Always match slashes! ProxyPass / "fcgi://127.0.0.1:9000/"
2017-04-13 21:27 GMT+02:00 Frank <thu...@apache.org>: > > > On 13/04/17 02:18 PM, John Iliffe wrote: > >> I'm still trying to figure out what is actually happening here and I >> have a result that is truly confusing now. >> >> I decided to just route everything to php-fpm, mainly to check that it >> is actually active, and I used a file that would have been routed there >> by ProxyPass/ProxyPassMatch anyhow, so I would have expected php-fpm to >> run and give me an html page as output. >> >> Here's what happened: >> >> I set the ProxyPass directive to: >> >> ProxyPass / "fcgi://127.0.0.1:9000" enablereuse=on >> >> and got the response: >> >> Proxy Error >> >> The proxy server received an invalid response from an upstream server. >> The proxy server could not handle the request GET /testfcgi.php >> <http://192.168.1.6/testfcgi.php>. >> >> >> Reason: DNS lookup failure for: 127.0.0.1:9000testfcgi.php >> >> So, we know two things (I thought) - first that php-fpm is actually >> working, and second that we need a / after the socket number to separate >> the php file name. This should have gone to the root directory given in >> the php-fpm configuration, ( chdir=/httpd/iliffe ) not to the DNS, right? >> >> So, I changed the ProxyPass directive >> >> ProxyPass / "fcgi://127.0.0.1:9000/" enablereuse=on >> >> and I get: >> >> File not found. >> >> With the Loglevel set to debug in Apache and all incoming requests being >> proxied to php-fpm, I get: >> >> No input file specified. >> >> from the browser with a log entry of >> >> [Thu Apr 13 13:04:36.552776 2017] [proxy_fcgi:error] [pid 22944:tid >> 139858336442112] [client 192.168.1.10:48876] AH01071: Got error 'Unable >> to open primary script: /httpd/iliffe/testfcgi.php (No such file or >> directory)\n' >> >> I didn't paste all the other entries as they are irrelevant to this >> situation. >> >> BUT: >> >> [root@prod04 John]# ls -al /proc/22943/root/httpd/iliffe/test* >> >> -rw-rw-r--. 1 John John 5740 Apr 12 16:40 >> /proc/22943/root/httpd/iliffe/testfcgi.php >> >> So httpd's path includes the php file that I called. >> >> So, tried php-fpm to see if it couldn't find the proper path: >> >> [root@prod04 John]# ps -ef | grep php >> >> root 22100 1 0 12:16 ? 00:00:00 php-fpm: master process >> (/usr/php-7.1.3/etc/php-fpm.conf) >> >> phpfpm 22101 22100 0 12:16 ? 00:00:00 php-fpm: pool www >> >> phpfpm 22102 22100 0 12:16 ? 00:00:00 php-fpm: pool www >> >> [root@prod04 John]# ls -al /proc/22100/root/httpd/iliffe/test* >> >> -rw-rw-r--. 1 John John 5740 Apr 12 16:40 >> /proc/22100/root/httpd/iliffe/testfcgi.php >> >> So php-fpm can also see the php file. >> >> I have no idea why either php-fpm or httpd, whichever is throwing the >> error, can't find the file. >> >> It seems that this problem is fairly common, for example: >> >> https://serverfault.com/questions/450628/apache-2-4-php-fpm- >> proxypassmatch >> >> But this is from 2013, and they resolved it with rewrite rules. With all >> the web sites on the Internet using Apache I'm sure that there is a >> current solution that actually works! >> >> Has anyone got any ideas? >> >> Thanks, >> >> John >> >> ========================================== >> >> On Thursday 13 April 2017 11:10:47 you wrote: >> >> On Wednesday 12 April 2017 22:24:03 Frank wrote: >>> >> >> > On 12/04/17 08:36 PM, John Iliffe wrote: >>> >> >> > > See below. >>> >> >> > > >>> >> >> > > On Wednesday 12 April 2017 20:02:10 Frank wrote: >>> >> >> > >> On 12/04/17 05:34 PM, John Iliffe wrote: >>> >> >> > >>> I am converting my web pages from mod_php to php-fpm, following >>> >> >> > >>> the directions found at: https://wiki.apache.org/httpd/PHP-FPM >>> >> >> > >>> Testing to date indicates that on this server all scripts work >>> >> >> > >>> properly under mod_php. >>> >> >> > >>> >>> >> >> > >>> Both