# php-fpm apache - Service Unavailable - black magic !



## bryn1u (Nov 17, 2017)

Hello guys,

Can someone tell me if there is any black magic in FreeBSD when configuring php-fpm with Apache or nginx in a jail?

I can't get a website like WordPress or Joomla or anything to display. I have tried on CentOS many times. I have the same config files. On CentOS it works like a charm, even with SELinux enabled. On FreeBSD it doesn't work!!!
The funny thing is that when I put up info.php to show the settings, FPM/FastCGI is there, but when I download, for example, WordPress I get this issue:

```
Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
```

I'm looking into error.log:

```
root@proton:/var/log # cat error.log
[Fri Nov 17 00:54:18.955135 2017] [proxy_fcgi:error] [pid 66312] [client 94.254.163.126:48249] AH01067: Failed to read FastCGI header, referer: http://proton.edu.pl/wordpress/
[Fri Nov 17 00:54:18.955237 2017] [proxy_fcgi:error] [pid 66312] (70014)End of file found: [client 94.254.163.126:48249] AH01075: Error dispatching request to : , referer: http://proton.edu.pl/wordpress/
root@proton:/var/log #
```

php-fpm

```
[bryn1u]
pm = dynamic
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_children = 10
pm.max_spare_servers = 10
php_admin_value[display_errors] = stderr
php_admin_value[log_errors] = On
listen = 127.0.0.1:9001
listen.mode = 0660
listen.owner = bryn1u
user = bryn1u
chdir = /
```

vhost apache:

```
<VirtualHost *:80>
   ServerName proton.edu.pl 
   ServerAlias www.proton.edu.pl 
   DocumentRoot /usr/local/www/apache24/data
   ServerAdmin bryn1u@proton.edu.pl
        AddDefaultCharset off
   CustomLog /var/log/access.log combined
   ErrorLog /var/log/error.log
 <LocationMatch "^/(.*\.php(/.*)?)$">
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </LocationMatch>
</VirtualHost>

<VirtualHost *:80>
   ServerName bryn1u.proton.edu.pl 
   ServerAlias www.bryn1u.proton.edu.pl
   DocumentRoot /home/bryn1u/domains/bryn1u.proton.edu.pl
   ServerAdmin bryn1u@proton.edu.pl
   DirectoryIndex index.php index.html
   CustomLog /home/bryn1u/logs/bryn1u.proton.edu.pl-access combined
   ErrorLog /home/bryn1u/logs/bryn1u.proton.edu.pl-error
   AddDefaultCharset off
    <LocationMatch "^/(.*\.php(/.*)?)$">
        SetHandler "proxy:fcgi://127.0.0.1:9001"
    </LocationMatch>

    <Directory "/home/bryn1u/domains/bryn1u.proton.edu.pl">
       Options +Indexes +ExecCGI +Includes
       AllowOverride None
       Require all granted
    </Directory>
</VirtualHost>
```
I don't see any issues in the configuration and, as I said before, it works like a charm on CentOS!
This is inside a jail. Can someone tell me what is wrong with it? I have tried following many tutorials, documentation and examples, and nothing has worked.

Edit: I forgot to add a note that it works when I use apache24 with php71, but it doesn't want to work with php-fpm.


----------



## ShelLuser (Nov 17, 2017)

What happens if you try this setup on the main host, so outside the jail? If things start to work like normal then you can safely conclude that it is the jail which is limiting some services. Solely basing myself on the errors I can't help but wonder if this is simply an issue of (too much) separated processes.


----------



## bryn1u (Nov 17, 2017)

ShelLuser said:


> What happens if you try this setup on the main host, so outside the jail? If things start to work like normal then you can safely conclude that it is the jail which is limiting some services. Solely basing myself on the errors I can't help but wonder if this is simply an issue of (too much) separated processes.



I have checked again on the host and in the jail. Fast based configuration, exactly the same on host and jail. On the host it works perfectly, but in the jail the same issue shows up.
My jail.conf:

```
Proton {
        path = /Proton;
        enforce_statfs=1;
        allow.quotas;
        mount.devfs;
        exec.clean;
        exec.consolelog = "/var/log/jail_Proton_console.log";
        devfs_ruleset = 50;
        #mount.nodevfs;
        mount += "dev /Proton/dev devfs rw,ruleset=50";
        mount += "fdesc /Proton/dev/fd fdescfs rw", "proc /Proton/proc procfs rw";
        allow.socket_af
        mount;
        host.hostname = proton.edu.pl;
        ip4.addr = 79.137.56.144;
        interface = em0;
        securelevel = 3;
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
}
```

In this case I got a blank white page. So how can I use Apache or nginx with php-fpm in a jail? I don't believe it can't be done.


----------



## SirDice (Nov 17, 2017)

bryn1u said:


> This is inside a jail. Can someone tell me what is wrong with it?


A jail doesn't have 127.0.0.1, so you cannot bind php-fpm to that.


----------



## bryn1u (Nov 17, 2017)

SirDice said:


> A jail doesn't have 127.0.0.1, so you cannot bind php-fpm to that.



It's not related to that. I changed the IP to the jail's IP but the effect is the same.

```
root@FreeBSD:/usr/local/etc/php-fpm.d # sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS   
www      httpd      40989 4  tcp4   *:80                  *:*
www      httpd      40988 4  tcp4   *:80                  *:*
www      httpd      40987 4  tcp4   *:80                  *:*
www      httpd      40986 4  tcp4   *:80                  *:*
www      httpd      40985 4  tcp4   *:80                  *:*
root     httpd      40984 4  tcp4   *:80                  *:*
www      php-fpm    40813 0  tcp4   79.137.56.144:9000    *:*
www      php-fpm    40812 0  tcp4   79.137.56.144:9000    *:*
root     php-fpm    40811 8  tcp4   79.137.56.144:9000    *:*
www      httpd      17419 3  tcp4   79.137.56.144:80      *:*
www      httpd      4254  3  tcp4   79.137.56.144:80      *:*
www      httpd      4186  3  tcp4   79.137.56.144:80      *:*
www      httpd      4185  3  tcp4   79.137.56.144:80      *:*
www      httpd      4184  3  tcp4   79.137.56.144:80      *:*
www      httpd      4183  3  tcp4   79.137.56.144:80      *:*
www      httpd      4182  3  tcp4   79.137.56.144:80      *:*
www      php-fpm    4126  0  tcp4   79.137.56.144:9000    *:*
www      php-fpm    4125  0  tcp4   79.137.56.144:9000    *:*
root     php-fpm    4124  8  tcp4   79.137.56.144:9000    *:*
root     httpd      4117  3  tcp4   79.137.56.144:80      *:*
```
Still doesn't work. The same shit. Really, I did not expect such a thing in a jail.


----------



## SirDice (Nov 17, 2017)

When you bind php-fpm to the jail's address did you also modify the handler in the vhost config?


----------



## bryn1u (Nov 17, 2017)

SirDice said:


> When you bind php-fpm to the jail's address did you also modify the handler in the vhost config?



Hey,

I have bound it. The funny thing is that since I bound it to the IP address of the jail I don't get the error, but the content of the PHP file. You can check http://proton.edu.pl/wordpress/
It looks like PHP is missing.

```
root@proton:/usr/local/etc/apache24/Includes # sockstat
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      php-fpm    48154 0  tcp4   79.137.56.144:9000    *:*
www      php-fpm    48153 0  tcp4   79.137.56.144:9000    *:*
root     php-fpm    48152 5  stream -> ??
root     php-fpm    48152 7  stream -> ??
root     php-fpm    48152 8  tcp4   79.137.56.144:9000    *:*
www      httpd      48074 3  tcp4   79.137.56.144:80      *:*
www      httpd      47874 3  tcp4   79.137.56.144:80      *:*
www      httpd      47873 3  tcp4   79.137.56.144:80      *:*
www      httpd      47872 3  tcp4   79.137.56.144:80      *:*
www      httpd      47871 3  tcp4   79.137.56.144:80      *:*
www      httpd      47870 3  tcp4   79.137.56.144:80      *:*
www      httpd      47869 3  tcp4   79.137.56.144:80      *:*
root     httpd      47867 3  tcp4   79.137.56.144:80      *:*
root     cron       47082 4  dgram  -> /var/run/logpriv
smmsp    sendmail   47078 3  dgram  -> /var/run/log
root     sendmail   47075 3  tcp4   79.137.56.144:25      *:*
root     sendmail   47075 4  dgram  -> /var/run/logpriv
root     syslogd    47019 4  dgram  /var/run/log
root     syslogd    47019 5  dgram  /var/run/logpriv
root     syslogd    47019 6  udp4   79.137.56.144:514     *:*
?        ?          ?     ?  tcp4   79.137.56.144:80      78.209.97.172:55958
root@proton:/usr/local/etc/apache24/Includes #
```


```
root@proton:/usr/local/etc/apache24/Includes # cat vhosts.conf
<VirtualHost *:80>
   ServerName proton.edu.pl
   ServerAlias www.proton.edu.pl
   DocumentRoot /usr/local/www/apache24/data
   ServerAdmin bryn1u@proton.edu.pl
   <LocationMatch "^/(.*\.php(/.*)?)$">
        SetHandler "proxy:fcgi://79.137.56.144:9000"
   </LocationMatch>
   CustomLog /var/log/dupa-acces.log combined
   ErrorLog /var/log/dupa-error.log
   AddDefaultCharset off
   DirectoryIndex index.php index.html
       <Directory "/usr/local/www/apache24/data">
       Options +Indexes +ExecCGI +Includes
       AllowOverride None
       Require all granted
    </Directory>
 
</VirtualHost>
```

php-fpm.conf - I'm using the default config installed via pkg. I have only changed the IP to the jail's IP. What am I doing wrong, if I am doing something wrong? Could be impossible to not use php-fpm in jail.


----------



## SirDice (Nov 17, 2017)

https://wiki.apache.org/httpd/PHP-FPM#TCP_socket_.28IP_and_port.29_approach

Because a jail doesn't have a 127.0.0.1 using a file socket might be a better solution: https://wiki.apache.org/httpd/PHP-FPM#unix_domain_socket_.28UDS.29_approach
That way you don't have to have PHP-FPM bound to an externally accessible address.


----------



## bryn1u (Nov 17, 2017)

SirDice said:


> https://wiki.apache.org/httpd/PHP-FPM#TCP_socket_.28IP_and_port.29_approach
> 
> Because a jail doesn't have a 127.0.0.1 using a file socket might be a better solution: https://wiki.apache.org/httpd/PHP-FPM#unix_domain_socket_.28UDS.29_approach
> That way you don't have to have PHP-FPM bound to an externally accessible address.



The same effect. I even tried with nginx and got the same results. I don't know if it is even possible to run php-fpm inside a jail. When I was using apache24+php it worked great.
I added `allow.socket_af` to the jail but it didn't help.


----------



## bryn1u (Nov 18, 2017)

SirDice said:


> https://wiki.apache.org/httpd/PHP-FPM#TCP_socket_.28IP_and_port.29_approach
> 
> Because a jail doesn't have a 127.0.0.1 using a file socket might be a better solution: https://wiki.apache.org/httpd/PHP-FPM#unix_domain_socket_.28UDS.29_approach
> That way you don't have to have PHP-FPM bound to an externally accessible address.



@SirDice, ShelLuser
I have resolved the problem.
1) Everything works great on 127.0.0.1 - it doesn't matter for a jail which address you are using, because the jail will bind to the IP address on which it is based.
2) Options like these have to be added to the jail:

```
sysvmsg = new;
sysvsem = new;
sysvshm = new;
allow.socket_af;
```
Then Apache + php-fpm will work! I think many people don't know about it, and this is an important recipe. Instead of "new", the "inherit" option can be used, but I don't prefer it because:


> Allow access to SYSV IPC message primitives. If set to "inherit", all IPC objects on the system are visible to this jail, whether they were created by the jail itself, the base system, or other jails.


Link: `https://www.freebsd.org/cgi/man.cgi?jail` -> sysvmsg, sysvsem, sysvshm, allow.socket_af.
A normal installation of apache24 + php71 + mod_php71 doesn't need these options.
My jail.conf might help someone.

```
root@HardenedBSD:~ # cat /etc/jail.conf
Proton {
        path = /root/Proton;
        enforce_statfs=2;
        allow.quotas;
        mount.devfs;
        mount;
        exec.clean;
        exec.consolelog = "/var/log/jail_Proton_console.log";
        devfs_ruleset = 50;
        sysvmsg = new;
        sysvsem = new;
        sysvshm = new;
        allow.socket_af;
        mount += "dev /root/Proton/dev devfs rw,ruleset=50";
        mount += "fdesc /root/Proton/dev/fd fdescfs rw";
        mount +=  "proc /root/Proton/proc procfs rw";
        host.hostname = proton.edu.pl;
        ip4.addr = 79.137.56.144;
        interface = em0;
        securelevel = 3;
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
}
```


----------
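An audit of the `sysvmsg` / `sysvsem` / `sysvshm` settings discussed in the last post, added here as an example and not part of the thread: it reads a jail.conf on stdin and reports, per jail, whether each parameter is `new`, `inherit` or never set. The sample file is constructed and the function names are hypothetical; it assumes one `Name {` line per jail block.

```sh
#!/bin/sh
# Added example: report the SysV IPC mode of every jail in a jail.conf.
# Reads the file on stdin, prints "<jail> <param> <value>"; "unset" means
# the jail block never sets that parameter.
audit_sysv() {
    awk '
        { sub(/#.*/, "") }                          # drop trailing comments
        /^[ \t]*[A-Za-z0-9_.-]+[ \t]*[{]/ {         # "Name {" opens a jail
            jail = $1; sub(/[{].*/, "", jail)
            split("", val); next                    # forget previous jail
        }
        /^[ \t]*[}]/ && jail != "" {                # "}" closes it: report
            n = split("sysvmsg sysvsem sysvshm", p, " ")
            for (i = 1; i <= n; i++)
                print jail, p[i], ((p[i] in val) ? val[p[i]] : "unset")
            jail = ""; next
        }
        jail != "" {
            line = $0                               # may hold several params
            while (match(line, /sysv(msg|sem|shm)[ \t]*=[ \t]*"?[a-z]+/)) {
                s = substr(line, RSTART, RLENGTH)
                k = s; sub(/[ \t]*=.*/, "", k)
                v = s; sub(/.*=[ \t]*"?/, "", v)
                val[k] = v
                line = substr(line, RSTART + RLENGTH)
            }
        }
    '
}

# Everything that is not a private namespace: inherit, disable or unset.
sysv_not_new() { audit_sysv | awk '$3 != "new"'; }

# Constructed sample, not the poster's file.
sample_conf() {
    cat <<'EOF'
web {
        path = /jails/web;
        sysvmsg = new; sysvsem = new;
        sysvshm = new;          # private key namespace
}
legacy {
        path = /jails/legacy;
        sysvmsg = inherit;
        sysvshm = "inherit";
}
EOF
}

sample_conf | sysv_not_new
```

On a real host the input would be `/etc/jail.conf`; an `inherit` line marks a jail that can see IPC objects created by the host and by other jails, as the quoted man page text says.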

