[horde] Successful Horde migration to PHP7.0 - can we compare configs?

Andy Dorman adorman at ironicdesign.com
Tue Apr 4 13:50:18 UTC 2017


On 04/04/2017 03:48 AM, Torben Dannhauer wrote:
>
>> Thanks.  That is encouraging news.
>>
>> Would it be possible for you to share what version of Apache you are
>> using and what the applicable Apache 2.4 config files look like?
>>
>> Our Debian dev server is successfully using PHP 7, but we have an
>> Apache 2.4.xx issue that needs to be fixed before we update our
>> production servers.
>>
>> We have not been able to use any Apache version past 2.4.22 since last
>> summer (fetching IMAP folders fails).  It appears to be a security
>> issue with Apache not passing required info to PHP FPM, and I thought
>> it was fixed with a patch in Apache 2.4.25.  But about a day after
>> thinking it fixed and upgrading Apache on our dev server, fetching the
>> IMAP folders stopped working again after rebooting.
>>
>> So if PHP 7 FPM and a later Apache version are working for you, then I
>> may have something mis-configured in my Apache php fpm config files.
>> Here is what I am currently using successfully with Apache 2.4.10 and
>> PHP FPM 7.0.16 on our dev server that fails when Apache upgraded to
>> 2.4.25:
>
>
> Sure
>
> Here is my config, but without warranty since I may have missed some
> issues you are aware of.
>
> I use Apache 2.4.25 with these modules:
> [...]
> proxy
> proxy_fcgi
> [...]
>
> My vhost config is:
> <VirtualHost *:443>
>         ServerAdmin webmaster at dannhauer.de
>         ServerName dannhauer.de
>         ServerAlias www.dannhauer.de
>
>         DocumentRoot /var/www/YOUR_ROOT/web
>         DirectoryIndex index.php index.html index.htm
>
>         <Directory />
>                 Options FollowSymLinks
>                 AllowOverride None
>         </Directory>
>
>         # PHP7.0-FPM via mod_proxy_fcgi
>         <FilesMatch \.php$>
>             SetHandler "proxy:unix:/run/php7.0-fpm.MYPOOL.sock|fcgi://localhost/"
>         </FilesMatch>
>
>         # Override PHP-FPM's plain error messages with Apache's standard error messages
>         # ProxyErrorOverride On
>         ProxyErrorOverride Off
>
>         SuexecUserGroup USER USER
>         ScriptAlias /cgi-bin/ /var/www/YOUR-ROOT/cgi-bin/
>         <Directory "/var/www/YOUR-ROOT/cgi-bin/">
>                 AllowOverride None
>                 Options +ExecCGI -MultiViews -Indexes -FollowSymLinks +SymLinksIfOwnerMatch
>                 Order allow,deny
>                 Allow from all
>         </Directory>
>
>         SSLEngine on
>         SSLCertificateFile      /etc/ssl/certs/YOURCERT
>         SSLCertificateKeyFile /etc/ssl/private/YOURKEY
>         SSLCACertificateFile /etc/ssl/certs/YOURINTERMEDIATE
>         SSLOpenSSLConfCmd DHParameters "/etc/ssl/dh_2048.pem"
>
>         # Bettercrypto.org recommendation
>         SSLProtocol All -SSLv2 -SSLv3
>         SSLHonorCipherOrder On
>         SSLCompression off
>         # Add six earth month HSTS header for all users...
>         Header add Strict-Transport-Security "max-age=15768000"
>         # If you want to protect all subdomains, use the following header
>         # ALL subdomains HAVE TO support HTTPS if you use this!
>         # Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
>         SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
>
>
> [... error logging and stuff]
>
>
> ##------------------------------------------------------##
> ##                                                      ##
> ##                     Horde Setup                      ##
> ##                                                      ##
> ##------------------------------------------------------##
>
>         ProxyTimeout 5400
>
>         RewriteEngine On
>
>         RewriteRule ^/AutoDiscover/AutoDiscover.xml /var/www/YOUR_ROOT/web/horde/rpc.php [NC]
>         RewriteRule ^/Microsoft-Server-ActiveSync /var/www/YOUR_ROOT/web/horde/rpc.php [NC]
>
>         # Pass these headers to PHP because fcgid doesn't
>         RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
>         RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
>         RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
>
>         <Directory /var/www/YOUR_ROOT/web/horde/>
>                 Options +FollowSymLinks
>                 AllowOverride None
>                 Order allow,deny
>                 Allow from all
>
>                 RewriteEngine On
>                 RewriteBase /horde
>                 RewriteCond   %{REQUEST_FILENAME}  !-d
>                 RewriteCond   %{REQUEST_FILENAME}  !-f
>                 RewriteRule ^(.*)$ rampage.php [QSA,L]
>         </Directory>
>
>         # Horde's root dir uses a .htaccess with a RewriteRule which needs to be extended with 'rewrite_base'
>         # Overwriting it is a bad idea since it may be replaced by an update.
>         # -> The solution is to disable .htaccess overwriting just for horde's root dir and reenable overwriting for all subdirs.
>         <Directory ~ "/var/www/YOUR_ROOT/web/horde/.*">
>                 AllowOverride All
>         </Directory>
>
>
> </VirtualHost>
>

Thank you and I understand about no warranty.  I just hope comparing our 
setup with a known working config will give us a clue about what we have 
missed.

-- 
Andy Dorman
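
An added example, not part of the thread or of Horde: a small Python check for the header-forwarding rules in the quoted vhost. It reads a config (including one pasted from mail with `>` quoting and wrapped lines) and lists which of the three headers have no active forwarding directive. The `SetEnvIf` and `CGIPassAuth On` forms it also accepts are assumptions about equivalent setups, not taken from the quoted config, and the sample input is constructed.

```python
import re

# Request header -> environment variable name the quoted vhost hands to PHP.
REQUIRED = {
    "authorization": "HTTP_AUTHORIZATION",
    "ms-asprotocolversion": "HTTP_MS_ASPROTOCOLVERSION",
    "x-ms-policykey": "HTTP_X_MS_POLICYKEY",
}
E_FLAG = re.compile(r"E=(\w+):%\{HTTP:([\w-]+)\}")
SETENVIF = re.compile(r"SetEnvIf(?:NoCase)?\s+([\w-]+)\s+\S+\s+(\w+)=\$1", re.I)
FCGI = re.compile(r"SetHandler\s+\"?proxy:.*fcgi://", re.I)

# Constructed sample: a mail-quoted, mail-wrapped fragment with one rule commented out.
SAMPLE = r"""
> <FilesMatch \.php$>
>     SetHandler
> "proxy:unix:/run/php7.0-fpm.MYPOOL.sock|fcgi://localhost/"
> </FilesMatch>
> RewriteRule .* -
> [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
> # RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
> RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
"""

def logical_lines(text):
    """Drop mail quoting and comments, rejoin lines the mail client wrapped."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line or line.startswith("#"):
            continue
        if out and line[0] in "[\"'":  # no directive starts like this: wrapped tail
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def audit(text):
    """Return (uses_fcgi_proxy, required headers with no forwarding directive)."""
    uses_fcgi, forwarded = False, set()
    for line in logical_lines(text):
        uses_fcgi = uses_fcgi or bool(FCGI.match(line))
        pairs = E_FLAG.findall(line) if line.lower().startswith("rewriterule") else []
        m = SETENVIF.match(line)
        if m:
            pairs.append((m.group(2), m.group(1)))
        if re.match(r"CGIPassAuth\s+On\b", line, re.I):  # core directive, Apache 2.4.13+
            pairs.append(("HTTP_AUTHORIZATION", "Authorization"))
        forwarded |= {h.lower() for env, h in pairs if REQUIRED.get(h.lower()) == env}
    return uses_fcgi, sorted(set(REQUIRED) - forwarded)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running it against both the working and the failing vhost gives a quick first comparison before diffing the files by hand.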


