Disabling open_basedir on domain level doesn't work #53

Closed
hannesbe opened this issue Apr 18, 2016 · 3 comments

hannesbe commented Apr 18, 2016

I've spent many hours trying to figure out strange behavior when setting up a Laravel domain. Laravel requires access outside the site's root, so I disabled open_basedir by copying /usr/local/nginx/conf/php.conf to /usr/local/nginx/conf/php_l5.conf, commenting out fastcgi_param PHP_ADMIN_VALUE open_basedir and including /usr/local/nginx/conf/php_l5.conf instead of /usr/local/nginx/conf/php.conf in /usr/local/nginx/conf/conf.d/example.com.conf.

At first it seems to work, but I'm getting random 500s every few pages loaded. php-fpm log shows PHP Warning: Unknown: open_basedir restriction in effect. The allowed path(s) mentioned in the log are from other domains that have open_basedir enabled through /usr/local/nginx/conf/php.conf.

tail -1000 /var/log/php-fpm/www-php.error.log |grep open_base

[18-Apr-2016 04:09:57 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/ninja.nextgen.finance/ininja/public/index.php) is not within the allowed path(s): (/home/nginx/domains/lounge-fashion.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[18-Apr-2016 04:09:57 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/ninja.nextgen.finance/ininja/public/index.php) is not within the allowed path(s): (/home/nginx/domains/lounge-fashion.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[18-Apr-2016 04:09:58 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/ninja.nextgen.finance/ininja/public/index.php) is not within the allowed path(s): (/home/nginx/domains/lounge-fashion.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[18-Apr-2016 04:09:58 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/ninja.nextgen.finance/ininja/public/index.php) is not within the allowed path(s): (/home/nginx/domains/lounge-fashion.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[18-Apr-2016 04:10:14 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/ninja.nextgen.finance/ininja/public/index.php) is not within the allowed path(s): (/home/nginx/domains/coverswim.be/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[18-Apr-2016 04:15:01 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/ninja.nextgen.finance/ininja/public/index.php) is not within the allowed path(s): (/home/nginx/domains/ha.nnes.be/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[18-Apr-2016 04:15:03 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/ninja.nextgen.finance/ininja/public/index.php) is not within the allowed path(s): (/home/nginx/domains/ha.nnes.be/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[18-Apr-2016 04:34:08 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/ninja.nextgen.finance/ininja/public/index.php) is not within the allowed path(s): (/home/nginx/domains/connexeon.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[18-Apr-2016 05:12:07 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/ninja.nextgen.finance/ininja/public/index.php) is not within the allowed path(s): (/home/nginx/domains/connexeon.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[18-Apr-2016 05:12:08 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/ninja.nextgen.finance/ininja/public/index.php) is not within the allowed path(s): (/home/nginx/domains/connexeon.com/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0

Looks a lot like this: https://forum.nginx.org/read.php?3,234856

To work around this, I needed to remove fastcgi_param PHP_ADMIN_VALUE open_basedir=..... from all location level references (/usr/local/nginx/conf/php-wpsc.conf and /usr/local/nginx/conf/php.conf). Only then it was really always disabled.

Regards,
Hannes

Owner

centminmod commented Apr 18, 2016

@hannesbe what's the contents of /usr/local/nginx/conf/conf.d/example.com.conf ?

this post at https://forum.nginx.org/read.php?3,234856,238870#msg-238870 describes working setup that centmin mod php-fpm uses as well

edit: hmmm

This is provided there are no php_admin_value's in php-fpm.conf

strange as it works for me though

@hannesbe
Author

❯ cat /usr/local/nginx/conf/conf.d/ninja.nextgen.finance.conf
# Centmin Mod Getting Started Guide
# must read http://centminmod.com/getstarted.html

# redirect from non-www to www
# uncomment, save file and restart Nginx to enable
# if unsure use return 302 before using return 301
#server {
#            listen   80;
#            server_name ninja.nextgen.finance;
#            return 301 $scheme://www.ninja.nextgen.finance$request_uri;
#       }

server {
  server_name ninja.nextgen.finance www.ninja.nextgen.finance;

# ngx_pagespeed & ngx_pagespeed handler
#include /usr/local/nginx/conf/pagespeed.conf;
#include /usr/local/nginx/conf/pagespeedhandler.conf;
#include /usr/local/nginx/conf/pagespeedstatslog.conf;

  # limit_conn limit_per_ip 16;
  # ssi  on;

  access_log /home/nginx/domains/ninja.nextgen.finance/log/access.log combined buffer=256k flush=60m;
  error_log /home/nginx/domains/ninja.nextgen.finance/log/error.log;

  root /home/nginx/domains/ninja.nextgen.finance/ininja/public;

  # prevent access to ./directories and files
  location ~ (?:^|/)\. {
   deny all;
  }

  location / {
   try_files $uri $uri/ /index.php?$query_string;
  }

  include /usr/local/nginx/conf/staticfiles.conf;
  include /usr/local/nginx/conf/php_l5.conf;
  include /usr/local/nginx/conf/drop.conf;
  #include /usr/local/nginx/conf/errorpage.conf;
  include /usr/local/nginx/conf/vts_server.conf;
}
❯ cat /usr/local/nginx/conf/php_l5.conf
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass   127.0.0.1:9000;
    #fastcgi_pass   unix:/tmp/php5-fpm.sock;
    fastcgi_index  index.php;
    #fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    fastcgi_param  SCRIPT_FILENAME    $request_filename;
    #fastcgi_param PHP_ADMIN_VALUE open_basedir=$document_root/:/usr/local/lib/php/:/tmp/;

# might shave 200+ ms off PHP requests
# which don't pass on a content length header
# slightly faster page response time at the
# expense of throughput / scalability
#sendfile on;
#tcp_nopush off;
#keepalive_requests 0;

fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 512k;
fastcgi_buffers 512 16k;
fastcgi_busy_buffers_size 1m;
fastcgi_temp_file_write_size 4m;
fastcgi_max_temp_file_size 4m;
fastcgi_intercept_errors on;

# next 3 lines when uncommented / enabled
# allow Nginx to handle uploads which then
# passes back the completed upload to PHP
fastcgi_pass_request_body off;
client_body_in_file_only clean;
fastcgi_param  REQUEST_BODY_FILE  $request_body_file;

#new .04+ map method
fastcgi_param HTTPS $server_https;

# comment out PATH_TRANSLATED line if /usr/local/lib/php.ini sets following:
# cgi.fix_pathinfo=0
# as of centminmod v1.2.3-eva2000.01 default is set to cgi.fix_pathinfo=1

fastcgi_param  PATH_INFO          $fastcgi_path_info;
fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# Set php-fpm geoip variables
fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
fastcgi_param GEOIP_COUNTRY_CODE3 $geoip_country_code3;
fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
fastcgi_param GEOIP_CITY_COUNTRY_CODE $geoip_city_country_code;
fastcgi_param GEOIP_CITY_COUNTRY_CODE3 $geoip_city_country_code3;
fastcgi_param GEOIP_CITY_COUNTRY_NAME $geoip_city_country_name;
fastcgi_param GEOIP_REGION $geoip_region;
fastcgi_param GEOIP_CITY $geoip_city;
fastcgi_param GEOIP_POSTAL_CODE $geoip_postal_code;
fastcgi_param GEOIP_CITY_CONTINENT_CODE $geoip_city_continent_code;
fastcgi_param GEOIP_LATITUDE $geoip_latitude;
fastcgi_param GEOIP_LONGITUDE $geoip_longitude;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

                   }
❯ ls -lah /home/nginx/domains/ninja.nextgen.finance/ininja
Alias tip: lsa /home/nginx/domains/ninja.nextgen.finance/ininja
total 476K
drwxr-sr-x 11 nginx nginx 4.0K Apr 18 05:10 .
drwxr-s---  7 nginx nginx 4.0K Apr 18 05:10 ..
drwxr-sr-x 15 nginx nginx 4.0K Apr  9 22:03 app
-rwxr-xr-x  1 nginx nginx 1.6K Apr  9 22:03 artisan
drwxr-sr-x  3 nginx nginx 4.0K Apr  9 22:03 bootstrap
-rw-r--r--  1 nginx nginx  818 Apr  9 22:03 bower.json
-rw-r--r--  1 nginx nginx   36 Apr  9 22:03 .bowerrc
-rw-r--r--  1 nginx nginx 8.4K Apr 18 05:10 c3.php
-rw-r--r--  1 nginx nginx  646 Apr  9 22:03 codeception.yml
-rw-r--r--  1 nginx nginx 3.6K Apr  9 22:03 composer.json
-rw-r--r--  1 nginx nginx 330K Apr  9 22:03 composer.lock
drwxr-sr-x  3 nginx nginx 4.0K Apr  9 22:03 config
drwxr-sr-x  4 nginx nginx 4.0K Apr  9 22:03 database
-rw-r--r--  1 nginx nginx  778 Apr 18 05:21 .env
-rw-r--r--  1 nginx nginx  735 Apr  9 22:03 .env.example
-rw-r--r--  1 nginx nginx   61 Apr  9 22:03 .gitattributes
-rw-r--r--  1 nginx nginx  550 Apr  9 22:03 .gitignore
-rw-r--r--  1 nginx nginx 7.3K Apr  9 22:03 Gruntfile.js
-rw-r--r--  1 nginx nginx  503 Apr  9 22:03 gulpfile.js
-rw-r--r--  1 nginx nginx  239 Apr  9 22:03 .htaccess
-rw-r--r--  1 nginx nginx 2.0K Apr  9 22:03 invoiceninja.komodoproject
-rw-r--r--  1 nginx nginx 2.1K Apr  9 22:03 LICENSE
-rw-r--r--  1 nginx nginx  363 Apr  9 22:03 package.json
-rw-r--r--  1 nginx nginx   87 Apr  9 22:03 phpspec.yml
-rw-r--r--  1 nginx nginx  777 Apr  9 22:03 phpunit.xml
drwxr-sr-x  8 nginx nginx 4.0K Apr  9 22:03 public
-rw-r--r--  1 nginx nginx 7.4K Apr  9 22:03 readme.md
drwxr-sr-x  5 nginx nginx 4.0K Apr  9 22:03 resources
-rw-r--r--  1 nginx nginx  560 Apr  9 22:03 server.php
drwxrws---  7 nginx nginx 4.0K Apr 18 05:21 storage
drwxr-sr-x  8 nginx nginx 4.0K Apr  9 22:03 tests
-rw-r--r--  1 nginx nginx 3.6K Apr  9 22:03 .travis.yml
drwxr-sr-x 81 nginx nginx 4.0K Apr 18 05:10 vendor

@centminmod
Owner

hmm seems for now you'd need to disable open_basedir restrictions globally in /usr/local/nginx/conf/php.conf :)

thanks for bringing this to my attention 👍
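
A log check for the symptom reported in this thread, as an added example that is not part of the original posts or of Centmin Mod: it parses php-fpm warnings in the format shown in the first post and counts requests where the open_basedir that was enforced names a different vhost than the requested file. The `/home/nginx/domains/<domain>/` layout is assumed from the issue; the sample lines and their domains are constructed.

```python
import re
from collections import Counter

# Warning format as it appears in the php-fpm log excerpt in this issue.
WARNING = re.compile(
    r"open_basedir restriction in effect\. File\((?P<file>[^)]+)\) "
    r"is not within the allowed path\(s\): \((?P<allowed>[^)]*)\)"
)
# Assumption: every vhost lives under /home/nginx/domains/<domain>/.
DOMAIN = re.compile(r"^/home/nginx/domains/([^/]+)/")

# Constructed sample lines (hypothetical domains), not taken from a real log.
SAMPLE_LOG = """\
[01-Jan-2024 10:00:00 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/app.example.test/site/public/index.php) is not within the allowed path(s): (/home/nginx/domains/shop.example.test/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[01-Jan-2024 10:00:01 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/app.example.test/site/public/index.php) is not within the allowed path(s): (/home/nginx/domains/shop.example.test/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[01-Jan-2024 10:02:00 UTC] PHP Warning:  Unknown: open_basedir restriction in effect. File(/home/nginx/domains/app.example.test/site/public/index.php) is not within the allowed path(s): (/home/nginx/domains/blog.example.test/public/:/usr/local/lib/php/:/tmp/) in Unknown on line 0
[01-Jan-2024 10:03:00 UTC] PHP Warning:  include(): open_basedir restriction in effect. File(/home/nginx/domains/shop.example.test/private/db.php) is not within the allowed path(s): (/home/nginx/domains/shop.example.test/public/:/usr/local/lib/php/:/tmp/) in /home/nginx/domains/shop.example.test/public/index.php on line 3
[01-Jan-2024 10:04:00 UTC] PHP Notice:  Undefined index: id in /home/nginx/domains/blog.example.test/public/index.php on line 9
""".splitlines()


def domain_of(path):
    """Return the vhost directory name a path belongs to, or None."""
    m = DOMAIN.match(path)
    return m.group(1) if m else None


def find_leaks(lines):
    """Count (requested vhost, vhost whose open_basedir was enforced) pairs.

    Only pairs with two different vhosts are counted: those are requests
    that were checked against another site's restriction.
    """
    leaks = Counter()
    for line in lines:
        m = WARNING.search(line)
        target = domain_of(m.group("file")) if m else None
        if target is None:
            continue
        for allowed in m.group("allowed").split(":"):
            owner = domain_of(allowed)
            if owner and owner != target:
                leaks[(target, owner)] += 1
    return leaks


if __name__ == "__main__":
    for (target, owner), n in sorted(find_leaks(SAMPLE_LOG).items()):
        print(f"{n:4d}  {target} was checked against open_basedir of {owner}")
```

A denial where the file and the allowed path belong to the same vhost, like the fourth sample line, is an ordinary open_basedir hit and is not counted.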
