
Change to PHP-FPM #591

Merged
merged 111 commits into from Aug 8, 2018


enoch85 commented Aug 4, 2018

Here is a demo installed with scripts 2018-08-09: https://testcloud.techandme.se
ncadmin
nextcloud

Activated:

#################################################################################

Fixes #588

BEFORE MERGE:

  • Change to master in the curl command to fetch lib.sh
  • Look for lowest_compatible_version in all scripts and add NC_UPDATE=1 in those.
  • Add a warning to all scripts that install mod_php that it will break HTTP/2. Off the top of my head that is:
  • Adminer
  • Security
  • Modsecurity

THINGS TO CONSIDER

  • Do we use mpm_event or mod_prefork?
  • Should we put the <FileHandler> stuff in apache2.conf / php-fpm.conf instead to use it everywhere?
  • Do we need this
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

or is it enough to just load the mods with a2enmod?

  • Change the <FileHandler> statement according to Apache2 docs?
With this approach, you can check for the existence of the resource prior to proxying to the php-fpm backend.

    # Defining a worker will improve performance
    # And in this case, re-use the worker (dependent on support from the fcgi application)
    # If you have enough idle workers, this would only improve the performance marginally
    <Proxy "fcgi://localhost:9000/" enablereuse=on max=10>
    </Proxy>
    <FilesMatch "\.php$">
        <If "-f %{REQUEST_FILENAME}">
            # Pick one of the following approaches
            # Use the standard TCP socket
            #SetHandler "proxy:fcgi://localhost/:9000"
            # If your version of httpd is 2.4.9 or newer (or has the back-ported feature), you can use the unix domain socket
            #SetHandler "proxy:unix:/path/to/app.sock|fcgi://localhost/"
        </If>
    </FilesMatch>

Or a more flexible way:

ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/var/www/$1

Daniel Hansson added some commits Aug 4, 2018

Daniel Hansson added some commits Aug 4, 2018


enoch85 commented Aug 4, 2018

OK, so the first attempt failed with:

* @author Joas Schilling * @author Jörn Friedrich Dreyer * @author Lukas Reschke * @author Morris Jobke * @author Robin Appelman * @author Sergio Bertolín * @author Thomas Müller * @author Vincent Petry * * @license AGPL-3.0 * * This code is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, version 3, * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License, version 3, * along with this program. If not, see * */ require_once __DIR__ . '/lib/versioncheck.php'; try { require_once __DIR__ . '/lib/base.php'; OC::handleRequest(); } catch(\OC\ServiceUnavailableException $ex) { \OC::$server->getLogger()->logException($ex, array('app' => 'index')); //show the user a detailed error page OC_Response::setStatus(OC_Response::STATUS_SERVICE_UNAVAILABLE); OC_Template::printExceptionErrorPage($ex); } catch (\OC\HintException $ex) { OC_Response::setStatus(OC_Response::STATUS_SERVICE_UNAVAILABLE); try { OC_Template::printErrorPage($ex->getMessage(), $ex->getHint()); } catch (Exception $ex2) { \OC::$server->getLogger()->logException($ex, array('app' => 'index')); \OC::$server->getLogger()->logException($ex2, array('app' => 'index')); //show the user a detailed error page OC_Response::setStatus(OC_Response::STATUS_INTERNAL_SERVER_ERROR); OC_Template::printExceptionErrorPage($ex); } } catch (\OC\User\LoginException $ex) { OC_Response::setStatus(OC_Response::STATUS_FORBIDDEN); OC_Template::printErrorPage($ex->getMessage(), $ex->getMessage()); } catch (Exception $ex) { \OC::$server->getLogger()->logException($ex, array('app' => 'index')); //show the user a detailed error page 
OC_Response::setStatus(OC_Response::STATUS_INTERNAL_SERVER_ERROR); OC_Template::printExceptionErrorPage($ex); } catch (Error $ex) { try { \OC::$server->getLogger()->logException($ex, array('app' => 'index')); } catch (Error $e) { $claimedProtocol = strtoupper($_SERVER['SERVER_PROTOCOL']); $validProtocols = [ 'HTTP/1.0', 'HTTP/1.1', 'HTTP/2', ]; $protocol = 'HTTP/1.1'; if(in_array($claimedProtocol, $validProtocols, true)) { $protocol = $claimedProtocol; } header($protocol . ' 500 Internal Server Error'); header('Content-Type: text/plain; charset=utf-8'); print("Internal Server Error\n\n"); print("The server encountered an internal error and was unable to complete your request.\n"); print("Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.\n"); print("More details can be found in the webserver log.\n"); throw $e; } OC_Response::setStatus(OC_Response::STATUS_INTERNAL_SERVER_ERROR); OC_Template::printExceptionErrorPage($ex); } 

This is when the scripts are run and you try to go to the login screen.

Daniel Hansson added some commits Aug 4, 2018


tiagoefreitas commented Aug 8, 2018

I changed some settings in nextcloud (nothing that should create problems), then logged out back in, and now it gives errors opening videos, pdfs and documents.
Documents show "Service Unavailable", PDF gives:

PDF.js v1.9.426 (build: 2558a58d)
Message: Unexpected server response (503) while retrieving PDF


tiagoefreitas commented Aug 8, 2018

Sorry, the issue is that I enabled encryption but it became greyed out saying "No encryption module loaded, please enable an encryption module in the app menu."

So I thought Nextcloud did not enable it until I install a module, but it turns out it just stops working and doesn't let you disable encryption. Terrible UI...


enoch85 commented Aug 8, 2018

  1. That's known. Just waiting for the Ubuntu maintainer to fix the package, it's not a VM error.
PHP Startup: Unable to load dynamic library 'redis.so' (tried: /usr/lib/php/20170718/redis.so (/usr/lib/php/20170718/redis.so: undefined symbol: igbinary_serialize), /usr/lib/php/20170718/redis.so.so (/usr/lib/php/20170718/redis.so.so: cannot open shared object file: No such file or directory)) at Unknown#0
  2. issuetemplate (a lot of them)

That's also known and also a bug in upstream.

  3. Never seen that one before...
file_get_contents(https://XXXX/coauthoring/CommandService.ashx): failed to open stream: HTTP request failed! HTTP/1.1 502 Proxy Error at /var/www/nextcloud/apps/onlyoffice/lib/documentservice.php#351
  4. I activated modsecurity active defense but I can't find any info about it online

It clearly says that you shouldn't activate it if you don't know what you're doing. Can you please try again without activating it and see if you get the same errors?

  5. What is "Set static IP in Ubuntu with netplan.io"?

It's what you think it is, it sets a static IP for your guest system. :)

  6. Terrible UI...

File an issue in the server repo of Nextcloud here on GitHub. :)


tiagoefreitas commented Aug 8, 2018

Oh, I don't think I need to set up a static IP with netplan because the VPS already takes care of that.

OK, I found that active defense is modsecurity SecRuleEngine On.


tiagoefreitas commented Aug 8, 2018

I think you have a bug in modsecurity.sh...I chose yes and it didn't activate it after all, because you made the if the other way around, or am I missing something?

msg_box "WARNING: Do not enable active defence if you don't know what you're doing!
You can monitor tail -f /var/log/apache2/modsec_audit.log"
if [[ "no" == $(ask_yes_or_no "Do you want to enable active defence?") ]]
then
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine on/g' /etc/modsecurity/modsecurity.conf
fi

Also I think SecStatusEngine should be Off by default, or ask..
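The toggle with the condition the right way round, as an added example rather than the project's modsecurity.sh: it only switches SecRuleEngine to On when the answer is "yes", sets SecStatusEngine to Off, and then reads the directives back from the file instead of trusting the sed. It assumes ask_yes_or_no from lib.sh is replaced by a plain parameter, and works on a constructed copy of modsecurity.conf.

```shell
#!/usr/bin/env bash
# Added example, not the project's modsecurity.sh: the active-defence toggle
# with the condition the right way round, applied to a constructed copy of
# modsecurity.conf and verified afterwards instead of trusting the sed.
set -eu

# Print the value of a ModSecurity directive in the given conf file (first
# non-comment occurrence), or "unset" if the directive is absent.
modsec_directive() {
    local conf="$1" name="$2" value
    value=$(sed -nE "s/^[[:space:]]*${name}[[:space:]]+([A-Za-z]+).*/\1/p" "$conf" | head -n 1)
    echo "${value:-unset}"
}

# Set SecRuleEngine to On only when the answer is "yes"; otherwise keep the
# shipped DetectionOnly. SecStatusEngine is always set to Off so the server
# does not report its versions to status.modsecurity.org on every start.
# The $answer parameter stands in for ask_yes_or_no from lib.sh (assumption).
configure_modsecurity() {
    local answer="$1" conf="$2"
    if [ "$answer" = "yes" ]; then
        sed -i -E 's/^([[:space:]]*SecRuleEngine)[[:space:]]+DetectionOnly/\1 On/' "$conf"
    fi
    sed -i -E 's/^([[:space:]]*SecStatusEngine)[[:space:]]+On/\1 Off/' "$conf"
    # Verify the result rather than assuming the substitutions matched.
    [ "$(modsec_directive "$conf" SecStatusEngine)" = "Off" ] || return 1
    if [ "$answer" = "yes" ]; then
        [ "$(modsec_directive "$conf" SecRuleEngine)" = "On" ] || return 1
    fi
    echo "SecRuleEngine=$(modsec_directive "$conf" SecRuleEngine) SecStatusEngine=$(modsec_directive "$conf" SecStatusEngine)"
}

# Constructed sample conf with the two directives in the state this thread
# describes (DetectionOnly, status engine On); not the real Ubuntu file.
make_sample_conf() {
    local conf
    conf=$(mktemp)
    cat >"$conf" <<'EOF'
# -- Rule engine initialization ----------------------------------------------
SecRuleEngine DetectionOnly
# -- Status engine -----------------------------------------------------------
SecStatusEngine On
EOF
    echo "$conf"
}

SAMPLE_CONF=$(make_sample_conf)
configure_modsecurity yes "$SAMPLE_CONF"
```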


enoch85 commented Aug 8, 2018

OK, so just to be sure I tested myself. Enjoy!

https://testcloud.techandme.se/s/oampL35QiorG78e

HTTP/2 enabled by default, I patched that in the install script prior to running it. But - it will not work since it's disabled when you install Adminer and ModSecurity.


tiagoefreitas commented Aug 8, 2018

I don't understand how I chose yes for modsecurity and it didn't enable it, because your if looks wrong, or is it correct after all?
if [[ "no" == $(ask_yes_or_no

should be

if [[ "yes" == $(ask_yes_or_no

??

Daniel Hansson added some commits Aug 8, 2018


enoch85 commented Aug 8, 2018

@tiagoefreitas You're right! Just did a copy and paste ⛔️

Thanks for testing, this is great!

So I fixed some final stuff based on your comments and merged some other PRs into this branch. Should be perfect now. Can you please confirm?


tiagoefreitas commented Aug 8, 2018

I think I'm done with reinstalling from scratch, but I would like to have modsecurity and extra security (spamhaus, evasive, qos) with http2, is it not possible?

I installed all of them before you added the warnings, and http/2 seems to be working.

From here it appears modsecurity works with http2 but needs a config modification:
https://blog.paranoidpenguin.net/2018/01/how-to-enable-http-2-in-apache-2-4-on-gentoo-linux/


tiagoefreitas commented Aug 8, 2018

Forgot to tell you about this error when it finishes installing onlyoffice:

Certs are generated!

Enabling site office.prout-global.org.
To activate the new configuration, you need to run:
systemctl reload apache2
/var/scripts/onlyoffice.sh: line 187: restart_webserver: command not found
Cloning into 'onlyoffice'...


enoch85 commented Aug 8, 2018

but I would like to have modsecurity and extra security (spamhaus, evasive, qos) with http2, is it not possible?

If it's not provided by Ubuntu, then no. We're not building packages here; that's a task for the source maintainers. :) It needs to be stable and easy to maintain for the end-user.

That's one of the reasons I chose to change from Redis installed by PECL to Ubuntu sources. It gives an error output in the logs, but that will hopefully be fixed soon when the maintainer of that package fixes it, or upgrades the version.

I think I'm done with reinstalling from scratch

Life as a maintainer. ;)

and http/2 seems to be working.

OK, please install one app at a time to see which one disables HTTP/2. Then we'll know for sure. If it's Adminer then we can remove the warnings from ModSecurity and Extra-Security.

/var/scripts/onlyoffice.sh: line 187: restart_webserver: command not found

Did you change the curl command at the top of the script? I didn't change all scripts to the php-fpm branch, just the most important. That's why some functions don't exist until we merge to master or change the curl command at the top.


tiagoefreitas commented Aug 8, 2018

I think Adminer disables HTTP/2, will test.

You mean this line in onlyoffice.sh?
NC_UPDATE=1 && OO_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)

I did not change it because I installed as part of the startup script so it should use php-fpm branch all the way. The branch could be a variable so it changes everywhere...

But it seemed to install everything ok...do you know something else that breaks?


enoch85 commented Aug 8, 2018

I think Adminer disables HTTP/2 will test.

Thanks! You need a clean install for that, and then enable Adminer last of them. You don't need SSL or OnlyOffice, just a local machine to check the error.log for Apache.

You mean this line in onlyoffice.sh? NC_UPDATE=1 && OO_INSTALL=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)

Exactly.

I did not change it because I installed as part of the startup script so it should use php-fpm branch all the way. The branch could be a variable so it changes everywhere...

I didn't change all scripts to the php-fpm branch, just the most important.

But it seemed to install everything ok...do you know something else that breaks?

Only the new functions that aren't merged with master yet.


enoch85 commented Aug 8, 2018

Btw, if the only remaining "issue" is which apps break HTTP/2, can we merge this, you think? We already have warnings in place for all three apps, and in the best case we can remove the warning for ModSecurity and Extra Security, so no harm done.

Or do you have something else that is not fixed? My list is cleared.


enoch85 commented Aug 8, 2018

Oh, and also. Check this if you haven't already: https://testcloud.techandme.se/s/oampL35QiorG78e


enoch85 commented Aug 8, 2018

Tested Extra-Security; no error in the Apache log as far as I could see.

no log

Tested ModSecurity:

[Thu Aug 09 01:07:28.270406 2018] [ssl:warn] [pid 3873:tid 139975369522112] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 09 01:07:28.270781 2018] [:notice] [pid 3873:tid 139975369522112] ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/) configured.
[Thu Aug 09 01:07:28.270790 2018] [:notice] [pid 3873:tid 139975369522112] ModSecurity: APR compiled version="1.6.2"; loaded version="1.6.3"
[Thu Aug 09 01:07:28.270794 2018] [:warn] [pid 3873:tid 139975369522112] ModSecurity: Loaded APR do not match with compiled!
[Thu Aug 09 01:07:28.270798 2018] [:notice] [pid 3873:tid 139975369522112] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Thu Aug 09 01:07:28.270802 2018] [:notice] [pid 3873:tid 139975369522112] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Aug 09 01:07:28.270806 2018] [:notice] [pid 3873:tid 139975369522112] ModSecurity: YAJL compiled version="2.1.0"
[Thu Aug 09 01:07:28.270809 2018] [:notice] [pid 3873:tid 139975369522112] ModSecurity: LIBXML compiled version="2.9.4"
[Thu Aug 09 01:07:28.270813 2018] [:notice] [pid 3873:tid 139975369522112] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Thu Aug 09 01:07:28.323343 2018] [ssl:warn] [pid 3891:tid 139975369522112] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 09 01:07:28.325616 2018] [mpm_event:notice] [pid 3891:tid 139975369522112] AH00489: Apache/2.4.34 (Ubuntu) OpenSSL/1.1.0h configured -- resuming normal operations
[Thu Aug 09 01:07:28.325637 2018] [core:notice] [pid 3891:tid 139975369522112] AH00094: Command line: '/usr/sbin/apache2'
[Thu Aug 09 01:07:36.451043 2018] [mpm_event:notice] [pid 3891:tid 139975369522112] AH00491: caught SIGTERM, shutting down
[Thu Aug 09 01:07:36.569467 2018] [ssl:warn] [pid 4084:tid 140225928690624] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 09 01:07:36.569813 2018] [:notice] [pid 4084:tid 140225928690624] ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/) configured.
[Thu Aug 09 01:07:36.569821 2018] [:notice] [pid 4084:tid 140225928690624] ModSecurity: APR compiled version="1.6.2"; loaded version="1.6.3"
[Thu Aug 09 01:07:36.569825 2018] [:warn] [pid 4084:tid 140225928690624] ModSecurity: Loaded APR do not match with compiled!
[Thu Aug 09 01:07:36.569829 2018] [:notice] [pid 4084:tid 140225928690624] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Thu Aug 09 01:07:36.569833 2018] [:notice] [pid 4084:tid 140225928690624] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Aug 09 01:07:36.569836 2018] [:notice] [pid 4084:tid 140225928690624] ModSecurity: YAJL compiled version="2.1.0"
[Thu Aug 09 01:07:36.569839 2018] [:notice] [pid 4084:tid 140225928690624] ModSecurity: LIBXML compiled version="2.9.4"
[Thu Aug 09 01:07:36.569871 2018] [:notice] [pid 4084:tid 140225928690624] ModSecurity: StatusEngine call: "2.9.2,Apache/2.4.34 (Ubuntu),1.6.2/1.6.3,8.39/8.39 2016-06-14,Lua 5.1,2.9.4,a25df2be877c33eb1b122772d228b90f45260558"
[Thu Aug 09 01:07:36.754023 2018] [:notice] [pid 4084:tid 140225928690624] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Thu Aug 09 01:07:36.818371 2018] [ssl:warn] [pid 4098:tid 140225928690624] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 09 01:07:36.821126 2018] [mpm_event:notice] [pid 4098:tid 140225928690624] AH00489: Apache/2.4.34 (Ubuntu) OpenSSL/1.1.0h configured -- resuming normal operations
[Thu Aug 09 01:07:36.821155 2018] [core:notice] [pid 4098:tid 140225928690624] AH00094: Command line: '/usr/sbin/apache2'

Tested Adminer:

[Thu Aug 09 01:10:03.061754 2018] [mpm_event:notice] [pid 4098:tid 140225928690624] AH00491: caught SIGTERM, shutting down
[Thu Aug 09 01:10:03.170700 2018] [ssl:warn] [pid 8774] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 09 01:10:03.171038 2018] [:notice] [pid 8774] ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/) configured.
[Thu Aug 09 01:10:03.171046 2018] [:notice] [pid 8774] ModSecurity: APR compiled version="1.6.2"; loaded version="1.6.3"
[Thu Aug 09 01:10:03.171050 2018] [:warn] [pid 8774] ModSecurity: Loaded APR do not match with compiled!
[Thu Aug 09 01:10:03.171054 2018] [:notice] [pid 8774] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Thu Aug 09 01:10:03.171057 2018] [:notice] [pid 8774] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Aug 09 01:10:03.171060 2018] [:notice] [pid 8774] ModSecurity: YAJL compiled version="2.1.0"
[Thu Aug 09 01:10:03.171064 2018] [:notice] [pid 8774] ModSecurity: LIBXML compiled version="2.9.4"
[Thu Aug 09 01:10:03.171094 2018] [:notice] [pid 8774] ModSecurity: StatusEngine call: "2.9.2,Apache/2.4.34 (Ubuntu),1.6.2/1.6.3,8.39/8.39 2016-06-14,Lua 5.1,2.9.4,a25df2be877c33eb1b122772d228b90f45260558"
[Thu Aug 09 01:10:03.324745 2018] [:notice] [pid 8774] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Thu Aug 09 01:10:03.371860 2018] [ssl:warn] [pid 8795] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Thu Aug 09 01:10:03.371951 2018] [http2:warn] [pid 8795] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Thu Aug 09 01:10:03.375585 2018] [mpm_prefork:notice] [pid 8795] AH00163: Apache/2.4.34 (Ubuntu) OpenSSL/1.1.0h configured -- resuming normal operations
[Thu Aug 09 01:10:03.375604 2018] [core:notice] [pid 8795] AH00094: Command line: '/usr/sbin/apache2'

There it is! I will send a PR and then merge this. Everything is OK.

127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name is just because the cert is self-signed.
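The check the logs above are read by hand for, as an added example that is not part of the nextcloud/vm scripts: it looks only at lines since the last Apache restart, reports which MPM the running instance started with, and flags the mod_http2 warning AH10034 that the Adminer run produced. The sample logs are constructed, shortened from the ones quoted in this comment.

```shell
#!/usr/bin/env bash
# Added example, not part of the nextcloud/vm scripts: read an Apache error log
# and report whether HTTP/2 can be active, using the two signals visible in the
# logs above: the MPM named in the "resuming normal operations" notice and the
# mod_http2 warning AH10034 that appears once mpm_prefork is loaded.
set -eu

# Print only the lines logged since the most recent restart of Apache
# (AH00491 "caught SIGTERM" is the last line of the instance that went away).
lines_since_last_restart() {
    awk '/AH00491: caught SIGTERM/ { buf = ""; next }
         { buf = buf $0 "\n" }
         END { printf "%s", buf }' "$1"
}

# Print the MPM (mpm_event, mpm_worker or mpm_prefork) the running instance
# started with, or "unknown" if no startup notice is present.
apache_mpm_from_log() {
    local mpm
    mpm=$(lines_since_last_restart "$1" \
        | sed -nE 's/.*\[(mpm_[a-z]+):notice\].*resuming normal operations.*/\1/p' \
        | tail -n 1)
    echo "${mpm:-unknown}"
}

# Exit 0 when HTTP/2 is usable, 1 otherwise; the reason is printed either way.
http2_status_from_log() {
    local log="$1" mpm
    if lines_since_last_restart "$log" | grep -q 'AH10034'; then
        echo "inactive: mod_http2 rejected the loaded MPM (AH10034)"
        return 1
    fi
    mpm=$(apache_mpm_from_log "$log")
    case "$mpm" in
        mpm_event|mpm_worker) echo "active: threaded MPM $mpm loaded"; return 0 ;;
        mpm_prefork)          echo "inactive: $mpm loaded"; return 1 ;;
        *)                    echo "unknown: no MPM startup notice found"; return 1 ;;
    esac
}

# Constructed sample logs, shortened from the ones quoted in this thread:
# the first is the ModSecurity run (event MPM), the second the Adminer run.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_EVENT_LOG="$SAMPLE_DIR/modsecurity.log"
SAMPLE_PREFORK_LOG="$SAMPLE_DIR/adminer.log"
cat >"$SAMPLE_EVENT_LOG" <<'EOF'
[Thu Aug 09 01:07:28.325616 2018] [mpm_event:notice] [pid 3891] AH00489: Apache/2.4.34 (Ubuntu) OpenSSL/1.1.0h configured -- resuming normal operations
[Thu Aug 09 01:07:36.451043 2018] [mpm_event:notice] [pid 3891] AH00491: caught SIGTERM, shutting down
[Thu Aug 09 01:07:36.821126 2018] [mpm_event:notice] [pid 4098] AH00489: Apache/2.4.34 (Ubuntu) OpenSSL/1.1.0h configured -- resuming normal operations
EOF
cat >"$SAMPLE_PREFORK_LOG" <<'EOF'
[Thu Aug 09 01:07:36.821126 2018] [mpm_event:notice] [pid 4098] AH00489: Apache/2.4.34 (Ubuntu) OpenSSL/1.1.0h configured -- resuming normal operations
[Thu Aug 09 01:10:03.061754 2018] [mpm_event:notice] [pid 4098] AH00491: caught SIGTERM, shutting down
[Thu Aug 09 01:10:03.371951 2018] [http2:warn] [pid 8795] AH10034: The mpm module (prefork.c) is not supported by mod_http2.
[Thu Aug 09 01:10:03.375585 2018] [mpm_prefork:notice] [pid 8795] AH00163: Apache/2.4.34 (Ubuntu) OpenSSL/1.1.0h configured -- resuming normal operations
EOF

http2_status_from_log "$SAMPLE_EVENT_LOG" || true
http2_status_from_log "$SAMPLE_PREFORK_LOG" || true
```

Run it against /var/log/apache2/error.log after installing each app to see which one switched the MPM.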

Daniel Hansson added some commits Aug 8, 2018


@enoch85 enoch85 merged commit 4acfcaa into master Aug 8, 2018

2 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed

enoch85 commented Aug 8, 2018

@tiagoefreitas Thank you for all the testing! Please continue to test the scripts in the future as well and report back in a separate issue if you find anything.

@shadoxx It's merged now.


tiagoefreitas commented Aug 9, 2018

I will test one more time after merge from master.

So modsecurity is not working with http2?

[mpm_event:notice] [pid 3891:tid 139975369522112] AH00491: caught SIGTERM, shutting down

Will try to get modsecurity to work if it's only configuration; it should not need upstream changes because it's part of apache2 and it's not mentioned anywhere in the docs that it's not compatible.


tiagoefreitas commented Aug 9, 2018

One issue I have is that ncadmin doesn't have permissions to the nextcloud folder or logs folder, shouldn't it?

Also this may be useful to include:
alias occ="sudo -u www-data php /var/www/nextcloud/occ"


enoch85 commented Aug 9, 2018

[mpm_event:notice] [pid 3891:tid 139975369522112] AH00491: caught SIGTERM, shutting down

Yeah, the server rebooted.

alias occ="sudo -u www-data php /var/www/nextcloud/occ"

Hmm, maybe. Please add it here: #617


enoch85 commented Aug 9, 2018

So modsecurity is not working with http2?

It's working :)

@enoch85 enoch85 deleted the php-fpm branch Sep 4, 2018
