TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3, 7.4 for Debian & Ubuntu (and optionally directly nginx-PHP-FPM)
Re: TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3 for Debian and Ubuntu (and optionally directly nginx-PHP-FPM)
To list a few:
- 2 Factor Authentication
- Update Backend (Hestia panel) to use the latest PHP 7.3 instead of PHP 5.6 that Vesta uses, as well as the latest nginx version
- Closed a few ports by default (eg. 3306 and 2525)
- Reworked Nginx/Apache templates
- Changed permissions of some files to stricter ones
- Made changes to nearly all applications config files, in order to hide their names and versions
- Disabled admin user shell access by default
Re: TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3 for Debian and Ubuntu (and optionally directly nginx-PHP-FPM)
ok, maybe. I don't know about hestia
Re: TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3 for Debian and Ubuntu (and optionally directly nginx-PHP-FPM)
There is a very risky vulnerability with default PHP opcache settings for hosting machines! You can include other users' cached PHP files without the PHP sub-system doing a filesystem permission check... By default! It is exploitable with the default install of Vesta C.P., I think because they don't want to tamper with Linux install defaults.
https://ma.ttias.be/mitigating-phps-lon ... tive-data/
Re: TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3 for Debian and Ubuntu (and optionally directly nginx-PHP-FPM)
eSzeL wrote: Sat Mar 23, 2019 2:06 pm
> There is a very risky vulnerability with default PHP opcache settings for hosting machines! You can include other users' cached PHP files without the PHP sub-system doing a filesystem permission check... By default! It is exploitable with the default install of Vesta C.P., I think because they don't want to tamper with Linux install defaults.
> https://ma.ttias.be/mitigating-phps-lon ... tive-data/
To fix this, related to the post https://ma.ttias.be/mitigating-phps-lon ... tive-data/, I did the following:
(DEBIAN 9)
Check the current state of your config files and search for "opcache.validate_permission" and "opcache.validate_root" in all PHP configs:
Code:
grep -nrw "/etc/php/" -e "opcache.validate_permission"
grep -nrw "/etc/php/" -e "opcache.validate_root"
Code:
sed -i "s/;* *opcache.validate_root=0/opcache.validate_root=1/g" /etc/php/*/*/php.ini
sed -i "s/;* *opcache.validate_permission=0/opcache.validate_permission=1/g" /etc/php/*/*/php.ini
Code:
grep -nrw "/etc/php/" -e "opcache.validate_permission"
grep -nrw "/etc/php/" -e "opcache.validate_root"
Code:
service php*-fpm restart
service nginx restart
service apache2 restart
In the template files, the log path was written as:
Code:
/var/log/nginx/domains/%domain%.error.log error;
So I used the %web_system% variable instead in each of the new template files.
Code:
access_log /var/log/%web_system%/domains/%domain%.log combined;
access_log /var/log/%web_system%/domains/%domain%.bytes bytes;
error_log /var/log/%web_system%/domains/%domain%.error.log error;
Cheers,
Kalle
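The check-then-fix procedure from the post above, extended into an audit (an added example, not part of the original posts): it reports the effective value of both directives per SAPI directory, including lines the `sed` pattern does not match, such as `opcache.validate_root = 0` written with spaces. It assumes Debian's `/etc/php/<version>/<sapi>/` layout with a `conf.d/` directory read after `php.ini`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the thread.

# opcache_effective DIRECTIVE FILE...
# Prints 1 if the last uncommented assignment across FILEs (given in load
# order) enables DIRECTIVE, else 0. Missing or ';'-commented counts as 0,
# which is PHP's built-in default for both directives.
opcache_effective() {
    directive=$1; shift
    awk -v d="$directive" '
        BEGIN { val = "0" }
        /^[ \t]*;/ { next }                  # commented out: PHP ignores it
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)      # drop a trailing comment
            n = index(line, "=")
            if (n == 0) next                 # section header or blank line
            key = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t"\r]/, "", v)
            if (key == d) val = tolower(v)   # a later assignment wins
        }
        END { if (val ~ /^(1|on|yes|true)$/) print 1; else print 0 }
    ' "$@"
}

# audit_sapi DIR (e.g. /etc/php/7.3/fpm)
# Returns 0 only if both directives are enabled after reading php.ini and
# then conf.d/*.ini; returns 2 if DIR holds no ini files.
audit_sapi() {
    dir=$1; rc=0
    set --
    for f in "$dir/php.ini" "$dir"/conf.d/*.ini; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || { echo "$dir: no ini files found"; return 2; }
    for d in opcache.validate_permission opcache.validate_root; do
        if [ "$(opcache_effective "$d" "$@")" = 1 ]; then
            echo "$dir: $d enabled"
        else
            echo "$dir: $d NOT enabled"; rc=1
        fi
    done
    return "$rc"
}

# Audit every version/SAPI directory, the same tree the sed commands edit.
for sapi in /etc/php/*/*/; do
    [ -f "${sapi}php.ini" ] || continue
    audit_sapi "${sapi%/}" || true
done
```

Run it before and after the `sed` step; any directory still reported as NOT enabled has the directive set in a form or file the substitution did not reach.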
Re: TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3 for Debian and Ubuntu (and optionally directly nginx-PHP-FPM)
kallovsky wrote: Thu Mar 28, 2019 11:32 am
> Also I wanted to mention, that I ran into trouble with a log file error of nginx after following the howto.
> In the template files there was written as log path
> Code:
> /var/log/nginx/domains/%domain%.error.log error;
I can't see how it's related to this tutorial, since this tutorial does not modify nginx templates at all :)
Probably the Vesta default nginx templates have an error?
Please check - https://github.com/serghey-rodin/vesta/ ... /web/nginx
(if we are talking about debian9)
Re: TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3 for Debian and Ubuntu (and optionally directly nginx-PHP-FPM)
Indeed it doesn't modify, but created new nginx templates. The "step forward" you posted on the first page allows direct communication between nginx and php-fpm. To do so, we create new nginx templates...
That was what my issue was related to ;). The vesta default templates didn't have the error and brought me by compare them to the new templates to the solution :).
Re: TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3 for Debian and Ubuntu (and optionally directly nginx-PHP-FPM)
kallovsky wrote: Thu Mar 28, 2019 5:58 pm
> Indeed it doesn't modify, but created new nginx templates. The "step forward" you posted on the first page allows direct communication between nginx and php-fpm. To do so, we create new nginx templates...
> That was what my issue was related to ;). The vesta default templates didn't have the error and brought me by compare them to the new templates to the solution :).
Yes, but those templates are vesta fpm templates, not mine.
Maybe in FPM variant of Vesta that folder exists.
OK, I'll add additional replace, thank you.
Re: TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3 for Debian and Ubuntu (and optionally directly nginx-PHP-FPM)
dpeca wrote: Thu Mar 28, 2019 10:24 pm
> kallovsky wrote: Thu Mar 28, 2019 5:58 pm
> > Indeed it doesn't modify, but created new nginx templates. The "step forward" you posted on the first page allows direct communication between nginx and php-fpm. To do so, we create new nginx templates...
> > That was what my issue was related to ;). The vesta default templates didn't have the error and brought me by compare them to the new templates to the solution :).
> Yes, but those templates are vesta fpm templates, not mine.
> Maybe in FPM variant of Vesta that folder exists.
> OK, I'll add additional replace, thank you.
I guess that's it:
Code:
sed -i "s#/var/log/nginx/#/var/log/%web_system%/#g" /usr/local/vesta/data/templates/web/nginx/PHP-FPM-72.tpl
sed -i "s#/var/log/nginx/#/var/log/%web_system%/#g" /usr/local/vesta/data/templates/web/nginx/PHP-FPM-72.stpl
Re: TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3 for Debian and Ubuntu (and optionally directly nginx-PHP-FPM)
After install, apt upgrade gives me the following error:
Can this be remediated?
Code:
Job for php7.3-fpm.service failed because the control process exited with error code.
See "systemctl status php7.3-fpm.service" and "journalctl -xe" for details.
invoke-rc.d: initscript php7.3-fpm, action "restart" failed.
* php7.3-fpm.service - The PHP 7.3 FastCGI Process Manager
Loaded: loaded (/lib/systemd/system/php7.3-fpm.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2019-04-11 14:14:43 EEST; 7ms ago
Docs: man:php-fpm7.3(8)
Process: 783 ExecStart=/usr/sbin/php-fpm7.3 --nodaemonize --fpm-config /etc/php/7.3/fpm/php-fpm.conf (code=exited, status=78)
Main PID: 783 (code=exited, status=78)
Apr 11 14:14:43 host.example.com systemd[1]: Starting The PHP 7.3 FastCGI Process Manager...
Apr 11 14:14:43 host.example.com php-fpm7.3[783]: [11-Apr-2019 14:14:43] WARNING: Nothing matches the include pattern '/etc/php/7.3/fpm/pool.d/*.conf' from /etc/php/7.3/fpm/php-fpm.conf at line 143.
Apr 11 14:14:43 host.example.com php-fpm7.3[783]: [11-Apr-2019 14:14:43] ERROR: No pool defined. at least one pool section must be specified in config file
Apr 11 14:14:43 host.example.com php-fpm7.3[783]: [11-Apr-2019 14:14:43] ERROR: failed to post process the configuration
Apr 11 14:14:43 host.example.com php-fpm7.3[783]: [11-Apr-2019 14:14:43] ERROR: FPM initialization failed
Apr 11 14:14:43 host.example.com systemd[1]: php7.3-fpm.service: Main process exited, code=exited, status=78/n/a
Apr 11 14:14:43 host.example.com systemd[1]: Failed to start The PHP 7.3 FastCGI Process Manager.
Apr 11 14:14:43 host.example.com systemd[1]: php7.3-fpm.service: Unit entered failed state.
Apr 11 14:14:43 host.example.com systemd[1]: php7.3-fpm.service: Failed with result 'exit-code'.
dpkg: error processing package php7.3-fpm (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
php7.3-fpm
E: Sub-process /usr/bin/dpkg returned an error code (1)
Re: TUTORIAL: PHP selector for PHP 5.6, 7.0, 7.1, 7.2, 7.3 for Debian and Ubuntu (and optionally directly nginx-PHP-FPM)
eugeniu wrote: Thu Apr 11, 2019 11:17 am
> after install apt upgrade gives me the following error:
> can this be remediated?
> Code:
> Apr 11 14:14:43 host.example.com php-fpm7.3[783]: [11-Apr-2019 14:14:43] WARNING: Nothing matches the include pattern '/etc/php/7.3/fpm/pool.d/*.conf' from /etc/php/7.3/fpm/php-fpm.conf at line 143.
Just create any subdomain, for example dummy.domain.com, and put PHP-FPM-73 on that subdomain.
The error occurs when nothing is assigned to the installed FPM.