Proposal to change the presentation in the interface + bug fixes #5

Open
quenenni opened this issue May 20, 2019 · 1 comment


@quenenni

Some improvements, bug fixes and a proposal to change how the fpm options are presented in the AlternC interface.

The proposed changes related to the AlternC interface are here: AlternC/AlternC#351

On the alternc-php-fpm package side:

  1. I added the http, https and both variants to each apache2 template, for the case where alternc-certbot is used.
    Example for php7.0-fpm
  • php70-fpm-http.conf
```apache
# %%fqdn%%
<Virtualhost *:443>
  ServerName %%fqdn%%
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
  KeepAlive Off

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine On
  RewriteCond %{REQUEST_FILENAME} !/cgi-bin/
  RewriteCond %{REQUEST_FILENAME} !/.well-known/acme-challenge/
  RewriteRule ^/(.*)$ http://%%fqdn%%/$1 [R=301,L]

  SSLEngine On
  SSLCertificateFile %%CRT%%
  SSLCertificateKeyFile %%KEY%%
  %%CHAINLINE%%

</Virtualhost>
<VirtualHost *:80>
  ServerName %%fqdn%%
  DocumentRoot "%%document_root%%"
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine on
  RewriteCond %{QUERY_STRING} (%2d|-)d.*auto_prepend  [NC]
  RewriteRule .? - [F,L]

  <Directory "%%document_root%%">
    require all granted
    Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Options Indexes
    php_admin_flag engine off
  </Directory>
</VirtualHost>
```
  • php70-fpm-https.conf
```apache
# %%fqdn%%
<Virtualhost *:80>
  ServerName %%fqdn%%
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
  KeepAlive Off

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine On
  RewriteCond %{REQUEST_FILENAME} !/cgi-bin/
  RewriteCond %{REQUEST_FILENAME} !/.well-known/acme-challenge/
  RewriteRule ^/(.*)$ https://%%fqdn%%/$1 [R=301,L]

</Virtualhost>
<VirtualHost *:443>
  ServerName %%fqdn%%
  DocumentRoot "%%document_root%%"
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine on
  RewriteCond %{QUERY_STRING} (%2d|-)d.*auto_prepend  [NC]
  RewriteRule .? - [F,L]

  <Directory "%%document_root%%">
    require all granted
    Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Options Indexes
    php_admin_flag engine off
  </Directory>

  SSLEngine On
  SSLCertificateFile %%CRT%%
  SSLCertificateKeyFile %%KEY%%
  %%CHAINLINE%%

</VirtualHost>
```
  • php70-fpm-both.conf
```apache
# %%fqdn%%
<VirtualHost *:80>
  ServerName %%fqdn%%
  DocumentRoot "%%document_root%%"
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine on
  RewriteCond %{QUERY_STRING} (%2d|-)d.*auto_prepend  [NC]
  RewriteRule .? - [F,L]

  <Directory "%%document_root%%">
    require all granted
    Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Options Indexes
    php_admin_flag engine off
  </Directory>
</VirtualHost>
<VirtualHost *:443>
  ServerName %%fqdn%%
  DocumentRoot "%%document_root%%"
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine on
  RewriteCond %{QUERY_STRING} (%2d|-)d.*auto_prepend  [NC]
  RewriteRule .? - [F,L]

  <Directory "%%document_root%%">
    require all granted
    Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Options Indexes
    php_admin_flag engine off
  </Directory>

  SSLEngine On
  SSLCertificateFile %%CRT%%
  SSLCertificateKeyFile %%KEY%%
  %%CHAINLINE%%

</VirtualHost>
```
  2. Modified the existing apache2 templates (example for fpm-7.0)
```apache
# %%fqdn%%
<VirtualHost *:80>
  ServerName %%fqdn%%
  DocumentRoot "%%document_root%%"
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    
  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine on
  RewriteCond %{QUERY_STRING} (%2d|-)d.*auto_prepend  [NC]
  RewriteRule .? - [F,L]

  <Directory "%%document_root%%">
    require all granted
    Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Options Indexes
    php_admin_flag engine off
  </Directory>
</VirtualHost>
```
  • removed options that are already set in the fpm pool config
  3. Modified the fpm templates (example for fpm-7.0)
```ini
[%%LOGIN%%]
user = %%LOGIN%%
group = %%LOGIN%%
listen = /run/php/php7.0-%%LOGIN%%.sock
listen.owner = %%LOGIN%%
listen.group = %%LOGIN%%
pm = ondemand
pm.max_children = 10
pm.process_idle_timeout = 60s
pm.max_requests = 1000
catch_workers_output = yes
php_admin_value[open_basedir] = "%%account_root%%"
php_admin_value[upload_tmp_dir] = %%account_root%%/tmp
env[TMP] = %%account_root%%/tmp
env[TMPDIR] = %%account_root%%/tmp
env[TEMP] = %%account_root%%/tmp
php_admin_value[sys_temp_dir] = %%account_root%%/tmp
php_admin_value[sendmail_path] = '/usr/lib/alternc/sendmail "%%mail_account%%" '
php_admin_flag[mail.add_x_header] = on
```
  4. Permission problem on the /var/run/php directory.
    The sockets must be reachable by every alternc user.
    0750 on that directory does not allow this.

I changed the permissions to 0755.
There may be a better approach. Security-wise, doing it this way may not be good.

  5. php7-fpm script called by cron:
```php
// For each (login, php version) row from the database, render the fpm pool
// template with the per-user values it needs
while ($db->next_record()) {
    // "php70" -> "7.0"
    $version=substr($db->f("type"),3,1).".".substr($db->f("type"),4,1);
    $user=$db->f("login");
    $allpools[$version][]=$user;
    if ($force || !is_file("/etc/php/".$version."/fpm/pool.d/".$user.".alternc.conf")) {
        myecho("Creating php $version fpm pool for user $user");
        $content=file_get_contents("/etc/alternc/templates/php/fpm-".$version);
        $content=str_replace("%%LOGIN%%",$user,$content);

        // account root: <ALTERNC_HTML>/<first letter of login>/<login>
        $account_root=ALTERNC_HTML . substr($user, 0, 1) . "/" . $user;
        $content=str_replace("%%account_root%%",$account_root,$content);

        // sender address used by the sendmail wrapper in the pool config
        $mail_account=$user."@".$L_FQDN;
        $content=str_replace("%%mail_account%%",$mail_account,$content);

        file_put_contents("/etc/php/".$version."/fpm/pool.d/".$user.".alternc.conf",$content);

        $reload[$version]=$version;
    }
}
```
  • We need to fetch several variables to substitute in the fpm template.
```php
// now delete pools we don't need anymore
foreach($allversions as $version) {
    $d=opendir("/etc/php/$version/fpm/pool.d");
    while (($c=readdir($d))!==false) {
        // only consider pool files generated by AlternC (<login>.alternc.conf)
        if (preg_match('#/?([^\.]*).alternc.conf$#',$c,$mat)) {
            $user=$mat[1];
            // delete the pool if no account uses this php version anymore
            if (! isset($allpools[$version]) || !in_array($user,$allpools[$version])) {
                echo("Deleting php $version fpm pool for user $user");
                @unlink("/etc/php/".$version."/fpm/pool.d/".$user.".alternc.conf");
                $reload[$version]=$version;
            }
        }
    }
}
```
  • added a `?` in the preg_match so that the `/` is no longer mandatory (I don't know why a `/` is expected at this point, or whether it is simply a mistake),
  • `if (! isset($allpools[$version]) || !in_array($user,$allpools[$version])) {` -> added an isset test to avoid an email containing a PHP notice
```php
// now reloads php fpm versions
foreach($reload as $service) {
    passthru("systemctl reload php".$service."-fpm");
}
```
  • more reliable for restarting the fpm services. For example, we don't have init.d scripts for every installed fpm version, so they were never restarted.

With all of that, we now have a working php-fpm + certbot, and users can choose the php version they want, which is really nice.
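An added check for the permission question in point 4 (this is not part of the issue or of AlternC): it audits a php-fpm socket directory laid out as the fpm template above produces it, where /run/php must be traversable by every hosted user (0755) while each php7.x-<login>.sock stays owned by that login with php-fpm's default listen.mode of 0660. It assumes Apache reaches the socket as the vhost's UID (AssignUserId) and that entries named php7.x-fpm.* are the distribution's default pool rather than an AlternC user.

```python
import grp
import os
import pwd
import re
import stat
from dataclasses import dataclass

# Per-user socket names produced by the fpm template: /run/php/php7.0-%%LOGIN%%.sock
SOCK_RE = re.compile(r"^php\d+\.\d+-(?P<login>[^/]+)\.sock$")

@dataclass
class SockInfo:
    name: str
    mode: int            # permission bits only (st_mode & 0o7777)
    owner: str           # owning user name
    group: str           # owning group name
    is_socket: bool = True

def audit(dir_mode: int, entries: list) -> list:
    # Returns findings; an empty list means the layout is as intended.
    findings = []
    d = dir_mode & 0o7777
    if not d & 0o001:
        findings.append(f"dir mode {d:04o}: other users cannot traverse it, so Apache running "
                        "as a vhost's UID (AssignUserId) cannot reach that user's socket")
    if d & 0o022:
        findings.append(f"dir mode {d:04o}: group/world-writable, one user could unlink or "
                        "replace another user's socket")
    for e in entries:
        m = SOCK_RE.match(e.name)
        if not m or m.group("login") == "fpm":
            continue  # pid files and the distro's default php7.x-fpm.sock are not per-user (assumption)
        login = m.group("login")
        if not e.is_socket:
            findings.append(f"{e.name}: not a socket")
        if (e.owner, e.group) != (login, login):
            findings.append(f"{e.name}: owned by {e.owner}:{e.group}, expected {login}:{login}")
        if e.mode & 0o007:
            findings.append(f"{e.name}: mode {e.mode:04o} is reachable by everyone; "
                            "keep php-fpm's default listen.mode of 0660")
    return findings

def audit_path(path: str = "/run/php") -> list:
    # Gather real metadata for `path` and its entries, then run audit() on it.
    infos = [SockInfo(e.name, s.st_mode & 0o7777, pwd.getpwuid(s.st_uid).pw_name,
                      grp.getgrgid(s.st_gid).gr_name, stat.S_ISSOCK(s.st_mode))
             for e in os.scandir(path) for s in [e.stat(follow_symlinks=False)]]
    return audit(os.lstat(path).st_mode, infos)
```

Run `audit_path()` on a host to list the findings; the 0750 directory from point 4 produces the traversal finding, and 0755 with correctly owned 0660 sockets produces none.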

@ddeenniiss

ddeenniiss commented Jun 18, 2019

And as a picture, it looks like this

Screenshot from 2019-06-18 09-14-49
