TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3, 7.4 for Debian & Ubuntu (and optionally directly nginx-PHP-FPM)

[alexcy]

To list a few:

- 2 Factor Aurhentication

- Update Backend (Hestia panel) to use the latest PHP 7.3 instead of PHP 5.6 that Vesta uses, as well as the latest nginx version

- Closed a few ports by default (eg. 3306 and 2525)

- Reworked Nginx/Apache templates

- Changed permissions of some files to stricter ones

- Made changes to nearly all applications config files, in order to hide their names and versions

- Disabled admin user shell access by default

[imperio]

ok, maybe. I don't know about hestia

[eSzeL]

Forgot to mention:

- Increased default password generation for HestiaCP users, MySQL users and Email users to 16 characters.

There is a very risky vulnerability with default PHP opcache settings for hosting machines! You can include other users cached PHP files without PHP sub-system doing filesystem permission check... By default! It is exploitable with the default install of Vesta C.P., I think because they don't want to tamper Linux install defaults..

https://ma.ttias.be/mitigating-phps-lon ... tive-data/

[kallovsky]

There is a very risky vulnerability with default PHP opcache settings for hosting machines! You can include other users cached PHP files without PHP sub-system doing filesystem permission check... By default! It is exploitable with the default install of Vesta C.P., I think because they don't want to tamper Linux install defaults..

https://ma.ttias.be/mitigating-phps-lon ... tive-data/

To fix this, related to the post https://ma.ttias.be/mitigating-phps-lon ... tive-data/, I did the following:
(DEBIAN 9)

check for current state of you config files and search for "opcache.validate_permission" and "opcache.validate_root" in all php configs

Code: Select all

grep -nrw "/etc/php/" -e "opcache.validate_permission"
grep -nrw "/etc/php/" -e "opcache.validate_root"

Code: Select all

sed -i "s/;* *opcache.validate_root=0/opcache.validate_root=1/g" /etc/php/*/*/php.ini
sed -i "s/;* *opcache.validate_permission=0/opcache.validate_permission=1/g" /etc/php/*/*/php.ini

Check again your config files if the parameter has changed:

Code: Select all

grep -nrw "/etc/php/" -e "opcache.validate_permission"
grep -nrw "/etc/php/" -e "opcache.validate_root"

Restart the servers

Code: Select all

service php*-fpm restart
service nginx restart
service apache2 restart

Also I wanted to mention, that I ran into trouble with a log file error of nginx after following the howto.
In the template files there was written as log path

Code: Select all

/var/log/nginx/domains/%domain%.error.log error;

That directory basically didn't exist. So I decided to map the log output also to the existing log files of apache2, since I wanted to keep it somehow centralized.
So I used the %web_system% variable instead in each new template files.

Code: Select all

access_log  /var/log/%web_system%/domains/%domain%.log combined;
access_log  /var/log/%web_system%/domains/%domain%.bytes bytes;
error_log   /var/log/%web_system%/domains/%domain%.error.log error;

Cheers,
Kalle

[dpeca]

Also I wanted to mention, that I ran into trouble with a log file error of nginx after following the howto.
In the template files there was written as log path

Code: Select all

/var/log/nginx/domains/%domain%.error.log error;

I can't see how it's related to this tutorial, since this tutorial does not modify nginx templates at all :)
Probably vesta default nginx templates have error?
Please check - https://github.com/serghey-rodin/vesta/ ... /web/nginx
(if we are talking about debian9)

[kallovsky]

Indeed it doesn't modify, but created new nginx templates. The "step forward" you posted on the first page allows direct communication between nginx and php-fpm. To do so, we create new nginx templates...
That was what my issue was related to ;). The vesta default templates didn't have the error and brought me by compare them to the new templates to the solution :).

[dpeca]

Indeed it doesn't modify, but created new nginx templates. The "step forward" you posted on the first page allows direct communication between nginx and php-fpm. To do so, we create new nginx templates...
That was what my issue was related to ;). The vesta default templates didn't have the error and brought me by compare them to the new templates to the solution :).

