here is what I am currently using successfully with Apache
> 2.4.10 and PHP FPM 7.0.16 on our dev server that fails when Apache
> upgraded to 2.4.25:
Sure
Here is my config, but without warranty since I may have missed some
issues you are aware of.
I use Apache 2.4.25 with these modules:
[...]
proxy
proxy_fcgi
[...]
My vhost config is:
<VirtualHost *:443>
ServerAdmin webmaster@dannhauer.de
ServerName dannhauer.de
ServerAlias www.dannhauer.de
DocumentRoot /var/www/YOUR_ROOT/web
DirectoryIndex index.php index.html index.htm
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
# PHP7.0-FPM via mod_proxy_fcgi
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php7.0-fpm.MYPOOL.sock|fcgi://localhost/"
</FilesMatch>
# Override PHP-FPM's plain error messages with Apache's standard error messages
# ProxyErrorOverride On
ProxyErrorOverride Off
SuexecUserGroup USER USER
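# The target needs the same trailing slash as the alias, otherwise
# /cgi-bin/foo maps to .../cgi-binfoo
ScriptAlias /cgi-bin/ /var/www/YOUR-ROOT/cgi-bin/
<Directory "/var/www/YOUR-ROOT/cgi-bin/">
AllowOverride None
Options +ExecCGI -MultiViews -Indexes -FollowSymLinks +SymLinksIfOwnerMatch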
Order allow,deny
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/YOURCERT
SSLCertificateKeyFile /etc/ssl/private/YOURKEY
SSLCACertificateFile /etc/ssl/certs/YOURINTERMEDIATE
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dh_2048.pem"
# Bettercrypto.org recommendation
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add six earth month HSTS header for all users...
Header add Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
[... error logging and stuff]
##------------------------------------------------------##
## ##
## Horde Setup ##
## ##
##------------------------------------------------------##
ProxyTimeout 5400
RewriteEngine On
RewriteRule ^/AutoDiscover/AutoDiscover.xml /var/www/YOUR_ROOT/web/horde/rpc.php [NC]
RewriteRule ^/Microsoft-Server-ActiveSync /var/www/YOUR_ROOT/web/horde/rpc.php [NC]
# Pass these headers to PHP because fcgid doesn't
RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
<Directory /var/www/YOUR_ROOT/web/horde/>
Options +FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
RewriteEngine On
RewriteBase /horde
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ rampage.php [QSA,L]
</Directory>
# Horde's root dir uses a .htaccess with a RewriteRule which needs to be extended with 'rewrite_base'
# Overwriting it is a bad idea since it may be replaced by an update.
# -> The solution is to disable .htaccess overwriting just for horde's root dir and reenable overwriting for all subdirs.
<Directory ~ "/var/www/YOUR_ROOT/web/horde/.*">
AllowOverride All
</Directory>
</VirtualHost>
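
Added example, not part of the original post: a Python check that a vhost still carries the three header-forwarding rules from the config above, tolerating the line wrapping that mail archives introduce. The function names and sample strings are constructed for illustration; treating `SetEnvIf ... VAR=$1` and `CGIPassAuth On` as other accepted ways to forward a header is an assumption of this example.

```python
import re

# Env var -> request header, as forwarded by the RewriteRule lines in the post.
REQUIRED = {
    "HTTP_AUTHORIZATION": "authorization",
    "HTTP_MS_ASPROTOCOLVERSION": "ms-asprotocolversion",
    "HTTP_X_MS_POLICYKEY": "x-ms-policykey",
}
RULE = re.compile(r"^[ \t]*RewriteRule\s+\S+\s+\S+\s+\[([^\]]*)\]", re.I | re.M)
E_FLAG = re.compile(r"E=(\w+):%\{HTTP:([^}]+)\}", re.I)
SETENVIF = re.compile(r"^[ \t]*SetEnvIf(?:NoCase)?\s+(\S+)\s+\S+\s+(\w+)=\$1", re.I | re.M)
PASSAUTH = re.compile(r"^[ \t]*CGIPassAuth\s+On\b", re.I | re.M)
ENGINE_ON = re.compile(r"^[ \t]*RewriteEngine\s+On\b", re.I | re.M)

def forwarded(conf):
    """Return {env var: lower-cased source header} for each forwarding directive."""
    conf = re.sub(r"^[ \t]*#.*$", "", conf, flags=re.M)  # ignore commented-out rules
    found = {}
    if ENGINE_ON.search(conf):            # E= flags do nothing while the engine is off
        for flags in RULE.findall(conf):  # \s+ also bridges mail-wrapped rules
            for env, hdr in E_FLAG.findall(flags):
                found[env.upper()] = hdr.lower()
    for hdr, env in SETENVIF.findall(conf):
        found[env.upper()] = hdr.lower()
    if PASSAUTH.search(conf):             # directive available since Apache 2.4.13
        found["HTTP_AUTHORIZATION"] = "authorization"
    return found

def missing(conf):
    """Env vars from REQUIRED that are absent or read from the wrong header."""
    got = forwarded(conf)
    return sorted(env for env, hdr in REQUIRED.items() if got.get(env) != hdr)

# Constructed samples: the post's rules (one still mail-wrapped), and a variant
# with the Authorization rule commented out and a mistyped source header.
SAMPLE_OK = """RewriteEngine On
RewriteRule .* -
[E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
"""
SAMPLE_BAD = """RewriteEngine On
RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policy}]
# RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
"""
if __name__ == "__main__":
    for name, conf in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, "missing:", missing(conf))
```

Run it against the effective vhost text after an Apache upgrade; an empty list means all three variables are still being set for the FPM backend.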