of the following were tried within a <VirtualHost> container >>> >> >> > >>> for the default virtual host. >>> >> >> > >>> >>> >> >> > >>> If I use the "simple" approach from the Wiki: >>> >> >> > >>> ProxyPass "/*.php/" "fcgi://127.0.0.1:9000" enablereuse=on >>> >> >> > >>> >>> >> >> > >>> then the page SOURCE is displayed, PHP never executes. Adding a >>> >> >> > >>> first line of #! /path-to-php-executable doesn't accomplish >>> >> >> > >>> anything. Neither way leads to any errors showing in the php-fpm >>> >> >> > >>> log. >>> >> >> > >>> >>> >> >> > >>> >>> >> >> > >>> Using the "more flexible" approach: >>> >> >> > >>> >>> >> >> > >>> ProxyPassMatch ^/(.*\.php(/.*)?)$ >>> >> >> > >>> fcgi://127.0.0.1:9000/httpd/iliffe/$1 >>> >> >> > >>> >>> >> >> > >>> enablereuse=on >>> >> >> > >>> >>> >> >> > >>> Gives me a "No Input File Specified" error. This line was cribbed >>> >> >> > >>> from the Wiki example and the path /httpd/iliffe/ is precisely >>> >> >> > >>> where the php script lives, based on the server root and not the >>> >> >> > >>> document root as noted in the Wiki article. >>> >> >> > >>> >>> >> >> > >>> There is no php-fpm error message issued in either case and the >>> >> >> > >>> Apache error entry for the ProxyPassMatch case is: >>> >> >> > >>> >>> >> >> > >>> [Wed Apr 12 16:50:28.688837 2017] [proxy_fcgi:error] [pid >>> >> >> > >>> 13574:tid 140145512003328] [client 192.168.1.10:45240] AH01071: >>> >> >> > >>> Got error 'Unable to open primary script: >>> >> >> > >>> /httpd/iliffe/testfcgi.php (No such file or directory)\n' >>> >> >> > >>> >>> >> >> > >>> I am using mostly the defaults in the php-fpm config and pool >>> >> >> > >>> config files. The default path to the php executable has been >>> >> >> > >>> updated to point to where it really is. >>> >> >> > >>> >>> >> >> > >>> Can anybody see what I might have missed? >>> >> >> > >>> >>> >> >> > >>> Thanks in advance. >>> >> >> > >>> >>> >> >> > >>> John >>> >> >> > >>> ========================================= >>> >> >> > >>> >>> >> >> > >>> ------------------------------------------------------------------ >>> >> >> > >>> -- - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >>> >> >> > >>> For additional commands, e-mail: users-h...@httpd.apache.org >>> >> >> > >> >>> >> >> > >> 1) ProxyPass doesn't use PCRE (the wiki does not use PCRE with >>> >> >> > >> ProxyPass, either). You need to use ProxyPassMatch to parse PCRE. >>> >> >> > > >>> >> >> > > I'm not sure what you are saying here. When I used only ProxyPass >>> >> >> > > using the default configuration in the Wiki, the correct page was >>> >> >> > > displayed, it just didn't execute the PHP script and adding the >>> >> >> > > bang-path didn't change anything. The source code was displayed as >>> >> >> > > the page. >>> >> >> > > >>> >> >> > > While it is possible that the ProxyPath directive didn't match >>> >> >> > > anything and Apache tried to handle the script file as a static >>> >> >> > > page, I have been unable to prove that conjecture. The page IS in >>> >> >> > > Apache's document root for this virtual host, so I suppose that is >>> >> >> > > possible. There is no SetHandler directive to handle the .php >>> >> >> > > extension, and my understanding of the documentation is that one >>> >> >> > > should not be required since Apache is not actually running the >>> >> >> > > script. >>> >> >> > > >>> >> >> > >> 2) /httpd/iliffe/testfcgi.php would need to exist on your >>> >> >> > >> filesystem or php-fpm chroot. The requested URI is literally >>> >> >> > >> appended to the path in the ProxyPassMatch directive. >>> >> >> > > >>> >> >> > > Yes, that's what I had expected to happen. php-fpm does not chroot; >>> >> >> > > the true path /httpd/iliffe/testfcgi.php exists in the file system >>> >> >> > > and is visible to php-fpm, based on the simpler configuration. >>> >> >> > > That's