Couple of questions

#1 Sat, 12/13/2008 - 08:32
wesleyh

Couple of questions

Hi, just a couple of questions if you don't mind:

(Bear in mind, I'm running the GPL version and I have installed webmin after already setting up my server via yum)

  • What does this mean: "Subdirectory for mailbox user home directories" -- It's set to "homes" but is just an empty dir in all my accounts. The mailbox is in "mail" (configured)

  • In virtualmin I can go to virtual server options > document options and see a list of "directory options" (execute CGI programs, etc). This is set to "default". Where can I edit this default? I don't find this anywhere else.

  • I don't need CGi, so i disabled loadmodule mod_actions in apache (amongst other things), but if I then recheck the virtualmin configuration, it complains about that.

"The Apache module mod_actions is either not installed or not enabled."

Mon, 12/15/2008 - 12:32
ronald

you can setup the gpl version to use suexec and mod_fcgid. instructions are in this forum somewhere.
this is highly secure and will create the folders in /home/user that is the /tmp, /etc folder, and in there the /php folder.

if you really want to run mod_php then you would create those additional folders with files in /etc/skel, it then gets copied into the new servers.

some basic security in the php.ini could be: <div class='quote'>disable_functions = show_source, system, exec, shell_exec, passthru, popen, proc_open, ini_restore, symlink</div>

or if you wanna go wild:
<div class='quote'> Disabled Functions: exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,
ini_alter,dl,popen,popen,pcntl_exec,socket_accept,socket_bind,socket_clear_error,
socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create,
socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen,
socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block,
socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write,
stream_socket_client,stream_socket_server,pfsockopen,stream_set_timeout,disk_total_space,
disk_free_space,chown,diskfreespace,getrusage,get_current_user,set_time_limit,getmyuid,getmypid,dl,
leak,listen,chgrp,link,symlink,dlopen,proc_nice,proc_get_stats,proc_terminate,shell_exec,sh2_exec,
posix_getpwuid,posix_getgrgid,posix_kill,ini_restore,mkfifo,dbmopen,dbase_open,filepro,filepro_rowcount,
posix_mkfifo,putenv,sleep</div>

Tue, 12/16/2008 - 05:43 (Reply to #2)
ronald

you will need to add the virtualmin repo to /etc/yum.repos.d so it can install the package.

Tue, 12/16/2008 - 05:58 (Reply to #3)
ronald

i got a centos box with GPL on it.
in that directory is a file called virtualmin.repo
that file contains this:
<div class='quote'>[virtualmin]
name=Red Hat Enterprise $releasever - $basearch - Virtualmin
baseurl=http://software.virtualmin.com/gpl/rhel/$releasever/$basearch/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1

[virtualmin-universal]
name=Virtualmin Distribution Neutral
baseurl=http://software.virtualmin.com/gpl/universal/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1</div>

Tue, 12/16/2008 - 06:24 (Reply to #4)
ronald

thats the location
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin

the name of the file:
RPM-GPG-KEY-virtualmin

this is whats in it:

Mon, 12/15/2008 - 13:05
Joe

<div class='quote'>What does this mean: "Subdirectory for mailbox user home directories" -- It's set to "homes" but is just an empty dir in all my accounts. The mailbox is in "mail" (configured)</div>

You haven't configured your MDA (mail delivery agent...procmail, the built-in Postfix MDA, whatever) to deliver to Maildir style spools. We recommend Maildir, and that's what our install script sets up for you.

<div class='quote'>In virtualmin I can go to virtual server options > document options and see a list of "directory options" (execute CGI programs, etc). This is set to "default". Where can I edit this default? I don't find this anywhere else.</div>

You can edit everything that goes into the Apache VirtualHost section in Server Templates in the "Apache website" section.

When in doubt, look in Server Templates. Almost all of the flexibility of Virtualmin is tucked into Server Templates somewhere.

<div class='quote'>I don't need CGi, so i disabled loadmodule mod_actions in apache (amongst other things), but if I then recheck the virtualmin configuration, it complains about that.</div>

mod_actions allows CGI-type actions in response to non-CGI looking requests. Virtualmin does so many things that rely on this behavior that it checks for it. In your case, it probably <i>isn't</i> strictly needed, but Virtualmin hasn't really taken into account the "I don't want to run CGI scripts ever under any circumstances" user, since I don't think we've ever met one. ;-)

I believe you'll have to live with mod_actions being in place, or disabling it after the config check each time. It's harmless, if you never use any directives that would invoke it. Presumably you're not giving your users htaccess privileges, anyway, so you'd be the only person capable of triggering its use.

If we run into others who also want to not use <i>any</i> CGI, then I guess we'll think on adding the ability to disable this check. But it's extremely rare these days to have websites without applications of some sort.

<div class='quote'>I read that a tmp dir is supposed to be created for each user upon account creation by virtualmin, but with me that is not the case.</div>

As ronald mentioned, in Virtualmin GPL you have to set this up for yourself. In Virtualmin Professional, we provide mod_fcgid and all of the bits and pieces to make everything work smoothly.

But, you're not running any CGI scripts, how could you possibly make use of per-user /tmp files? (You're asking for two completely opposing capabilities here: no mod_actions, which is required for per-user PHP configurations, along with per-user /tmp files.)

It now becomes apparent that you actually do need mod_actions.

<div class='quote'>Am I supposed to put something in /etc/skel? This is an empty dir on my system. I suppose I also need to add the phpadmin directives in a server template?</div>

Server Templates is where all the magic happens. So, probably so. I don't know what you're trying to do, though.

<div class='quote'>I'm not using phpsuexec or anything like that. Is openbasedir enough protection? (Together with disable_functions en loading of dynamic modules in apache, etc.)</div>

No. Nothing short of suexec makes PHP safe for untrusted users. I'd suggest you setup mod_fcgid and suexec the way I've documented it a couple of times here in the forums. If you can't find it via site search (click "Support" in the bottom menu), let me know and I'll dig it up for you.

<div class='quote'>I want the tmp dir in /tmp/username/ -- is this possible to configure automatically? This dir needs to be created beforehand. </div>

No. Put tmp in /home/domainname/tmp. Makes no sense to put it into system-wide /tmp--everything for users (except databases, for technical reasons) goes into /home/domainname. As ronald mentioned, you can add this to whatever skel directory you have configured for use for virtual servers.

--

Check out the forum guidelines!

Tue, 12/16/2008 - 02:04
wesleyh

Thanks for the detailed replies :)

About mod_action, well, if I run php under mod_php then I don't need any CGI. Its not a contradiction.

About the /tmp dir, I want it in /tmp because I have set that to noexec, nosuid.. If I use open_basedir I can keep everyone in their own folder, for sessions, etc. I don't see what the difference is than having it in your home dir?

Also, if you're using phpsuexec, how much slower does that make php / apache? I'm running webmin on my own personal dedicated server, so all accounts are mine. However, I do want to protect myself for when someone hacks one of my sites, he does not get access to all others.

Why isn't open_basedir enough? (If I disable all CGI, perl etc won't be able to be executed so PHP is the only scripting language that can be used, so open_basedir will always be respected)

Thanks for that list of disable_functions too :)

About that "homes" dir, I do have a maildir for each user, and mail works fine? Is there something I have yet to do?

Tue, 12/16/2008 - 02:12 (Reply to #7)
Joe

<div class='quote'>About mod_action, well, if I run php under mod_php then I don't need any CGI. Its not a contradiction.</div>

I believe it is, if you want per-user tmp dirs, but I'm in no way claiming to be a PHP expert.

<div class='quote'>About the /tmp dir, I want it in /tmp because I have set that to noexec, nosuid.. If I use open_basedir I can keep everyone in their own folder, for sessions, etc. I don't see what the difference is than having it in your home dir?</div>

I have no idea. But, Virtualmin won't create anything in /tmp for you.

<div class='quote'>Also, if you're using phpsuexec, how much slower does that make php / apache?</div>

I don't know. I've never used phpsuexec. We use, and I recommended, mod_fcgid+suexec, which is roughly the same performance as mod_php (faster for some things, slightly slower for most).

<div class='quote'>Why isn't open_basedir enough? (If I disable all CGI, perl etc won't be able to be executed so PHP is the only scripting language that can be used, so open_basedir will always be respected)</div>

I dunno. I've frequently been told by folks who know PHP far better than I do (again, I know very little about PHP) that none of the built-in security features of PHP are sufficient on a system with untrusted users, and that suexec is the best choice. I understand suexec quite well, so I trust it. I don't understand open_basedir, so I don't trust it. If you understand it, and trust it, then I won't argue with you. ;-)

But, don't be intimidated by using suexec and mod_fcgid. They are extremely easy to configure. If you're just trying to avoid it because you think it's hard to setup, don't let that stop you.

<div class='quote'>About that "homes" dir, I do have a maildir for each user, and mail works fine? Is there something I have yet to do?</div>

As I mentioned, if you didn't use our install script, you will have to configure your MDA to deliver to Maildir. It is not the default behavior of procmail or postfix. (I'm assuming you didn't use our automated install script, since it would have setup Maildir for you.)


Tue, 12/16/2008 - 02:14 (Reply to #8)
Joe

Argh. I'm too sleepy for posting. The formatting got messy on that one.. Sorry. (And the forum is still broken for editing posts, so I can't fix it. Oh, well.)


Tue, 12/16/2008 - 04:10
wesleyh

No worries :)

Could you direct me to the article to install fcgid?

I looked at this: http://www.virtualmin.com/forums/blue-skies/take-ownership-of-user-folde... which points to this repo: http://software.virtualmin.com/gpl/centos/5/x86_64/?C=M;O=D

What do I need to download from there?

Be aware that I have previously installed apache, php, etc via standard yum repositories. I did not use the webmin install.sh -- not sure if that's a problem?

Tue, 12/16/2008 - 04:41 (Reply to #10)
andreychek

You can install fcgid by logging in via SSH, and typing:

yum install mod_fcgid

Also, the install.sh normally handles installing the Apache related packages (there's lots of things that the installer normally takes care of :-) -- but you'll want to make sure you have the httpd* and mod_ssl packages from Virtualmin installed as well rather than the standard ones from your distro.
-Eric

Tue, 12/16/2008 - 04:58
wesleyh

yum install mod_fcgid doesn't seem to work. Also tried apache2-mod_fcgid

[root@server ~]# yum install mod_fcgid
Loading "fastestmirror" plugin
Loading mirror speeds from cached hostfile
* base: mirrors.serveraxis.net
* updates: yum.singlehop.com
* addons: mirror.steadfast.net
* extras: mirror.myriadnetwork.com
Setting up Install Process
Parsing package install arguments
No package mod_fcgid available.
Nothing to do

Btw, I installed webmin via RPM, did that not execute the install.sh? I had already yum installed httpd etc beforehand.. But did not know that there was an install.sh

Tue, 12/16/2008 - 12:40 (Reply to #12)
Joe

<div class='quote'>Btw, I installed webmin via RPM, did that not execute the install.sh? I had already yum installed httpd etc beforehand.. But did not know that there was an install.sh</div>

How far along are you in getting things running on your system? If you don't have any Virtualmin virtual hosts setup yet, you probably do want to run install.sh. Manual installation of a full-featured virtual hosting system is extremely intimidating, even for experienced administrators. It's also very time consuming.

If you have already setup virtual hosts and the system is in production, then you'll have to go the manual route.

First step would be installing the virtualmin-release package, so yum can install packages from our repository (you obviously can't install packages from a repository that yum doesn't know about, which is why "yum install mod_fcgid" doesn't work for you!).

The CentOS 5 release package can be installed like this:

http://software.virtualmin.com/gpl/centos/5/i386/virtualmin-release-late...

From there, you can install mod_fcgid, our httpd packages, etc.


Tue, 12/16/2008 - 04:59
wesleyh

This is centos btw.

Tue, 12/16/2008 - 05:48 (Reply to #14)
andreychek

No, the install.sh pulls in Webmin, but not vice-versa. The Webmin RPM is simply the Webmin package -- install.sh installs and configures the entire Virtualmin stack (which happens to include the Webmin package).

It looks like you're missing the Virtualmin yum repository from your config (which install.sh sets up for you :-)

I don't have a CentOS box with Virtualmin handy so I can't offer an example, but you'd either need to setup that yum repository (in /etc/yum.repos.d), or manually download those packages from the Virtualmin repo.

You can download them for now, though ultimately you'd want to have the yum repo setup to ensure you get security updates.
-Eric

Tue, 12/16/2008 - 06:00
wesleyh

I am currently using webmin with virtualmin as a module . i did not know there was an install script at the time because it is not mentioned on webmin.com -- perhaps this should be added? because i would have used that for sure if I had known.

And because i'm running gpl version, can I still use your repos? What is it anyway, can't find it?

If i use the install script now, will it keep my original settings or not?

thanks for all the help you guys are giving to someone who just uses the free version, don't see that much! :)

Tue, 12/16/2008 - 06:03 (Reply to #16)
andreychek

Yeah, running the installer now would be bad :-)

But it's no problem to use the GPL repo as Ronald posted above -- they have a number of packages that'll work just fine on your system.
-Eric

Tue, 12/16/2008 - 13:09 (Reply to #17)
Joe

<div class='quote'>i did not know there was an install script at the time because it is not mentioned on webmin.com -- perhaps this should be added?</div>

It actually is mentioned. Click "Install Script" on the Virtualmin page at Webmin.com. It takes you to http://www.webmin.com/vinstall.html

The Webmin site is getting an overhaul as we speak, though, so there soon won't be a separate Virtualmin page at Webmin.com--it'll simply link to appropriate docs and information at Virtualmin.com.


Tue, 12/16/2008 - 06:02
wesleyh

oh, ok, you've just added the file.

will this mean that all my software will now get updates from virtualmin? eg centos uses older (more stable) apache and php versions, but do you too?

Tue, 12/16/2008 - 06:07
wesleyh

Just tried it, get this error when installing:

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
mod_fcgid x86_64 2.2-1.el5.vm virtualmin 124 k

Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 124 k
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID a0bdbcf9

GPG key retrieval failed: [Errno 5] OSError: [Errno 2] No such file or directory: '/etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin'

Tue, 12/16/2008 - 06:18
wesleyh

oh yeah i notice now that's because of your config file. Can you tell me the location of the gpg key so I can rpm --import it (assuming that is correct)

Tue, 12/16/2008 - 06:24
wesleyh

Never mind, found it, assuming this is it:

http://software.virtualmin.com/lib/RPM-GPG-KEY-virtualmin

just installed fcgid and that worked so now off to see how to configure it :) I'll be back in this thread i'm sure.. :)

Tue, 12/16/2008 - 06:26
wesleyh

Hey, that's weird, I ran rpm --import the http url i posted above, which didn't output anything back so i thought it worked. Then installed the fcgid successfully, but now you posted that file contents i decided to check and it's not even there. No file at all in /etc/pki/rpm-gpg hmm

well i guess it worked, but it's strange. searched elsewhere couldn't find it.
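Added example, not part of the thread and not Virtualmin's own tooling: a repo-file audit that reproduces the "No such file or directory" condition from the error above by checking each section's gpgcheck, gpgkey and baseurl settings. The function names are hypothetical, and the sample file is constructed from the virtualmin.repo content quoted earlier.

```shell
#!/bin/sh
# Write the virtualmin.repo content quoted in the thread into DIR (constructed sample).
make_sample_repo() {
    cat > "$1/virtualmin.repo" <<'EOF'
[virtualmin]
name=Red Hat Enterprise $releasever - $basearch - Virtualmin
baseurl=http://software.virtualmin.com/gpl/rhel/$releasever/$basearch/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1

[virtualmin-universal]
name=Virtualmin Distribution Neutral
baseurl=http://software.virtualmin.com/gpl/universal/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1
EOF
}

# audit_repo FILE [ROOT]
# Prints one "section CODE detail" line per finding. ROOT is prepended to
# file:// key paths so the check can run against a chroot or a test tree.
audit_repo() {
    repo_file=$1
    root=${2:-}
    # awk flattens each [section] to "name|gpgcheck|gpgkey|baseurl".
    awk '
        function emit() { if (sec != "") print sec "|" chk "|" key "|" url }
        /^[ \t]*\[.*\][ \t]*$/ {
            emit(); sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            chk = ""; key = ""; url = ""; next
        }
        /^[ \t]*[#;]/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "gpgcheck") chk = v
            else if (k == "gpgkey") key = v
            else if (k == "baseurl") url = v
        }
        END { emit() }
    ' "$repo_file" |
    while IFS='|' read -r sec chk key url; do
        if [ "$chk" != "1" ]; then
            echo "$sec GPGCHECK_OFF packages from this repo are not verified"
        fi
        case $key in
            file://*)
                path=${key#file://}
                if [ ! -f "$root$path" ]; then
                    echo "$sec KEY_MISSING $path"
                fi ;;
            "")
                if [ "$chk" = "1" ]; then
                    echo "$sec KEY_UNSET gpgcheck=1 but no gpgkey"
                fi ;;
        esac
        case $url in
            http://*)
                echo "$sec PLAIN_HTTP signature check is the only integrity control" ;;
        esac
    done
    return 0
}

# Demo on the constructed sample: the test root is empty, so the key is missing.
demo_dir=$(mktemp -d)
make_sample_repo "$demo_dir"
audit_repo "$demo_dir/virtualmin.repo" "$demo_dir/root"
rm -rf "$demo_dir"
```

`rpm --import` stores the key in the rpm database, where `rpm -q gpg-pubkey` lists it, rather than writing a file under /etc/pki/rpm-gpg, so a successful import and a KEY_MISSING finding can coexist.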

Tue, 12/16/2008 - 06:52
wesleyh

Ok, so i didn't do much.. I disabled loading mod_php in /etc/httpd/conf.d/php.conf

I noticed there was already a fcgid.conf which was setup correctly i don't know if that file was already there or not but i didn't need to change anything.

After restarting apache sites now no longer respond. (continuous loading indicator even minutes later)..

i also checked server templates > apache and couldn't find the default php mode directive (to set fcgid)

Tue, 12/16/2008 - 06:53
wesleyh

This is the error in error_log:

[Tue Dec 16 10:53:34 2008] [notice] child pid 32237 exit signal Segmentation fault (11)

Tue, 12/16/2008 - 06:58
wesleyh

Here is the default fcgid.conf that i have:

# This is the Apache server configuration file for providing FastCGI support
# through mod_fcgid
#
# Documentation is available at http://fastcgi.coremail.cn/doc.htm

LoadModule fcgid_module modules/mod_fcgid.so

# Use FastCGI to process .fcg .fcgi & .fpl scripts
# Don't do this if mod_fastcgi is present, as it will try to do the same thing
<IfModule !mod_fastcgi.c>
AddHandler fcgid-script fcg fcgi fpl
</IfModule>

# Sane place to put sockets and shared memory file
SocketPath run/mod_fcgid
SharememPath run/fcgid_shm

and php.conf

#
# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.
#

#LoadModule php5_module modules/libphp5.so

#
# Cause the PHP interpreter to handle files with a .php extension.
#
AddHandler php5-script .php
AddType text/html .php

#
# Add index.php to the list of files that will be served as directory
# indexes.
#
DirectoryIndex index.php

#
# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#
#AddType application/x-httpd-php-source .phps

Tue, 12/16/2008 - 07:07
wesleyh

I've now added the fcgi-bin directory in the user home dir and added the .fcgi file, also added /etc/php5/php.ini to home dir.. (copy of normal php.ini)

and added the directives to the vhost..

AddHandler fcgid-script .php5
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php

now i seem to get blank pages or source code

Tue, 12/16/2008 - 07:20
wesleyh

ok, in the thread about mod_fcgid there were apparently a couple of errors in the first few posts, i hadn't read the whole thread :) i fixed those now.

Now i get a message "forbidden" on all php pages.

php pages are set as the user.

Tue, 12/16/2008 - 07:24
wesleyh

Now I get blanks again...

<VirtualHost 69.65.xx.xx:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /home/example/public_html
ErrorLog /home/example/logs/error_log
CustomLog /home/example/logs/access_log combined
AddHandler fcgid-script .php
FCGIWrapper /home/example/fcgi-bin/php5.fcgi .php
DirectoryIndex index.php index.html index.htm index.php4 index.php5
#php_admin_value open_basedir /home/example/:/tmp/
<Directory /home/example/public_html>
Options -Indexes IncludesNOEXEC SymLinksIfOwnerMatch
allow from all
AllowOverride All
</Directory>
RemoveHandler .php
</VirtualHost>

Tue, 12/16/2008 - 07:31
wesleyh

ok, i ofcourse had to put those lines in <directory> after i did that we're one step further. now i receive internal server errors but at least it's getting to mod_fcgid

[Tue Dec 16 11:30:13 2008] [notice] mod_fcgid: process /home/example/public_html/index.php(3347) exit(server exited), terminated by calling exit(), return code: 255
[Tue Dec 16 11:30:19 2008] [notice] mod_fcgid: process /home/example/public_html/index.php(3354) exit(communication error), terminated by calling exit(), return code: 255

Tue, 12/16/2008 - 07:33
wesleyh

I also get this:

[Tue Dec 16 11:32:55 2008] [notice] mod_fcgid: call /home/example/public_html/wp-config.php with wrapper /home/example/fcgi-bin/php5.fcgi

which results in 503 service temporarily unavailable.

Tue, 12/16/2008 - 07:44
wesleyh

And also this: [Tue Dec 16 11:43:33 2008] [warn] (104)Connection reset by peer: mod_fcgid: read data from fastcgi server error.
[Tue Dec 16 11:43:33 2008] [error] [client 78.21.x.x] Premature end of script headers: wp-config.php

(this is in the home dir, the others are in /var/log/httpd/error_log)

Tue, 12/16/2008 - 08:08
wesleyh

I've also now updated my other packages; httpd, httpd_devel, mod_ssl to use virtualmin repos as the docroot for suexec was previously var/www, but this is now correctly pointed to /home

however, none of the errors are fixed by doing this (i don't even have suexec enabled yet)

Tue, 12/16/2008 - 08:17
wesleyh

new errors are:

[Tue Dec 16 12:15:43 2008] [warn] (104)Connection reset by peer: mod_fcgid: read data from fastcgi server error.
[Tue Dec 16 12:15:43 2008] [error] [client 78.21.x.x] Premature end of script headers: wp-config.php

Tue, 12/16/2008 - 08:33
wesleyh

And another:

[Tue Dec 16 12:28:41 2008] [warn] mod_fcgid: can't apply process slot for /home/example/public_html/index.php

Tue, 12/16/2008 - 10:08
wesleyh

Do you have any idea what could be wrong?

I have now also enabled suexec:

SuexecUserGroup example example

But now, every .php file i access returns a forbidden error, yet here is my home dir, seems to be set up ok?

drwxr-xr-x 2 example example 4.0K Dec 16 10:32 cgi-bin
drwxr-xr-x 3 example example 4.0K Dec 16 12:18 etc
drwxr-xr-x 2 example example 4.0K Dec 16 11:00 fcgi-bin
drwxr-xr-x 2 example example 4.0K Dec 7 14:42 homes
drwxr-x--- 2 example example 4.0K Dec 14 04:02 logs
drwx------ 6 example example 4.0K Dec 15 11:18 mail
drwxr-x--- 5 example example 4.0K Dec 16 10:38 public_html

Also, these are some errors from suexec.log:

[2008-12-16 13:22:45]: uid: (501/example) gid: (502/502) cmd: php5.fcgi
[2008-12-16 13:22:45]: file has no execute permission: (/home/example/fcgi-bin/php5.fcgi)

But these are old, I no longer get these errors.. i did not add +x to the php5.fcgi, do i need to add this?

Tue, 12/16/2008 - 12:48 (Reply to #36)
Joe

<div class='quote'>i did not add +x to the php5.fcgi, do i need to add this?</div>

Of course. You want it to execute, don't you? ;-)

Also check to be sure the PHP paths in your php5.fcgi wrapper are correct for your system. The php-cgi binary is often called by different names on different distros. On CentOS, it's just "php" I think, though maybe it's also callable as php-cgi. I dunno. Obviously if you have the path wrong, it will not work.


Tue, 12/16/2008 - 13:25
wesleyh

I already installed httpd, mod_fcgid, mod_ssl, httpd_devel from your release packages. I've added the +x to the fcgi file but I'm still getting the 403 forbidden error... (suexec i assume)

About reinstalling it, will that overwrite all config files? e.g. also for dovecot, etc? Really wish there was some kind of config check instead

Tue, 12/16/2008 - 13:45 (Reply to #38)
Joe

<div class='quote'>About reinstalling it, will that overwrite all config files?</div>

It will modify many config files. And, since this is a GPL installation, it won't fix this particular problem (because mod_fcgid support is not part of GPL...it is being done outside of the control of Virtualmin, in this case).

What's in your suexec_log when you make a request? And the error_log (both the system-wide one in /var/log/httpd and the one for the virtual server in /home/domainname/logs)?

Is suexec pointing to the right place for the docroot? You can make sure with:

/usr/sbin/suexec -V

It should have AP_DOC_ROOT set to "/home". Since you've installed our httpd package, this should be true...but just to make sure.


Tue, 12/16/2008 - 23:15
wesleyh

Yes, suexec is configured correctly:

-D AP_DOC_ROOT="/home"
-D AP_GID_MIN=100
-D AP_HTTPD_USER="apache"
-D AP_LOG_EXEC="/var/log/httpd/suexec.log"
-D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX="public_html"

I haven't had any new entries in /var/log/httpd/error_log or /var/log/httpd/suexec.log or /home/example/logs/error_log since yesterday, only thing is in the access_log where it just says that status code 403 was returned.

78.21.xx.xx - - [17/Dec/2008:03:13:37 -0600] "GET / HTTP/1.1" 403 182 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_5; nl-nl) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1"

Tue, 12/16/2008 - 23:32
wesleyh

Even with suexec disabled, i still get the forbidden errors..

Do i need to change my permissions for suexec? They are currently: -rw-r--r-- 1

Wed, 12/17/2008 - 00:59
wesleyh

I think I have it working now, lets see...

Wed, 12/17/2008 - 01:27
wesleyh

Ok its "working now". PHP executes, etc..

But I'm trying to do the same ab command I did successfully with mod_php:

ab -n 10000 -c 100 http://www.example.com/
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/

Benchmarking www.example.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
apr_poll: The timeout specified has expired (70007)
Total of 7422 requests completed

And it times out.. ?

Then I get a bunch of emails from LFD

Onderwerp: lfd on server.example.com: Excessive processes running under user example

Time: Wed Dec 17 05:08:48 2008 -0600
Account: example
Process Count: 61 (Not killed)

Process Information:

User:example PID:4515 Run Time:51(secs) Memory:181096(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi
User:example PID:4516 Run Time:51(secs) Memory:181096(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi
User:example PID:4517 Run Time:51(secs) Memory:181084(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi
User:example PID:4518 Run Time:51(secs) Memory:181092(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi
User:example PID:4523 Run Time:50(secs) Memory:181084(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi
User:example PID:4524 Run Time:50(secs) Memory:181096(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi
User:example PID:4525 Run Time:50(secs) Memory:181092(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi
User:example PID:4526 Run Time:50(secs) Memory:181084(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi
User:example PID:4527 Run Time:50(secs) Memory:181084(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi
User:example PID:4528 Run Time:50(secs) Memory:181088(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi
User:example PID:4540 Run Time:50(secs) Memory:181092(kb) exe:/usr/bin/php-cgi cmd:/usr/bin/php-cgi

(and about 50 more such lines)

Also a ton of these emails:

Onderwerp: lfd on server.example.com: Excessive resource usage: example (8269)

Time: Wed Dec 17 05:09:58 2008 -0600
Account: example
Resource: Virtual Memory Size
Exceeded: 176 > 100 (MB)
Executable: /usr/bin/php-cgi
Command Line: /usr/bin/php-cgi
PID: 8269
Killed: No

So what's going on here? Any ideas? I knew fastcgi would use more memory.. but this?

Wed, 12/17/2008 - 04:19
wesleyh

Also, suexec is set up correctly, yet it still allows a file that I created as root "test.php"?
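Added example, not part of the thread and not Apache or Virtualmin code: a pre-flight check modelled on the conditions suexec documents for the program it runs (inside the docroot, owned by the target user and group, not writable by group or others, not setuid/setgid, executable), fed with the AP_DOC_ROOT, AP_UID_MIN and AP_GID_MIN values and the uid/gid shown in the posts above. `check_wrapper` is a hypothetical name, GNU `stat -c` is assumed, and the sample tree and wrapper body are constructed.

```shell
#!/bin/sh
# check_wrapper WRAPPER DOCROOT TARGET_UID TARGET_GID UID_MIN GID_MIN
# Prints one "CODE detail" line per rule the wrapper would fail.
check_wrapper() {
    wrapper=$1; docroot=$2; t_uid=$3; t_gid=$4; uid_min=$5; gid_min=$6

    # suexec refuses low-numbered (system) accounts outright.
    if [ "$t_uid" -lt "$uid_min" ]; then echo "UID_TOO_LOW $t_uid < $uid_min"; fi
    if [ "$t_gid" -lt "$gid_min" ]; then echo "GID_TOO_LOW $t_gid < $gid_min"; fi

    if [ ! -f "$wrapper" ]; then
        echo "NOT_FOUND $wrapper"
        return 0
    fi
    if ! root=$(cd "$docroot" 2>/dev/null && pwd -P); then
        echo "DOCROOT_MISSING $docroot"
        return 0
    fi

    # Resolve symlinks before testing containment in the docroot.
    dir=$(cd "$(dirname "$wrapper")" && pwd -P)
    case "$dir/" in
        "$root/"*) ;;
        *) echo "OUTSIDE_DOCROOT $dir is not under $root" ;;
    esac

    # The same ownership and write-bit rules apply to the directory and the file.
    for path in "$dir" "$wrapper"; do
        o_uid=$(stat -c %u "$path")
        o_gid=$(stat -c %g "$path")
        mode=$(stat -c %a "$path")      # octal digits, e.g. 755
        bits=$((0$mode))                # leading 0 makes the shell read it as octal
        if [ "$o_uid" != "$t_uid" ] || [ "$o_gid" != "$t_gid" ]; then
            echo "OWNER_MISMATCH $path is $o_uid:$o_gid, target is $t_uid:$t_gid"
        fi
        if [ $((bits & 0022)) -ne 0 ]; then
            echo "WRITABLE_BY_OTHERS $path"
        fi
    done

    # $bits now holds the wrapper's mode (last loop iteration).
    if [ $((bits & 06000)) -ne 0 ]; then echo "SETID $wrapper"; fi
    if [ $((bits & 0100)) -eq 0 ]; then echo "NOT_EXECUTABLE $wrapper"; fi
    return 0
}

# Demo on a constructed tree: a wrapper created without +x, as in the thread.
# 501/502 and 500/100 are the uid/gid and minimums shown in the posts above.
demo=$(mktemp -d)
mkdir -p "$demo/home/example/fcgi-bin"
printf '#!/bin/sh\nexec /usr/bin/php-cgi\n' > "$demo/home/example/fcgi-bin/php5.fcgi"
chmod 644 "$demo/home/example/fcgi-bin/php5.fcgi"
check_wrapper "$demo/home/example/fcgi-bin/php5.fcgi" "$demo/home" 501 502 500 100
rm -rf "$demo"
```

suexec applies these checks to the program it is asked to execute, here the php5.fcgi wrapper; the .php files are then read by php-cgi running as the target user, so their ownership is not among the conditions tested.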

Wed, 12/17/2008 - 05:34
wesleyh

If I remove the PHP_FCGI_CHILDREN directive I no longer get these timeouts, but there is still something going on with this:

[root@server ~]# ab -n 10000 -c 100 http://www.example.com/
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Copyright 2006 The Apache Software Foundation, http://www.apache.org/

Benchmarking www.example.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Finished 10000 requests

Server Software: Apache
Server Hostname: www.example.com
Server Port: 80

Document Path: /
Document Length: 6724 bytes

Concurrency Level: 100
Time taken for tests: 51.277226 seconds
Complete requests: 10000
Failed requests: 20
(Connect: 0, Length: 20, Exceptions: 0)
Write errors: 0
Non-2xx responses: 20
Total transferred: 69465480 bytes
HTML transferred: 67116200 bytes
Requests per second: 195.02 [#/sec] (mean)
Time per request: 512.772 [ms] (mean)
Time per request: 5.128 [ms] (mean, across all concurrent requests)
Transfer rate: 1322.95 [Kbytes/sec] received

Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.4 0 7
Processing: 0 489 4464.7 0 51032
Waiting: 0 489 4464.7 0 51032
Total: 0 489 4464.7 0 51032

Percentage of the requests served within a certain time (ms)
50% 0
66% 0
75% 17
80% 18
90% 32
95% 37
98% 67
99% 13000
100% 51032 (longest request)

---

See 99 and 100%, why are those taking so long in comparison to the rest?

Wed, 12/17/2008 - 05:50
wesleyh

I spoke too soon, i still get timeouts every few times. Perhaps because I added MaxRequestsPerProcess 500 to my fcgid.conf .. (recommended for php)

Wed, 12/17/2008 - 05:57
wesleyh

Is it normal that this stuff is so high and so much during an ab test:

Real memory: 3.86 GB total / 1.70 GB free Swap space: 8 GB total / 7.98 GB free

18024 apache <b>866880</b> kB /usr/sbin/httpd.worker
17872 apache 801488 kB /usr/sbin/httpd.worker
17838 apache 801340 kB /usr/sbin/httpd.worker
2669 mysql 419436 kB /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-f ...
18166 apache 409768 kB /usr/sbin/httpd.worker
18164 apache 409756 kB /usr/sbin/httpd.worker
3141 root 240748 kB /usr/bin/python -tt /usr/sbin/yum-updatesd
7528 example 223900 kB /usr/bin/php-cgi
7520 example 223068 kB /usr/bin/php-cgi
8203 example 215388 kB /usr/bin/php-cgi
8653 example 215388 kB /usr/bin/php-cgi
9550 example 215388 kB /usr/bin/php-cgi
10357 example 215388 kB /usr/bin/php-cgi
10446 example 215388 kB /usr/bin/php-cgi
10895 example 215388 kB /usr/bin/php-cgi
11078 example 215388 kB /usr/bin/php-cgi
11440 example 215388 kB /usr/bin/php-cgi
11702 example 215388 kB /usr/bin/php-cgi
11956 example 215388 kB /usr/bin/php-cgi
12743 example 215388 kB /usr/bin/php-cgi
13009 example 215388 kB /usr/bin/php-cgi
13532 example 215388 kB /usr/bin/php-cgi
13928 example 215388 kB /usr/bin/php-cgi
14436 example 215388 kB /usr/bin/php-cgi
8296 example 215384 kB /usr/bin/php-cgi
8566 example 215384 kB /usr/bin/php-cgi
8739 example 215384 kB /usr/bin/php-cgi
9730 example 215384 kB /usr/bin/php-cgi
10990 example 215384 kB /usr/bin/php-cgi
11746 example 215384 kB /usr/bin/php-cgi
11831 example 215384 kB /usr/bin/php-cgi
12219 example 215384 kB /usr/bin/php-cgi
13100 example 215384 kB /usr/bin/php-cgi
13187 example 215384 kB /usr/bin/php-cgi
13449 example 215384 kB /usr/bin/php-cgi
14095 example 215384 kB /usr/bin/php-cgi
15038 example 215384 kB /usr/bin/php-cgi
15380 example 215384 kB /usr/bin/php-cgi
7684 example 215380 kB /usr/bin/php-cgi
7686 example 215380 kB /usr/bin/php-cgi
7795 example 215380 kB /usr/bin/php-cgi
9188 example 215380 kB /usr/bin/php-cgi
9818 example 215380 kB /usr/bin/php-cgi
9993 example 215380 kB /usr/bin/php-cgi
10626 example 215380 kB /usr/bin/php-cgi
10709 example 215380 kB /usr/bin/php-cgi
11350 example 215380 kB /usr/bin/php-cgi
12306 example 215380 kB /usr/bin/php-cgi
12656 example 215380 kB /usr/bin/php-cgi
13204 example 215380 kB /usr/bin/php-cgi
13838 example 215380 kB /usr/bin/php-cgi
14011 example 215380 kB /usr/bin/php-cgi
14525 example 215380 kB /usr/bin/php-cgi
14859 example 215380 kB /usr/bin/php-cgi
15036 example 215380 kB /usr/bin/php-cgi
15296 example 215380 kB /usr/bin/php-cgi
12044 example 215376 kB /usr/bin/php-cgi
13360 example 215376 kB /usr/bin/php-cgi
7687 example 215264 kB /usr/bin/php-cgi
7690 example 215264 kB /usr/bin/php-cgi
8162 example 215264 kB /usr/bin/php-cgi
9006 example 215264 kB /usr/bin/php-cgi
9371 example 215264 kB /usr/bin/php-cgi
9462 example 215264 kB /usr/bin/php-cgi
10084 example 215264 kB /usr/bin/php-cgi
11612 example 215264 kB /usr/bin/php-cgi
12389 example 215264 kB /usr/bin/php-cgi
12831 example 215264 kB /usr/bin/php-cgi
12920 example 215264 kB /usr/bin/php-cgi
13667 example 215264 kB /usr/bin/php-cgi
14246 example 215264 kB /usr/bin/php-cgi
7691 example 215260 kB /usr/bin/php-cgi
7692 example 215260 kB /usr/bin/php-cgi
7694 example 215260 kB /usr/bin/php-cgi
8833 example 215260 kB /usr/bin/php-cgi
10267 example 215260 kB /usr/bin/php-cgi
11265 example 215260 kB /usr/bin/php-cgi
14260 example 215260 kB /usr/bin/php-cgi
14703 example 215260 kB /usr/bin/php-cgi
15129 example 215260 kB /usr/bin/php-cgi
7685 example 215256 kB /usr/bin/php-cgi
7693 example 215256 kB /usr/bin/php-cgi
7981 example 215256 kB /usr/bin/php-cgi
8070 example 215256 kB /usr/bin/php-cgi
8474 example 215256 kB /usr/bin/php-cgi
8920 example 215256 kB /usr/bin/php-cgi
9098 example 215256 kB /usr/bin/php-cgi
9277 example 215256 kB /usr/bin/php-cgi
10171 example 215256 kB /usr/bin/php-cgi
12484 example 215256 kB /usr/bin/php-cgi
12514 example 215256 kB /usr/bin/php-cgi
13755 example 215256 kB /usr/bin/php-cgi
14349 example 215256 kB /usr/bin/php-cgi
14611 example 215256 kB /usr/bin/php-cgi
14946 example 215256 kB /usr/bin/php-cgi
7688 example 215252 kB /usr/bin/php-cgi
7888 example 215252 kB /usr/bin/php-cgi
8386 example 215252 kB /usr/bin/php-cgi
9640 example 215252 kB /usr/bin/php-cgi
9907 example 215252 kB /usr/bin/php-cgi
10532 example 215252 kB /usr/bin/php-cgi
10806 example 215252 kB /usr/bin/php-cgi
11173 example 215252 kB /usr/bin/php-cgi
11526 example 215252 kB /usr/bin/php-cgi
12134 example 215252 kB /usr/bin/php-cgi
13547 example 215252 kB /usr/bin/php-cgi
15467 example 215252 kB /usr/bin/php-cgi
6842 apache 128268 kB /usr/sbin/httpd.worker
5778 root 128232 kB /usr/sbin/httpd.worker <-- is this normal ?

Wed, 12/17/2008 - 06:36
wesleyh

After checking the error log and using ab, these are the errors I found:

in /home/example/logs/error_log

[Wed Dec 17 10:29:57 2008] [warn] (104)Connection reset by peer: mod_fcgid: read data from fastcgi server error.
[Wed Dec 17 10:29:57 2008] [error] [client 69.65.x.x] Premature end of script headers: index.php

(multiple times)

in /var/log/httpd/error_log

[Wed Dec 17 10:30:01 2008] [notice] mod_fcgid: call /home/example/public_html/index.php with wrapper /home/example/fcgi-bin/php5.fcgi
[Wed Dec 17 10:30:10 2008] [notice] mod_fcgid: process /home/example/public_html/index.php(7693) exit(normal exit), terminated by calling exit(), return code: 0

(multiple times)

[Wed Dec 17 10:30:10 2008] [warn] mod_fcgid: cleanup zombie process 7693

Wed, 12/17/2008 - 12:52 (Reply to #48)
Joe

I dunno. ;-)

I'm, by no means, an expert on PHP and performance. I do know that response time under mod_fcgid is similar to mod_php, both in benchmarks in the wild, and my own testing. I kind of expect resource usage to be higher under extremely high load (as your testing indicates). There may be more useful tuning to be done, though, since I have seen benchmarks showing mod_fcgid performing better than mod_php.

A few things I can mention that may be useful:

Memory usage in this circumstance is far lower than you think. Shared memory accounts for a large percentage of all used memory--these processes are all nearly identical, and only the data space is "new" between each one, so probably 32k or 64k (depending on your memory limit setting in php.ini) and some extra overhead, is all that sets each of these processes apart.

> 5778 root 128232 kB /usr/sbin/httpd.worker <-- is this normal ?

Is what normal?

I don't see anything *ab*normal about it, so I guess it's normal. ;-)

Are you asking about the root owned process? Yes. That's the parent, and it spawns children owned by apache (which then uses suexec to spawn children). Apache starts as root so it can bind to port 80.

One thing I will point out is that you seem to have mod_php loaded *while* testing mod_fcgid, which is giving mod_php a huge advantage. mod_php is part of your apache process, no matter what, if you're loading it...so it's ballooning your Apache up by a large amount, whether you use it or not. Our Apache here at Virtualmin.com, for example, is only 22.5MB, while yours is 128MB. We don't run mod_php (all of our sites run under mod_fcgid and suexec...we eat our own dogfood). Even that could be made smaller. I believe a completely minimized Apache is about 8MB (though I'm not necessarily recommending going crazy with that--but if performance and resource usage is critical, it might be necessary to consider what you can take out).

Oh, I just noticed you're using the worker MPM. This is bad news with PHP. Switch to prefork, per the PHP docs:

http://www.php.net/manual/en/install.unix.apache2.php

This may also contribute to the weirdness you're seeing with failed requests and/or zombies. I dunno. I have no idea what the impact of using a threaded Apache with PHP is. I just know it's a no no, according to the PHP people.

--

Check out the forum guidelines!
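The shared-versus-private point in the reply above can be checked from `/proc/<pid>/smaps`. The following is an added example, not code from the thread or from Virtualmin: the smaps excerpts are constructed, and `summarize` and `pool_footprint` are hypothetical helper names.

```python
import re
from collections import Counter

FIELD = re.compile(
    r"^(Rss|Pss|Shared_Clean|Shared_Dirty|Private_Clean|Private_Dirty):\s+(\d+) kB$", re.M)

# Constructed smaps excerpt (kB): the php-cgi text mapping is shared by both
# workers, the heap is private. Real files have many more mappings and fields.
TEMPLATE = """\
00400000-00a00000 r-xp 00000000 08:01 1234 /usr/bin/php-cgi
Rss:                5000 kB
Pss:                2500 kB
Shared_Clean:       5000 kB
Private_Dirty:         0 kB
01000000-01400000 rw-p 00000000 00:00 0 [heap]
Rss:            {heap:>8} kB
Pss:            {heap:>8} kB
Shared_Clean:          0 kB
Private_Dirty:  {heap:>8} kB
"""
SAMPLE = {7528: TEMPLATE.format(heap=3000), 7520: TEMPLATE.format(heap=2000)}


def summarize(smaps_text):
    """Sum the per-mapping counters of one process; all values are kB."""
    totals = Counter()
    for name, kb in FIELD.findall(smaps_text):
        totals[name] += int(kb)
    private = totals["Private_Clean"] + totals["Private_Dirty"]
    shared = totals["Shared_Clean"] + totals["Shared_Dirty"]
    # Pss exists only on Linux 2.6.25 and later; older kernels give just the split.
    pss = totals["Pss"] if "Pss" in totals else None
    return {"rss": totals["Rss"], "pss": pss, "private": private, "shared": shared}


def pool_footprint(smaps_by_pid):
    """Compare the naive sum of RSS with an estimate of what the pool occupies."""
    rows = [summarize(text) for text in smaps_by_pid.values()]
    naive = sum(r["rss"] for r in rows)
    if all(r["pss"] is not None for r in rows):
        real = sum(r["pss"] for r in rows)
    else:  # approximation without Pss: private pages plus shared pages counted once
        real = sum(r["private"] for r in rows) + max(r["shared"] for r in rows)
    return {"naive_rss_sum": naive, "estimated_real": real}


if __name__ == "__main__":
    print(pool_footprint(SAMPLE))
```

On a live Linux host, build the input as `{pid: open(f"/proc/{pid}/smaps").read() for pid in pids}`, run as the pool's owner or root.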

Wed, 12/17/2008 - 12:56 (Reply to #49)
Joe

Actually, scratch that last one. Running in a FastCGI configuration means a threaded model for the parent Apache works fine.


Wed, 12/17/2008 - 21:13
wesleyh

Well, I don't have mod_php loaded, in fact I already trimmed the fat a lot. Here's the modules that are loaded:

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule mime_module modules/mod_mime.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule dir_module modules/mod_dir.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule version_module modules/mod_version.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule logio_module modules/mod_logio.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule actions_module modules/mod_actions.so
LoadModule env_module modules/mod_env.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule fcgid_module modules/mod_fcgid.so