Yes, but those templates are vesta fpm templates, not mine.
Maybe in FPM variant of Vesta that folder exists.
OK, I'll add additional replace, thank you.

[dpeca]

Indeed it doesn't modify, but created new nginx templates. The "step forward" you posted on the first page allows direct communication between nginx and php-fpm. To do so, we create new nginx templates...
That was what my issue was related to ;). The vesta default templates didn't have the error and brought me by compare them to the new templates to the solution :).

Yes, but those templates are vesta fpm templates, not mine.
Maybe in FPM variant of Vesta that folder exists.
OK, I'll add additional replace, thank you.

I guess that's it:

Code: Select all

sed -i "s#/var/log/nginx/#/var/log/%web_system%/#g" /usr/local/vesta/data/templates/web/nginx/PHP-FPM-72.tpl
sed -i "s#/var/log/nginx/#/var/log/%web_system%/#g" /usr/local/vesta/data/templates/web/nginx/PHP-FPM-72.stpl

[eugeniu]

after install apt upgrade gives me the followin error:

Code: Select all

Job for php7.3-fpm.service failed because the control process exited with error code.
See "systemctl status php7.3-fpm.service" and "journalctl -xe" for details.
invoke-rc.d: initscript php7.3-fpm, action "restart" failed.
* php7.3-fpm.service - The PHP 7.3 FastCGI Process Manager
   Loaded: loaded (/lib/systemd/system/php7.3-fpm.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2019-04-11 14:14:43 EEST; 7ms ago
     Docs: man:php-fpm7.3(8)
  Process: 783 ExecStart=/usr/sbin/php-fpm7.3 --nodaemonize --fpm-config /etc/php/7.3/fpm/php-fpm.conf (code=exited, status=78)
 Main PID: 783 (code=exited, status=78)

Apr 11 14:14:43 host.example.com systemd[1]: Starting The PHP 7.3 FastCGI Process Manager...
Apr 11 14:14:43 host.example.com php-fpm7.3[783]: [11-Apr-2019 14:14:43] WARNING: Nothing matches the include pattern '/etc/php/7.3/fpm/pool.d/*.conf' from /etc/php/7.3/fpm/php-fpm.conf at line 143.
Apr 11 14:14:43 host.example.com php-fpm7.3[783]: [11-Apr-2019 14:14:43] ERROR: No pool defined. at least one pool section must be specified in config file
Apr 11 14:14:43 host.example.com php-fpm7.3[783]: [11-Apr-2019 14:14:43] ERROR: failed to post process the configuration
Apr 11 14:14:43 host.example.com php-fpm7.3[783]: [11-Apr-2019 14:14:43] ERROR: FPM initialization failed
Apr 11 14:14:43 host.example.com systemd[1]: php7.3-fpm.service: Main process exited, code=exited, status=78/n/a
Apr 11 14:14:43 host.example.com systemd[1]: Failed to start The PHP 7.3 FastCGI Process Manager.
Apr 11 14:14:43 host.example.com systemd[1]: php7.3-fpm.service: Unit entered failed state.
Apr 11 14:14:43 host.example.com systemd[1]: php7.3-fpm.service: Failed with result 'exit-code'.
dpkg: error processing package php7.3-fpm (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 php7.3-fpm
E: Sub-process /usr/bin/dpkg returned an error code (1)

can this be remediated?

[dpeca]

after install apt upgrade gives me the followin error:

Code: Select all

Apr 11 14:14:43 host.example.com php-fpm7.3[783]: [11-Apr-2019 14:14:43] WARNING: Nothing matches the include pattern '/etc/php/7.3/fpm/pool.d/*.conf' from /etc/php/7.3/fpm/php-fpm.conf at line 143.

can this be remediated?

Just create any subdomain, for example dummy.domain.com, and put PHP-FPM-73 on that subdomain.

Error occur when nothing is assigned to installed FPM.