what's so weird, the same path gets completely different >>> >> >> > > results, depending on the way the script is called. In this case >>> >> >> > > the $1 amounts to a null since there is no passed data in the URL. >>> >> >> > > >>> >> >> > > Before you ask, I expect SELinux problems with these files because >>> >> >> > > of the tagging, but at the moment SELinux is in permissive mode. >>> >> >> > > >>> >> >> > > John >>> >> >> > >>> >> >> > ProxyPass *cannot* understand PCRE. ProxyPassMatch *can*. Hence, do >>> >> >> > *not* use PCRE with ProxyPass. That is all. >>> >> >> > >>> >> >> > Step 1) Make sure that mod_proxy_fcgi is loaded. See apachectl -M >>> >> >> >>> >> [root@prod04 John]# /usr/apache-2.4.25/bin/apachectl -M >>> >> >> Loaded Modules: >>> >> >> core_module (static) >>> >> >> so_module (static) >>> >> >> .......whole lot of modules skipped here..... >>> >> >> >>> >> version_module (shared) >>> >> >> proxy_module (shared) >>> >> >> proxy_connect_module (shared) >>> >> >> proxy_ftp_module (shared) >>> >> >> proxy_http_module (shared) >>> >> >> proxy_fcgi_module (shared) <------ >>> >> >> http2_module (shared) >>> >> >> proxy_http2_module (shared) >>> >> >> >>> >> The necesary support modules for mod_proxy_fcgi (mod_proxy and >>> >> >> mod_proxy_http2) are also verified as being loaded. >>> >> >> >>> >> > As for the "Primary Script Unknown" error, it always means that you >>> >> >> > mapped the request to a non-existent resource on the file system / >>> >> >> > chroot. Verify again. >>> >> >> >>> >> Here is the process root info for php-fpm >>> >> >> >>> >> [root@prod04 John]# ps -ef | grep php- >>> >> >> root 15368 1 0 Apr12 ? 00:00:00 php-fpm: master process >>> >> >> (/usr/php-7.1.3/etc/php-fpm.conf) >>> >> >> phpfpm 15369 15368 0 Apr12 ? 00:00:00 php-fpm: pool www >>> >> >> phpfpm 15370 15368 0 Apr12 ? 00:00:00 php-fpm: pool www >>> >> >> >>> >> [root@prod04 John]# ls -al /proc/15368/root >>> >> >> lrwxrwxrwx. 1 root root 0 Apr 13 10:34 /proc/15368/root -> / >>> >> >> >>> >> Here is the directory for the document root and also the absolute path >>> >> >> that was passed to php-fpm >>> >> >> >>> >> [root@prod04 John]# ls -al /httpd/iliffe/t* >>> >> >> -rw-rw-r--. 1 John John 5740 Apr 12 16:40 /httpd/iliffe/testfcgi.php >>> >> >> >>> >> I had already done all of these checks before I asked for help on this >>> >> >> list. The commands used to invoke both ProxyPass and ProxyPassMatch >>> >> >> were cut and pasted from the Wiki. The only change I made was to put >>> >> >> in the correct base directory path. >>> >> >> >>> >> Also, I did verify that the TCP port (9000) for php-fpm was present and >>> >> >> listening: >>> >> >> >>> >> [root@prod04 John]# ss -a -n | grep 9000 >>> >> >> tcp LISTEN 0 128 127.0.0.1:9000 *:* >>> >> >> tcp LISTEN 0 0 127.0.0.1:9000 *:* >>> >> >> >>> >> While I don't think it is necessary, since the TCP port is on the >>> >> >> loopback interface, I also opened port 9000 on the internal firewall: >>> >> >> >>> >> root@prod04 John]# firewall-cmd --list-ports >>> >> >> ----other open ports not shown-------- >>> >> >> 9000/tcp >>> >> >> >>> >> > The various methods listed on the wiki allow httpd to pass the request >>> >> >> > to a fcgi backend, which will process the php file, and return the >>> >> >> > output. You can use the SetHandler approach instead of ProxyPassMatch >>> >> >> > - it's up to you. >>> >> >> > >>> >> >> > --------------------------------------------------------------------- >>> >> >> > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org >>> >> >> > For additional commands, e-mail: users-h...@httpd.apache.org >>> >> >> > John, > > What is the full filesystem path, without the chroot? > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > > -- *Daniel Ferradal* IT Specialist email dferradal at gmail.com linkedin es.linkedin.com/in/danielferradal
