# FreeBSD 12.1 + Apache 2.4.x + PHP 7.2.x (Multiple TLD's + Multiple Sub-domains) w/ httpd.conf



## StreetDancer (Feb 28, 2020)

FreeBSD 12.1 + Apache 2.4.x (Multiple TLD's + Multiple Sub-domains) w/ httpd.conf -- won't connect error (sub-domain)

Problem at hand: Sub-domain receiving a "won't connect" in browser. I cannot even receive an error message on either Apache or Web Browser (Firefox).

The domain: sharpenyoursword.org is TLD #1 && subdomain.sharpenyoursword.org is on its own STATIC IP (I am trying to achieve the following):

TLD #1: Unique Static IP
TLD #2: Unique Static IP
TLD #3: Unique Static IP
TLD #4: Unique Static IP
TLD #5: Unique Static IP

TLD #1 Subdomains: Unique Static IP (Shared IP across *.sharpenyoursword.org)
TLD #2 Subdomains: Unique Static IP (Shared IP across *.TLD #2)
TLD #3 Subdomains: Unique Static IP (Shared IP across *.TLD #3)
TLD #4 Subdomains: Unique Static IP (Shared IP across *.TLD #4)
TLD #5 Subdomains: Unique Static IP (Shared IP across *.TLD #5)


Current httpd.conf:


```
ServerRoot "/usr/local"
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
Listen SERVER-IP(Same as TLD #1):80

# LOGGING - MAIN APACHE

ErrorLog "/usr/local/www/apache24/logs/error/apache24-main-error.log"

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /usr/local/www/apache24/logs/access/apache24-access_log common

# ALT APACHE MODES (NON-PHP-FPM)

#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so

# BARE MINIMUM - REQUIRED

LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
LoadModule version_module libexec/apache24/mod_version.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
LoadModule dir_module libexec/apache24/mod_dir.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule mime_module  libexec/apache24/mod_mime.so
LoadModule actions_module libexec/apache24/mod_actions.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so

# CHOSEN MODULES - EXTENDABLES

LoadModule authz_user_module libexec/apache24/mod_authz_user.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so

LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so


# MOD SECURITY V2

LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule security2_module libexec/apache24/mod_security2.so
Include /usr/local/etc/modsecurity/*.conf

# OWASP3 CORE BASE RULES FOR MOD SECURITY V2

Include /usr/local/etc/apache24/OWASP3/rules/*.conf

# MOD SECURITY V3

#LoadModule security3_module modules/mod_security3.so

# THIRD PARTY MODULES

#IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf

<IfModule unixd_module>

User www
Group www

</IfModule>

## Apache 2.4 Daemon Hardening

# Prevent Apache from sending identifying information to a Client
ServerTokens Prod
ServerSignature Off

## Vhosts-Enabled Directory - Custom

#IncludeOptional etc/apache24/Vhosts-Enabled/*.conf

# REMAINDER ROOT SERVER CONFIG

<IfModule alias_module>

    ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"

</IfModule>

<IfModule cgid_module>

</IfModule>

<Directory "/usr/local/www/apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule headers_module>

</IfModule>

<IfModule mime_module>

    TypesConfig etc/apache24/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

</IfModule>

<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf

</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Include etc/apache24/Includes/*.conf
Include etc/apache24/Vhosts-Enabled/*.conf
```

Current VHOST Example of TLD #1 (Unique STATIC IP Subdomain of sharpenyoursword.org ; which sharpenyoursword.org has a different Unique STATIC IP)

Vhost Configuration Folder: (/Vhosts-Enabled)

File:
subdomain_SYSorg_001_genesis.sharpenyoursword.org.conf

File Contents: (subdomain_SYSorg_001_genesis.sharpenyoursword.org.conf):


```
# TLD - SHARPENYOURSWORD.ORG

<VirtualHost 104.36.17.19:80>

ServerAdmin admin@sharpenyoursword.org

ServerName 104.36.17.19:80

DocumentRoot "/usr/local/www/apache24/data/sys_GENESIS/"

<Directory "/usr/local/www/apache24/data/sys_GENESIS/">

    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>
<Files ".ht*">
    Require all denied
</Files>

ErrorLog "/usr/local/www/apache24/logs/error/subdomain_SYSorg_001_apache24-genesis.sharpenyoursword.org-error.log"

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /usr/local/www/apache24/logs/access/subdomain_SYSorg_001_apache24-genesis.sharpenyoursword.org-access_log common


LogLevel warn

<IfModule log_config_module>

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
    </IfModule>

</IfModule>

<FilesMatch "\.php$">
    SetHandler  "proxy:fcgi://127.0.0.1:9001"
</FilesMatch>

</VirtualHost>
```

*The exact Web Browser Error is :*

"Problem loading page"

Contents: "Unable to connect"


Thank you ahead of time if anyone knows what is causing this!

Best Regards,

Brandon Kastning
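A check for the configuration above, added here as an example and not code from the thread: Apache only opens sockets for addresses named in a `Listen` directive, and the httpd.conf above lists only TLD #1's address while the subdomain VirtualHost is bound to a different one. The script builds a constructed copy of that layout (addresses are the ones that appear in this thread) and prints every VirtualHost address that no `Listen` covers.

```shell
#!/bin/sh
# Added example, not code from the thread: report VirtualHost addresses that
# httpd.conf never tells Apache to bind. Apache only opens sockets for the
# addresses given to Listen; a <VirtualHost IP:port> on any other address
# never gets a socket, which the browser reports as "Unable to connect".

# Constructed copy of the thread's layout: Listen names only TLD #1's IP,
# the subdomain vhost sits on its own static IP. The real files live under
# /usr/local/etc/apache24/.
make_sample_config() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Vhosts-Enabled"
    cat >"$dir/httpd.conf" <<'EOF'
ServerRoot "/usr/local"
Listen 104.36.16.72:80
Include etc/apache24/Vhosts-Enabled/*.conf
EOF
    cat >"$dir/Vhosts-Enabled/001_sharpenyoursword.org.conf" <<'EOF'
<VirtualHost 104.36.16.72:80>
    ServerName sharpenyoursword.org
</VirtualHost>
EOF
    cat >"$dir/Vhosts-Enabled/subdomain_SYSorg_001_genesis.sharpenyoursword.org.conf" <<'EOF'
<VirtualHost 104.36.17.19:80>
    ServerName genesis.sharpenyoursword.org
</VirtualHost>
EOF
    printf '%s\n' "$dir"
}

# Print every addr:port named by a <VirtualHost> in $2/*.conf that no Listen
# line in $1 covers. Listen forms understood: "Listen 80", "Listen IP:80",
# "Listen *:80", "Listen 0.0.0.0:80". VirtualHost forms: IP:port, *:port,
# _default_:port (the last two only need some Listen on that port).
unlistened_vhosts() {
    conf=$1
    vhostdir=$2
    listens=$(awk '/^[[:space:]]*Listen[[:space:]]/ { print $2 }' "$conf")
    for f in "$vhostdir"/*.conf; do
        awk '/^[[:space:]]*<VirtualHost[[:space:]]/ {
                 sub(/^[[:space:]]*<VirtualHost[[:space:]]+/, "")
                 sub(/>.*$/, "")
                 for (i = 1; i <= NF; i++) print $i
             }' "$f"
    done | sort -u | while read -r addr; do
        set -f                       # a Listen value like *:80 must not glob
        port=${addr##*:}
        host=${addr%:*}
        covered=0
        for l in $listens; do
            lport=${l##*:}
            if [ "$l" = "$addr" ] || [ "$l" = "$port" ] \
               || [ "$l" = "*:$port" ] || [ "$l" = "0.0.0.0:$port" ]; then
                covered=1
            elif [ "$lport" = "$port" ]; then
                case "$host" in
                    '*'|_default_) covered=1 ;;
                esac
            fi
        done
        if [ "$covered" -eq 0 ]; then
            printf '%s\n' "$addr"
        fi
    done
}

# Demo on the constructed sample: prints 104.36.17.19:80, the subdomain
# address that this httpd.conf never binds. On the live box, point the
# function at /usr/local/etc/apache24/httpd.conf and .../Vhosts-Enabled.
sample=$(make_sample_config)
unlistened_vhosts "$sample/httpd.conf" "$sample/Vhosts-Enabled"
rm -rf "$sample"
```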


----------



## VladiBG (Feb 28, 2020)

you have

```
#IncludeOptional etc/apache24/Vhosts-Enabled/*.conf
```

remove the comment in front so all *.conf files from this directory are loaded.

```
Include /usr/local/etc/apache24/Vhosts-Enabled/*.conf
```


----------



## StreetDancer (Feb 28, 2020)

VladiBG said:


> you have
> #IncludeOptional etc/apache24/Vhosts-Enabled/*.conf
> 
> remove the comment in front so all *.conf files from this directory are loaded.
> ...


VladiBG,

I removed the hash tag; restarted apache and still the same results.

Unless I need to restart the server for some reason.

Thank you for pointing that out. Too bad it didn't fix the problem though. The Vhost configuration files within /Vhosts-Enabled have been loading in HTML.


----------



## VladiBG (Feb 28, 2020)

do you see your custom log files for each vhost? if not then your vhost*.conf files are not loaded most likely because your path is incorrect

```
Include etc/apache24/Includes/*.conf
Include etc/apache24/Vhosts-Enabled/*.conf
```

must be the full path with leading root /
/usr/local/etc/apache24/.....


----------



## anlashok (Feb 28, 2020)

Do your mod_security settings deny all directory access by default?

add Require all granted or Require valid-user (if using authentication) to the virtualhost <Directory> block

I'd also not set your ServerRoot "/usr/local/". A misconfiguration would give access to all your server configuration folders


----------



## StreetDancer (Feb 28, 2020)

VladiBG said:


> do you see your custom log files for each vhost? if not then your vhost*.conf files are not loaded most likely because your path is incorrect
> Include etc/apache24/Includes/*.conf
> Include etc/apache24/Vhosts-Enabled/*.conf
> 
> ...



VladiBG,

They sure are! 

*Output for /usr/local/www/apache24/logs/access:*


```
root@sharpenyoursword:/usr/local/www/apache24/logs/access # ls
001_apache24-sharpenyoursword.org-access_log
002_apache24-sharpenyoursword.net-access_log
003_apache24-thewarriorsdojo-access_log
004_apache24-wethepeopleonline-access_log
005_apache24-uscaselaw-access_log
apache24-access_log
subdomain_SYSorg_001_apache24-genesis.sharpenyoursword.org-access_log
subdomain_WTPO_047_apache24-washington.wethepeopleonline.com-access_log
```


----------



## StreetDancer (Feb 28, 2020)

anlashok said:


> Do your mod_security settings deny all directory access by default?
> 
> add Require all granted or Require valid-user (if using authentication) to the virtualhost <Directory> block
> 
> I'd also not set your ServerRoot "/usr/local/". A misconfiguration would give access to all your server configuration folders



anlashok,

Regarding mod_security I am not sure. I ran into difficulties trying to configure it based on internet guides on blogs and mod_security installations. I attempted V3 first; and then I installed Mod Security V2. I was receiving the following error because I did not set it up correctly. 

Error with PHP Pages being White since I started to install and configure mod_security on the following file: /var/log/modsec_audit.log

I couldn't get git installed. I manually git cloned to debian and uploaded it to my home directory temporarily (the Core Rule Set); had a problem with OpenSSL and couldn't figure it out.

*modsec_audit.log Contents:*


```
--27790531-F--
HTTP/1.1 500 Internal Server Error
Set-Cookie: 2c9eba53fdcd76efdd52077f96a8c94e=c5sul7o0rckiq8i13s70ujkr1d; path=/; HttpOnly
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--27790531-E--

--27790531-H--

Message: Warning. Operator EQ matched 0 at TX. [file "/usr/local/etc/apache24/OWASP3/rules/REQUEST-901-INITIALIZATION.conf"] [line "61"] [id "901001"] [msg "ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client HOME_IP] ModSecurity: Warning. Operator EQ matched 0 at TX. [file "/usr/local/etc/apache24/OWASP3/rules/REQUEST-901-INITIALIZATION.conf"] [line "61"] [id "901001"] [msg "ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"] [hostname "sharpenyoursword.org"] [uri "/"] [unique_id "XlheXTyYRw5ZoXMokoy2CwAAANg"]

Apache-Error: [file "mod_proxy_fcgi.c"] [line 859] [level 3] AH01071: Got error 'PHP message: PHP Warning:  require_once(/usr/local/www/apache24/data/sysorgmain/administrator/components/com_jvld/common/class.payment.php): failed to open stream: No such file or directory in /usr/local/www/apache24/data/sysorgmain/plugins/jvldpayment/offline/offline.php on line 18\\nPHP message: PHP Fatal error:  require_once(): Failed opening required '/usr/local/www/apache24/data/sysorgmain/administrator/components/com_jvld/common/class.payment.php' (include_path='/usr/local/www/apache24/data/sysorgmain/plugins/system/shlib/shl_packages//ZendFramework-1.11.7-minimal/library:.:/usr/local/share/pear') in /usr/local/www/apache24/data/sysorgmain/plugins/jvldpayment/offline/offline.php on line 18\\n'

Apache-Handler: proxy:fcgi://127.0.0.1:9000
Stopwatch: 1582849629937222 459921 (- - -)
Stopwatch2: 1582849629937222 459921; combined=6041, p1=2327, p2=2282, p3=75, p4=174, p5=663, sr=397, sw=5, l=0, gc=515
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--27790531-Z--
```

I do not know if sharpenyoursword.org/index.php is loading and being prevented by installed mod_security. I tried to rule that out before completing what the error page said to do. The only way I could do that is to install git and clone the directory. I took the long way on that and haven't gotten that far just yet.

I did try to edit httpd.conf and # disable mod_security; restarted apache24 and the white pages were still there.

I do not know if there are more "on switches" besides that or if I broke it since the last fix and it turns out not to be mod_security


You said:

> I'd also not set your ServerRoot "/usr/local/". A misconfiguration would give access to all your server configuration folders

What would you recommend as far as a secure path within the FreeBSD file system?

Thanks again!


----------



## StreetDancer (Mar 2, 2020)

The logs on php-fpm are showing... path /var/log/ 

Command:

```
# tail -f global-php-fpm.log
```


```
[27-Feb-2020 16:25:06] NOTICE: fpm is running, pid 84554
[27-Feb-2020 16:25:06] NOTICE: ready to handle connections
[02-Mar-2020 14:27:36] NOTICE: [pool sharpenyoursword.org] child 85034 exited with code 0 after 338550.041040 seconds from start
[02-Mar-2020 14:27:36] NOTICE: [pool sharpenyoursword.org] child 76428 started
[02-Mar-2020 15:31:04] NOTICE: Terminating ...
[02-Mar-2020 15:31:04] NOTICE: exiting, bye-bye!
[02-Mar-2020 15:33:10] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

[02-Mar-2020 15:33:10] NOTICE: fpm is running, pid 3546
[02-Mar-2020 15:33:10] NOTICE: ready to handle connections
```

Still white; I even copied over the configuration file and disabled modsecurity in the main one. Still white screen. That's why I am checking the logs on php-fpm. Apache 2.4 also starts without a problem. 

Good puzzle here.


----------



## StreetDancer (Mar 3, 2020)

I just got done removing php72.x and installed php 7.4 latest. Removed mod_security3, mod_security2 and reinstalled mod_security2. 

Apache 2.4 is loading fine. Startup is perfect; even with php-fpm.

The logs are showing good and "ps aux" outputs the following php-fpm pool daemon's running and I can't seem to process .php pages. 

White page; no error.

```
# ps aux
www     91032   0.0  1.4  205296  44148  -  I    17:52   0:00.73 php-fpm: pool sharpenyoursword.org (php-fpm)
www     91273   0.0  1.1  202944  35544  -  I    17:52   0:00.00 php-fpm: pool sharpenyoursword.org (php-fpm)
www     91790   0.0  1.1  202944  35544  -  I    17:52   0:00.00 php-fpm: pool genesis.sharpenyoursword.org (php-fpm)
```

So now the current build is:

```
# freebsd-version -k
12.1-RELEASE
# uname -mrs
FreeBSD 12.1-RELEASE amd64
```

```
# httpd -v
Server version: Apache/2.4.41 (FreeBSD)
```

```
# php -v
PHP 7.4.3 (cli) (built: Mar  2 2020 17:27:23) ( NTS DEBUG )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.3, Copyright (c), by Zend Technologies
```


----------



## StreetDancer (Mar 3, 2020)

The mod_security from ports /www/mod_security 2.9.3 current installed and configured. Everything that I can see is configured properly. I updated to PHP 7.4 like I said earlier and I also re-mapped the PHP-FPM pools and matched to the Vhosts-Enabled/*.conf's for the multiple domain.TLD configurations. 

Mod Security modsec_audit.log is producing the following when I am trying to load the main domain.TLD


```
--4d3ffc18-A--
[02/Mar/2020:19:47:17 --0800] Xl3TRR8SjLGdHG2oHRVkiAAAAJg HOMEIP 48124 104.36.16.72 80
--4d3ffc18-B--
GET /index.php HTTP/1.1
Host: sharpenyoursword.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __test=f50a0d1177af10c474dab772f80effaa; 2c9eba53fdcd76efdd52077f96a8c94e=ikbftof2k6khh1gamuivlfeb6e
Connection: keep-alive
Upgrade-Insecure-Requests: 1

--4d3ffc18-F--
HTTP/1.1 500 Internal Server Error
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--4d3ffc18-E--

--4d3ffc18-H--
Apache-Error: [file "mod_proxy_fcgi.c"] [line 859] [level 3] AH01071: Got error 'PHP message: PHP Warning:  require_once(/usr/local/www/apache24/data/sysorgmain/administrator/>
Apache-Handler: proxy:fcgi://127.0.0.1:9000
Stopwatch: 1583207237807228 38376 (- - -)
Stopwatch2: 1583207237807228 38376; combined=1938, p1=497, p2=1092, p3=62, p4=157, p5=124, sr=151, sw=6, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"
```

Different Domain w/ a standard info.php (This one is just a standard info.php) -- Still white page w/ the following /var/log/modsec_audit.log entry:


```
--50f40413-A--
[02/Mar/2020:19:53:42 --0800] Xl3UxphFCsSp96m4o1GBrwAAAJY HOMEIP 48230 104.36.16.72 80
--50f40413-B--
GET /info.php HTTP/1.1
Host: thewarriorsdojo.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 02960cc0cd3fe42706f1b8455e0f15ab=mjof8rjrfbl69h68p00clo74ac
Connection: keep-alive
Upgrade-Insecure-Requests: 1

--50f40413-F--
HTTP/1.1 500 Internal Server Error
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--50f40413-H--
Apache-Handler: proxy:fcgi://127.0.0.1:9003
Stopwatch: 1583207622658159 75490 (- - -)
Stopwatch2: 1583207622658159 75490; combined=1844, p1=724, p2=964, p3=0, p4=0, p5=150, sr=308, sw=6, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--50f40413-Z--
```


----------



## richardtoohey2 (Mar 3, 2020)

Could you simplify the set-up to just deliver HTML for now?

So first step might be better as a few "It worked!" HTML pages.

Once those are working you can move onto the PHP-FPM stuff - once you know that basic HTML delivery is working.

Apologies if you've already tried that or it's not going to help here.


----------



## StreetDancer (Mar 3, 2020)



richardtoohey2 said:


> Could you simplify the set-up to just deliver HTML for now?
> 
> So first step might be better as a few "It worked!" HTML pages.
> 
> ...


All taken care of richardtoohey2,



			http://sharpenyoursword.org/index.html
		



			http://sharpenyoursword.net/index.html
		



			http://thewarriorsdojo.com/index.html
		



			http://wethepeopleonline.com/index.html
		

http://uscaselaw.org/index.html
All work great!

These subdomain Vhosts do not cause errors but do not work on index.html even. Never have. Just a no connect. Cannot establish connection. Almost like Apache doesn't see it.

http://genesis.sharpenyoursword.net/index.html
http://washington.wethepeopleonline.com/index.html


I just disabled them to see if it was causing problems to the other sites and the answer is no. No changes with them disabled.

I have looked over all the configurations over and over.

This is the current tail of modsec_audit.log (Mod_Security 2.9.3 is working alongside OWASP V3 Core Rule Set 3.2.0):



```
--11865814-A--
[02/Mar/2020:21:25:43 --0800] Xl3qVwBV34M@yRsmtb3OVwAAANc HOMEIP 49424 104.36.16.72 80
--11865814-B--
GET /index.php HTTP/1.1
Host: wethepeopleonline.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __cfduid=de675588b7e924c4cb4c990d17f027ffe1580654750; a09c59bfacbe5491da19b8ea585f3f3c=j3cdh18t8henkb1k82u90g1d4s
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

--11865814-F--
HTTP/1.1 500 Internal Server Error
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--11865814-H--
Apache-Handler: proxy:fcgi://127.0.0.1:9004
Stopwatch: 1583213143120190 76133 (- - -)
Stopwatch2: 1583213143120190 76133; combined=156, p1=129, p2=0, p3=0, p4=0, p5=22, sr=0, sw=5, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache

--11865814-Z--
```

Best Regards,

Brandon Kastning


----------



## anlashok (Mar 3, 2020)

Did you address these errors you were getting?

The first two say that you haven't created a required configuration file for the mod_security settings.
The third one is complaining that a PHP file is not found / missing from the /usr/local/www/apache24/data/sysorgmain/ folders. Is the file it is looking for present or missing? That might stop the whole site working if it's a critical one.



StreetDancer said:


> Message: Warning. Operator EQ matched 0 at TX. [file "/usr/local/etc/apache24/OWASP3/rules/REQUEST-901-INITIALIZATION.conf"] [line "61"] [id "901001"] [msg "ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"]
> 
> 
> Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client HOME_IP] ModSecurity: Warning. Operator EQ matched 0 at TX. [file "/usr/local/etc/apache24/OWASP3/rules/REQUEST-901-INITIALIZATION.conf"] [line "61"] [id "901001"] [msg "ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"] [hostname "sharpenyoursword.org"] [uri "/"] [unique_id "XlheXTyYRw5ZoXMokoy2CwAAANg"]
> ...



As far as getting a white screen all the time when you are trying to view a PHP file, there is probably an issue with the one or more PHP files in your sites, but I expect you now have settings in the PHP configuration to suppress the display of those errors.

Temporarily set these settings in one of the domains php-fpm config, restart php-fpm, try to view that domain's php url, see if you get errors reported on screen, then try to resolve those. Reset the config and restart php-fpm whilst you sort out the issues. PHP errors should also be recorded in the php-fpm.log file or in the apache error logs


```
php_admin_value[error_reporting] = "2147483647"
php_admin_flag[display_errors] = On
```


----------



## StreetDancer (Mar 3, 2020)


anlashok said:


> Did you address these errors you were getting?
> 
> The first two say that you haven't created a required configuration file for the mod_security settings.
> The third one is complaining that a PHP file is not found / missing from the /usr/local/www/apache24/data/sysorgmain/ folders. Is the file it is looking for present or missing? That might stop the whole site working if its a critical one.
> ...


anlashok,

While running out of reasons why this hasn't worked, I decided to go back to the original unix sockets that you showed me with php-fpm. I went over the configuration and checked everything over.

Restarted the server and php-fpm doesn't return an error. (The entire time I have had this system built) -- I have never seen "service php-fpm status" ever say it is running.

I immediately logged in as super user and ran the following w/ a zero error dmesg boot:

```
# service php-fpm onestatus
```

and received:

```
php_fpm is not running.
```

then I ran

```
# service php-fpm onestart
```

and received:

```
Performing sanity check on php-fpm configuration:
[03-Mar-2020 11:16:29] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Starting php_fpm.
[03-Mar-2020 11:16:29] ERROR: unable to bind listening socket for address '127.0.0.1:9000': Address already in use (48)
[03-Mar-2020 11:16:29] ERROR: FPM initialization failed
/usr/local/etc/rc.d/php-fpm: WARNING: failed to start php_fpm
#
```

I believe this may have been the problem all along. Since this has never been resolved and I do not know the cause at this time. I have changed all domains to use unix socket now and all the other lines that I commented out with ;listen = 127.0.0.1:9001 + (no 9000 port).

Perhaps there is a configuration file I am not remembering.

Now I am getting 503 Unavailable since switching back to unix sockets.

Thanks again. This is a tough one!


----------



## anlashok (Mar 3, 2020)

```
sockstat -4
```
 will show what else is running on those ports


----------



## StreetDancer (Mar 3, 2020)

anlashok said:


> ```
> sockstat -4
> ```
> will show what else is running on those ports


```
# sockstat -4
```

outputted the following:


```
www      php-fpm    58855 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58643 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58588 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58405 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58197 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58180 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58041 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    57997 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    57919 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    57768 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    57600 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    57435 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    57365 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    57187 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    57084 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    57031 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    56912 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    56867 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    56709 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    56590 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    56426 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    56241 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    56042 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55990 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55965 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55817 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55693 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55606 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55444 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55246 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55217 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    55019 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54877 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54662 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54588 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54543 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54366 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54243 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54209 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54047 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    53998 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53993 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53954 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53845 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53790 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53728 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53517 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53357 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53295 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53120 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53006 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52886 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52859 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52714 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52551 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52462 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52318 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52241 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52071 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    51999 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    51871 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    51704 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    51632 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    51456 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    51242 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    51044 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    50905 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    50838 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    50690 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    50649 6  tcp4   127.0.0.1:9000        *:*
root     php-fpm    50444 8  tcp4   127.0.0.1:9000        *:*
root     php-fpm    50444 9  tcp4   127.0.0.1:9001        *:*
root     php-fpm    50444 10 tcp4   127.0.0.1:9003        *:*
root     php-fpm    50444 11 tcp4   127.0.0.1:9004        *:*
root     php-fpm    50444 12 tcp4   127.0.0.1:9005        *:*
root     php-fpm    50444 13 tcp4   127.0.0.1:9002        *:*
root     php-fpm    50444 14 tcp4   127.0.0.1:9006        *:*
```


----------



## anlashok (Mar 3, 2020)

That's showing a lot of php-fpm processes still listening on TCP network ports. If you have switched back over to Unix sockets successfully for all hosts, there shouldn't be any showing up there at all.


```
sockstat | grep php-fpm
```

on my server shows this, which shows that the php-fpm processes are using Unix sockets for connections. There are no instances using tcp4 connections.


```
www      php-fpm    63057 6  stream /var/run/example.com-php-fpm.sock
www      php-fpm    63056 6  stream /var/run/example.com-php-fpm.sock
www      php-fpm    63055 5  stream -> /tmp/mysql.sock
www      php-fpm    63055 6  stream /var/run/example2.com-php-fpm.sock
www      php-fpm    63054 6  stream /var/run/example2.com-php-fpm.sock
www      php-fpm    63053 6  stream /var/run/example.org-php-fpm.sock
www      php-fpm    63052 6  stream /var/run/example.org-php-fpm.sock
root     php-fpm    63051 5  stream -> ??
root     php-fpm    63051 7  stream -> ??
root     php-fpm    63051 8  stream /var/run/example.org-php-fpm.sock
root     php-fpm    63051 9  stream /var/run/example.com-php-fpm.sock
root     php-fpm    63051 10 stream /var/run/example2.com-php-fpm.sock
```


----------



## StreetDancer (Mar 3, 2020)

anlashok,

10-4; Rebooting server.



anlashok said:


> that's showing a lot of php-fpm processes listening on tcp network ports still. If you have switched back over to unix sockets successfully for all hosts, there shouldn't be any showing up there at all.
> 
> 
> ```
> ...


Hmm... perhaps it's caching the old connections.

The only configuration files I can find are /usr/local/etc/php-fpm.conf (no mention of any ports) && /usr/local/etc/php-fpm.d/www.conf (ports are commented out with ; and just the .sock lines are uncommented).


----------



## StreetDancer (Mar 3, 2020)

/var/log/modsec_audit.log (Mod Security V2 log):


```
--409a4c77-A--
[03/Mar/2020:14:52:34 --0800] Xl7fsq6gVR@MUEEu70PLkwAAANY HOMEIP 52800 104.36.16.72 80
--409a4c77-B--
GET /index.php HTTP/1.1
Host: wethepeopleonline.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: a09c59bfacbe5491da19b8ea585f3f3c=tj129hv2mefpb36lio1b2aafbg
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

--409a4c77-F--
HTTP/1.1 503 Service Unavailable
X-Content-Type-Options: nosniff
Content-Length: 299
Connection: close
Content-Type: text/html; charset=iso-8859-1

--409a4c77-H--
Apache-Error: [file "mod_proxy_fcgi.c"] [line 1068] [level 3] AH01079: failed to make connection to backend: httpd-UDS
Apache-Handler: proxy:unix:/var/run/wethepeopleonline.com-php-fpm.sock|fcgi://localhost/
Stopwatch: 1583275954979229 6359 (- - -)
Stopwatch2: 1583275954979229 6359; combined=250, p1=220, p2=0, p3=0, p4=0, p5=25, sr=0, sw=5, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache

--409a4c77-Z--
```
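
As an added example (not code from the thread or from either poster), the following POSIX sh script reads sockstat output in the format pasted above, separates php-fpm's TCP listeners from its Unix-socket listeners (skipping outgoing `->` connections such as the mysql one), pulls the socket path out of an Apache `proxy:unix:...|fcgi://localhost/` handler like the one in the ModSecurity log, and reports whether php-fpm is actually bound there. That mismatch, pools on 127.0.0.1:90xx while Apache dials a .sock path, is what AH01079 reports and what the client sees as a 503. A second helper judges from an `ls -ld` line whether the `www` user can connect to a socket, since connecting to a Unix socket requires write permission on the socket node. The sockstat sample is constructed, and the `www` user and `/var/run/*-php-fpm.sock` paths are assumptions taken from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread: audit php-fpm listeners from sockstat(1)
# output and compare them with the socket Apache's mod_proxy_fcgi dials.
# SAMPLE_SOCKSTAT is constructed in the format the thread pasted; the "www" user
# and the /var/run/*-php-fpm.sock paths are assumptions taken from the thread.

SAMPLE_SOCKSTAT='www      php-fpm    53954 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    51871 6  tcp4   127.0.0.1:9000        *:*
root     php-fpm    50444 8  tcp4   127.0.0.1:9000        *:*
root     php-fpm    50444 9  tcp4   127.0.0.1:9003        *:*
www      php-fpm    63055 5  stream -> /tmp/mysql.sock
www      php-fpm    63053 6  stream /var/run/example.org-php-fpm.sock
root     php-fpm    63051 8  stream /var/run/example.org-php-fpm.sock'

# Distinct TCP addresses php-fpm has bound. The root master owns the listeners
# and the www children inherit them, so one address shows up on many lines.
fpm_tcp_listeners() {
    printf '%s\n' "$1" |
        awk '$2 == "php-fpm" && ($5 == "tcp4" || $5 == "tcp6") { print $6 }' |
        sort -u
}

# Distinct Unix socket paths php-fpm is listening on. A "->" in the address
# column marks an outgoing connection (here to mysqld), not a listener.
fpm_unix_listeners() {
    printf '%s\n' "$1" |
        awk '$2 == "php-fpm" && $5 == "stream" && $6 != "->" { print $6 }' |
        sort -u
}

# Extract the socket path from an Apache handler value such as
# "proxy:unix:/var/run/site-php-fpm.sock|fcgi://localhost/".
handler_socket_path() {
    printf '%s\n' "$1" | sed -n 's/^proxy:unix:\([^|]*\)|.*$/\1/p'
}

# Returns 0 when php-fpm is bound to the socket the handler names, 1 otherwise.
# The failing case is what Apache logs as AH01079 and answers with 503: the
# pools sit on 127.0.0.1:90xx while the handler dials a .sock path.
backend_bound() {
    handler=$1
    sockstat_out=$2
    want=$(handler_socket_path "$handler")
    [ -n "$want" ] || return 1
    fpm_unix_listeners "$sockstat_out" | grep -qx -- "$want"
}

# Decide from one "ls -ld <socket>" line whether a user can connect to it.
# connect(2) on a Unix socket needs write permission on the socket node, so
# the owner (with u+w), the group (with g+w) or everyone (o+w) must cover the
# web server user. Assumes the user's primary group carries the same name,
# which holds for www on FreeBSD.
socket_accessible_by() {
    line=$1
    user=$2
    set -- $line            # split the ls line: mode links owner group ...
    mode=$1; owner=$3; group=$4
    case "$mode" in
        s*) ;;              # must be a socket; a stale regular file won't do
        *)  return 1 ;;
    esac
    if [ "$owner" = "$user" ]; then
        case "$mode" in ??w*) return 0 ;; esac
    fi
    if [ "$group" = "$user" ]; then
        case "$mode" in ?????w*) return 0 ;; esac
    fi
    case "$mode" in ????????w*) return 0 ;; esac
    return 1
}

# Demo on the constructed sample. On a live FreeBSD host feed it
#   sockstat -46ul | grep php-fpm
# instead (-l restricts the output to listening sockets), and check each path
# from fpm_unix_listeners with: socket_accessible_by "$(ls -ld "$path")" www
main() {
    echo "php-fpm TCP listeners:";  fpm_tcp_listeners "$SAMPLE_SOCKSTAT"
    echo "php-fpm Unix listeners:"; fpm_unix_listeners "$SAMPLE_SOCKSTAT"
    h='proxy:unix:/var/run/wethepeopleonline.com-php-fpm.sock|fcgi://localhost/'
    if backend_bound "$h" "$SAMPLE_SOCKSTAT"; then
        echo "OK: php-fpm is bound to $(handler_socket_path "$h")"
    else
        echo "MISMATCH: php-fpm is not listening on $(handler_socket_path "$h") (expect AH01079 / 503)"
    fi
}
main
```

The mode that `ls -ld` shows on the socket comes from the pool's `listen.owner`, `listen.group` and `listen.mode` settings in the php-fpm pool file; if `socket_accessible_by` says no for `www`, that is where to fix it rather than by loosening permissions on /var/run.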


----------



## StreetDancer (Mar 4, 2020)

I reverted back to ports and it's back to the white screen.

So if I change it back to Unix sockets, I get a 503 Service Unavailable.

I also installed NGINX.

If you go to http://sharpenyoursword.org:81/index.html you should see a basic HTML page for "SharpenYourSword" [NGINX].

However, when using the following (I have only seen an example so far for NGINX using ports as opposed to Unix sockets):

I configured it to use port 81 for testing and created a new sharpenyoursword.org data folder where I extracted a fresh RT-Joomla-Premium-Template in PHP (which should display the Joomla installer page).

http://sharpenyoursword.org:81/index.php (white page w/ 200 GET)

/usr/local/etc/nginx/nginx.conf:


```
user  www;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
error_log  /var/log/nginx/error.log;
#

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    include       001_sharpenyoursword.org.conf;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;
    access_log /var/log/nginx/access.log;
    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    
    server {
        listen       81;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;
        access_log logs/sharpenyoursword.org.access.log;
        location / {
           #root   /usr/local/www/nginx;
            root   /usr/local/www/nginx/sysorgmain/;
            index index.php index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9001
        #
        location ~ \.php$ {
#            root           html;
            root           /usr/local/www/nginx/sysorgmain/;
            fastcgi_pass   127.0.0.1:9001;
            fastcgi_index  index.php;
            # The stock nginx example ships "/scripts$fastcgi_script_name" here,
            # which tells php-fpm to run /scripts/index.php, a path that does not
            # exist. SCRIPT_FILENAME has to point into the real document root.
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
}
```


----------



## StreetDancer (Mar 4, 2020)

anlashok,

On your server, when you run "service php-fpm onestatus", what do you get in return?


----------



## StreetDancer (Mar 4, 2020)

I almost forgot:

Inside nginx.conf is an include line which includes the sharpenyoursword.org config:

001_sharpenyoursword.org.conf:


```
server {

  listen 81;
  server_name sharpenyoursword.org; # Replace with your IP or hostname
  root /usr/local/www/nginx/sysorgmain/;
  index index.php index.html index.htm;

  location / {
    try_files $uri $uri/ =404;
  }

  location ~ \.php$ {
    # Refuse requests whose script does not exist on disk instead of handing the
    # path to php-fpm (guards against cgi.fix_pathinfo-style execution of uploads).
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;
    # Without SCRIPT_FILENAME php-fpm has no script to run; the two variables
    # must be concatenated with no space between them.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }

}
```


----------



## anlashok (Mar 4, 2020)

Mine reports:

```
php_fpm is running as pid nnnnn
```


----------



## anlashok (Mar 4, 2020)

StreetDancer

For a TCP-based proxy in nginx it would be as you have it now:

```
fastcgi_pass 127.0.0.1:9001;
```
The Unix socket equivalent would be this; just replace php72-fpm.sock with one of yours:

```
fastcgi_pass unix:/var/run/php72-fpm.sock;
```


----------



## StreetDancer (Mar 4, 2020)

anlashok said:


> mine reports
> 
> ```
> php_fpm is running as pid nnnnn
> ```


lucky!


----------



## StreetDancer (Mar 4, 2020)

anlashok said:


> StreetDancer
> 
> for tcp based proxy in nginx it would be as you have it now
> 
> ...


anlashok,

Thank you for the NGINX verification and the SetHandler variation.


----------

