Again php-fpm and custom php.ini

Discussion in 'General' started by leonardo.saracini, Mar 11, 2020.

  1. I read several posts on it but cannot understand how to apply my custom settings to a single php-fpm site.
    I have read:
    "The PHP-FPM mode supports custom settings as well, but these are stored inside the pool file and not a php.ini"
    but I do not understand this sentence.
    I have put my custom settings in the site options and I see they are put in /var/www/conf/...
    I have understood these files are not for php-fpm, but I haven't been able to find where my custom settings are put from the ISPConfig site options interface.
    In /etc/php/7.3/fpm/pool.d/ I haven't seen anything useful;
    in /etc/php/7.3/fpm/conf.d/ there are conf files that are not for a single site.

    Do I have to write an empty php.ini file, put my custom settings in it, and then save the file in my site webroot, like /var/www/clients/client1/web2 ...?

    How does ISPConfig do the magic, where are the custom settings written for a single php-fpm site?
    If ISPConfig is not able to do custom settings for fpm, can I do it myself, and how?
    Please, if someone can help, post an example, like where to write memory_limit=512M
    best regards,
    Leonardo
    P.s. Ubuntu 19.10 system ISPConfig 3.1.15p3
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Open the site settings, go to the options tab, and put your custom settings in the "Custom php.ini settings" box.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Use the custom PHP.ini settings field on the options tab of the website. Editing any files is not necessary.

    1) Login to ispconfig.
    2) Go to the settings of that website, switch to options tab.
    3) Paste the line:

    memory_limit=512M

    into the "custom php.ini settings" field and press save. That's all.
     
  4. Thanks, can you tell me how I can check if it is working?
    By php.info I cannot see any change.
    Regards
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Then the change wasn't effective. Make sure the custom php setting is present, then maybe manually restart your php-fpm daemon and try again. If still a problem, you might have to enable debugging to see what is going on.
     
  6. I have enabled debug log on server
    Code:
    17-03-2020 17:36 gemini.algoritmica.net Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    17-03-2020 17:36 gemini.algoritmica.net Debug Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    
    This log is due to the info.php refresh.
    https://www.nextcloud.algoritmica.net/info.php
    In the php.ini settings the memory limit is set to 512, but in php.info it is 256.
     


  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    According to that phpinfo, `grep memory_limit /etc/php/7.3/fpm/php.ini` should show your server is running 256M. What does `grep memory_limit /etc/php/7.3/fpm/pool.d/web2.conf` return?

    You seem to not have a correct vhost / php setup, as your phpinfo shows:
    where it should be:
    Ensure all your vhosts use the same ip address (either '*' or the actual ip address, but don't mix), and ensure you have an ssl certificate for this site.
     
  8. Thanks a lot.
    Code:
    grep memory_limit /etc/php/7.3/fpm/pool.d/web2.conf
    does not exist.
    Code:
    grep memory_limit /etc/php/7.3/fpm/pool.d/www.conf
    gives
    Code:
    ;php_admin_value[memory_limit] = 32M
    in
    Code:
    /etc/apache2/sites-enabled/100-nextcloud.algoritmica.net.vhost
    the following user is **not** present:
    Code:
    www-data
    but in
    Code:
    /etc/php/7.3/fpm/pool.d/www.conf
    there are these rows:

    Code:
    ; Unix user/group of processes
    ; Note: The user is mandatory. If the group is not set, the default user's group
    ;       will be used.
    user = www-data
    group = www-data
    
    All vhosts have
    Code:
    *.port
    I have installed Let's Encrypt by hand and it is working well. I saw later that ISPConfig handles this certificate configuration by itself.

    Can you help :)
    best regards,
    Leonardo
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Doing this disables the ability to manage the website in ISPConfig, so if you did that, you can't use ISPConfig anymore to manage the site or change settings like PHP settings etc.
     
  10. Yes Till, thanks. I saw ISPConfig's Let's Encrypt capability too, later.
    If I uninstall all Let's Encrypt, can I then use ISPConfig to manage it, or do I have to request a change for my certificate on the Let's Encrypt site too?

    Is
    /etc/php/7.3/fpm/pool.d/web2.conf
    where ISPConfig has to save the custom php.ini?
    If yes, /etc/php/7.3/fpm/pool.d/ is all root permission.

    Do you have any idea?
    best regards,
    Leonardo
     
  11. Steini86

    Steini86 Active Member

    Remove all your manual letsencrypt installation.
    Upgrade ispconfig and choose "reconfigure services -> yes"; at minimum reconfigure web (apache).
    This will rewrite all apache config (overwrites your local changes). Then activate letsencrypt in ispconfig.
    If you are already on the current ispc version, use this to force upgrade:
    Code:
    cd /tmp
    wget https://www.ispconfig.org/downloads/ISPConfig-3.1.15p3.tar.gz
    tar xvfz ISPConfig-3.1.15p3.tar.gz
    cd ispconfig3_install/install
    php -q update.php
     
  12. Thanks,
    I would like to know what ISPConfig is doing with the custom php.ini option in the case of an fpm site installation.
    Where does it put this value?
    In which file/files?
    I looked in the manual and haven't seen it.

    best regards,
    Leonardo
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    This depends on the chosen PHP mode:

    mod_php: No custom php.ini settings at all, as mod_php does not support that.
    php-fcgi, php-cgi and suphp: A custom php.ini file.
    php-fpm: Custom php.ini settings are stored in the fpm pool file.
     
  14. Ok, let's do an example:
    for the web2 site on Ubuntu, PHP 7.3 and php-fpm, is this the file?
    /etc/php/7.3/fpm/pool.d/web2.conf

    best regards,
    Leonardo
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    The directory depends on the way the additional PHP versions are installed. If the pool files for the additional PHP version are in that directory, then the file will be there.
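
As an added example (not part of the thread and not ISPConfig's own code): a shell function that reads a PHP-FPM pool file and reports only the active `php_value`, `php_admin_value`, `php_flag` and `php_admin_flag` lines for one directive, because a plain `grep` also matches commented-out lines such as the `;php_admin_value[memory_limit] = 32M` found in `www.conf`. The sample pool files are constructed, and the exact lines ISPConfig writes into a site's pool file are an assumption here.

```shell
#!/bin/sh
# Added example, not ISPConfig code. Prints the ACTIVE PHP-FPM pool overrides
# for one ini directive as "<kind> <value>"; exit status 1 means the pool sets
# nothing, so the value from the global php.ini applies.
pool_ini_override() {
    pool_file=$1
    directive=$2
    [ -r "$pool_file" ] || { echo "cannot read $pool_file" >&2; return 2; }
    awk -v want="$directive" '
        /^[ \t]*;/ { next }                  # ";" lines are comments, not settings
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            lb = index(line, "["); rb = index(line, "]"); eq = index(line, "=")
            if (lb < 2 || rb < lb || eq < rb) next
            kind = substr(line, 1, lb - 1)
            if (kind !~ /^php_(admin_)?(value|flag)$/) next
            if (substr(line, lb + 1, rb - lb - 1) != want) next
            value = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            print kind, value
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$pool_file"
}

# Constructed sample pool files (stand-ins for www.conf and a per-site pool).
sample_dir=$(mktemp -d)
cat > "$sample_dir/www.conf" <<'EOF'
[www]
user = www-data
group = www-data
;php_admin_value[memory_limit] = 32M
EOF
cat > "$sample_dir/web2.conf" <<'EOF'
[web2]
user = web2
group = client1
php_admin_value[memory_limit] = 512M
php_admin_flag[display_errors] = off
EOF

for f in "$sample_dir"/*.conf; do
    printf '%s: ' "$f"
    pool_ini_override "$f" memory_limit || echo "no active override"
done
```

A `php_admin_value` or `php_admin_flag` line cannot be overridden from site code with `ini_set()`, whereas `php_value` and `php_flag` can, which is why the kind is printed alongside the value.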
     
  16. Ok @till I have done it:
    removed all my stuff on letsencrypt ... and
    Code:
    cd /tmp
    wget https://www.ispconfig.org/downloads/ISPConfig-3.1.15p3.tar.gz
    tar xvfz ISPConfig-3.1.15p3.tar.gz
    cd ispconfig3_install/install
    php -q update.php
    
    and opened the ISPConfig interface and clicked on the site to enable letsencrypt, and I see the php.ini setting is done.

    But now the site and ISPConfig certificates are NOT getting the letsencrypt certificate but a self-signed certificate created at update time. I tried to delete it through the ISPConfig setting 'action delete' on the SSL tab, but it does not delete it.

    In postfix main.cf there is the default:
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    and these are not symbolic links to /etc/letsencrypt/live/...
    and dovecot.conf points to the same certificate,
    so mail is not working either.

    Can you help?
    (I can make these services work by myself, but only by changing the configuration myself by writing it directly, and not using ISPConfig)
     
  17. Steini86

    Steini86 Active Member

  18. till

    till Super Moderator Staff Member ISPConfig Developer

    If your services like postfix were using a LE cert before, then you have to redo the steps to install a LE cert for these services in the same way you installed it the first time.
     
  19. Thank you Till.
    Ok, I will set up postfix/dovecot, but for the apache2 site I need some explanation.
    In /etc/apache2/sites-available/algoritmica.net.vhost ISPConfig had put this at the end:

    Code:
    <VirtualHost *:443>
    ...
    <IfModule mod_ssl.c>
                    SSLEngine on
                    SSLProtocol All -SSLv2 -SSLv3
                    # SSLCipherSuite        ...  
                    SSLHonorCipherOrder     on
                    # <IfModule mod_headers.c>
                    # Header always add Strict-Transport-Security "max-age=15768000"
                    # </IfModule>
                    SSLCertificateFile /var/www/clients/client1/web2/ssl/algoritmica.net-le.crt
                    SSLCertificateKeyFile /var/www/clients/client1/web2/ssl/algoritmica.net-le.key
                    SSLUseStapling on
                    SSLStaplingResponderTimeout 5
                    SSLStaplingReturnResponderErrors off
    </IfModule>
    </VirtualHost>
    #After virtual host close
    <IfModule mod_ssl.c>
            SSLStaplingCache shmcb:/var/run/ocsp(128000)
    </IfModule>
    
    I do:
    Code:
    ls -l  /var/www/clients/client1/web2/ssl/algoritmica.net-le.crt
    /var/www/clients/client1/web2/ssl/algoritmica.net-le.crt -> /etc/letsencrypt/live/algoritmica.net/fullchain.pem
    
    ls -l /var/www/clients/client1/web2/ssl/algoritmica.net-le.key
    /var/www/clients/client1/web2/ssl/algoritmica.net-le.key -> /etc/letsencrypt/live/algoritmica.net/privkey.pem
    
    Now the site is working: I think there was some cache I had not erased yesterday... sorry

    There is one last problem: the certificate is not working on the ISPConfig interface.
    I looked at the apache conf for ISPConfig and see inside the conf:
    Code:
    <VirtualHost _default_:8080>
    ....
      # SSL Configuration
      SSLEngine On
        SSLProtocol All -SSLv3
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    
    This is not pointing to
    Code:
    /etc/letsencrypt/live/algoritmica.net/fullchain.pem
    
    1 - Do I have to set it manually to this value?

    2 - On postfix and dovecot, after I have configured the right certificate link by hand, do I have to write a hook script so the certificate keeps pointing to the right value after a system update? Or does ISPConfig do this?

    best regards,
    Leonardo
     
  20. Steini86

    Steini86 Active Member

    Looks like letsencrypt is not correctly working with ispconfig. You should investigate this, could lead to problems in the future (create a new web/subdomain and try letsencrypt)

    For other services. Maybe this helps:
    https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

    (Since you have already changed the default config, you should understand what the howto does and apply only what you need, instead of blindly following it)
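
As an added example (not part of the thread and not ISPConfig's own code): a shell check that lists the certificate and key files named in an Apache vhost or Postfix `main.cf` and reports whether each one resolves into the Let's Encrypt tree, which automates the `ls -l` comparison done by hand in the posts above. The sandbox paths and the `example.test` domain are constructed, and the Let's Encrypt root is passed as a parameter (normally `/etc/letsencrypt`).

```shell
#!/bin/sh
# Added example, not ISPConfig code. For every certificate or key file a config
# names, print where it really resolves: "LE" if inside the Let's Encrypt tree,
# "OTHER" for any other file (e.g. a self-signed one), "MISSING" if absent.
cert_paths() {
    # Apache: "SSLCertificateFile /path"; Postfix: "smtpd_tls_cert_file = /path"
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /^SSLCertificate(Key)?File$/ { print $2 }
        $1 ~ /^smtpd_tls_(cert|key)_file$/ && $2 == "=" { print $3 }
    ' "$1"
}

audit_certs() {
    conf=$1
    le_root=$(readlink -f "$2")      # normally /etc/letsencrypt
    cert_paths "$conf" | while IFS= read -r path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            continue
        fi
        # live/ entries are symlinks into archive/, so compare the final target
        case $(readlink -f "$path") in
            "$le_root"/*) echo "LE $path" ;;
            *)            echo "OTHER $path" ;;
        esac
    done
}

# Constructed sandbox mirroring the layout in the posts above (example.test is
# a placeholder domain; the file contents are dummies, not real certificates).
sb=$(mktemp -d)
mkdir -p "$sb/le/archive/example.test" "$sb/le/live/example.test" "$sb/ssl"
echo dummy > "$sb/le/archive/example.test/fullchain1.pem"
ln -s ../../archive/example.test/fullchain1.pem "$sb/le/live/example.test/fullchain.pem"
ln -s "$sb/le/live/example.test/fullchain.pem" "$sb/ssl/site-le.crt"
echo dummy > "$sb/ssl/ispserver.crt"
cat > "$sb/sample.conf" <<EOF
  SSLCertificateFile $sb/ssl/site-le.crt
  SSLCertificateFile $sb/ssl/ispserver.crt
  # SSLCertificateFile $sb/ssl/commented-out.crt
smtpd_tls_cert_file = $sb/ssl/smtpd.cert
EOF
audit_certs "$sb/sample.conf" "$sb/le"
```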
     
