Debian 9: mpm_worker, php-fpm ( roundcube, enigma, munin, phpmyadmin aliases fix )

I'm not going too much into detail on how to enable some plugins or edit the config for those, so please bring a cup of coffee if you don't know what it is all about

if you don't want to use mod_php because of apache mpm_prefork sucks you need to watch out
roundcube / phpmyadmin / munin won't work that easy

you could install it as ispapps with some hazzle or symlink to ispconfig web-folder but... that's not nice

create a website in ispconfig with your hostname ( fqdn ) and enable letsencrypt/ssl + cgi + php-fpm for that.

Add custom apache config to that website

phpmyadmin

Code:

Alias /phpmyadmin /usr/share/phpmyadmin
Directory /usr/share/phpmyadmin/setup>
    <IfModule mod_authz_core.c>
        <IfModule mod_authn_file.c>
            AuthType Basic
            AuthName "phpMyAdmin Setup"
            AuthUserFile /etc/phpmyadmin/htpasswd.setup
        </IfModule>
        Require valid-user
    </IfModule>
</Directory>

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/setup/lib>
    Require all denied
</Directory>

roundcube

Code:

Alias /webmail /var/lib/roundcube

<Directory /var/lib/roundcube/>
  Options +FollowSymLinks
  # This is needed to parse /var/lib/roundcube/.htaccess. See its
  # content before setting AllowOverride to None.
  AllowOverride All
  <IfVersion >= 2.3>
    Require all granted
  </IfVersion>
  <IfVersion < 2.3>
    Order allow,deny
    Allow from all
  </IfVersion>
</Directory>

# Protecting basic directories:
<Directory /var/lib/roundcube/config>
        Options -FollowSymLinks
        AllowOverride None
</Directory>
<Directory /var/lib/roundcube/temp>
        Options -FollowSymLinks
        AllowOverride None
        <IfVersion >= 2.3>
          Require all denied
        </IfVersion>
        <IfVersion < 2.3>
          Order allow,deny
          Deny from all
        </IfVersion>
</Directory>

<Directory /var/lib/roundcube/logs>
        Options -FollowSymLinks
        AllowOverride None
        <IfVersion >= 2.3>
          Require all denied
        </IfVersion>
        <IfVersion < 2.3>
          Order allow,deny
          Deny from all
        </IfVersion>
</Directory>

munin

Code:

Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
   AuthType Basic
   AuthName "Members Only"
   AuthUserFile /etc/munin/munin-htpasswd
   <limit GET POST>
        require valid-user
    </limit>
        Options None
</Directory>

ScriptAlias /munin-cgi/munin-cgi-graph /var/www/<yourFQDN>/cgi-bin/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
   AuthType Basic
   AuthName "Members Only"
   AuthUserFile /etc/munin/munin-htpasswd
   <limit GET POST>
       require valid-user
    </limit>
        <IfModule mod_fcgid.c>
            SetHandler fcgid-script
        </IfModule>
        <IfModule !mod_fcgid.c>
            SetHandler cgi-script
        </IfModule>
</Location>

change <yourFQDN> to your fqdn!
copy /usr/lib/munin/cgi/munin-cgi-graph to /var/www/<yourFQDN>/cgi-bin/munin-cgi-graph ( check for updates when upgrading sys )
give the cgi the owner/group ( webx/clienty ) of that domain and $chmod 550 munin-cgi-graph
If you followed the tutorial for munin, you should have setup an password in /etc/munin/munin-htpasswd using htpasswd command...


change links in ispconfig settings accordingly ( https://fqdn/phpmyadmin .... )

don't forget to disable the configs in /etc/apache2/conf-enabled ( phpmyadmin, roundcube... )

==== this probably doesnt work anymore: ===

if you want to run enigma-plugin ( pgp ) in roundcube on debian stretch you need to get some packages, preferable this way:
modify /etc/apt/preferences , it could look like that ( I added additional repo for php 5.6, you can ignore sury.org )

Code:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=testing
Pin-Priority: 499

Package: *
Pin: origin packages.sury.org
Pin-Priority: 498

aswell as add buster to your /etc/apt/sources.list

Code:

deb http://ftp.de.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch main contrib non-free

deb http://ftp.de.debian.org/debian/ buster main contrib non-free
deb-src http://ftp.de.debian.org/debian/ buster main contrib non-free

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free

# stretch-updates, previously known as 'volatile'
deb http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free

now you can
$apt-get update
and
$apt-get install php-crypt-gpg gpg gpgv2
( sorry, either gpg or gpgv2 should work, would have to double check now, both might work aswell )

this is b/c crypt-pgp is not in stretch and the gpg version in stretch is broken.

now edit /usr/share/roundcube/plugins/enigma/lib/enigma_driver_gnupg.php
there's a require-line, which needs an addition, should look like that

Code:

...
require_once 'Crypt/GPG.php';
require_once 'Crypt/GPG/KeyGenerator.php';

class enigma_driver_gnupg extends enigma_driver
...

now configure enigma as it should be... oh yeah enigma uses a home-directory, it needs r/w access for the web/client the php-fpm is running at, shouldn't be accessable by anyone else!
I filed a bug report on debian mailing list for that but.. seems to take a while though.

Besides, if you want to use message-hightlight ( I guess that was the plugin ) and it's not working, don't give up, it's probably just a missing symlink from /var/lib/roundcube/plugins/pluginname to /usr/share/roundcube/plugins/pluginname


Be also aware of if you use phpmyadmin feature to import/export databases to a folder on the server and you're using a shared environment .... well yeah, you shouldn't use the same folder configured for all users, doh

hope I didn't miss something, have a nice day



edit: uhm sorry falko, wasn't sure where to put it, should've read your post before that, so sorry didn't see, eating my carrot - hoping to improve my eyesight *hug

If you use php trough fpm only ( the fcgi ispconfig not included ) and use sury / happened to have php 7.2 as default on debian 9
a2disconf php*-fpm except for php7.1-fpm since roundcube may fail with 7.2

also make sure you have one pool.d/www.conf for every php-fpm listening on sockets at different location so they startup and ISPConfig does not get issues with expected but not started daemons.
https://www.howtoforge.com/community/threads/debian-9-php-5-6-7-2-with-sury-and-isp.79528/

 

Thanks for this howto! It is exactly where I was looking for.

 

On my vps with ISP installed from Perfect Server tutorial. I did http/2. About http/2 implementation:

Code:

a2enconf php7.0-fpm
systemctl reload apache2
a2dismod php7.0
systemctl restart apache2
a2dismod mpm_prefork
a2enmod mpm_event
systemctl restart apache2

I have problem with roundcube and phpmyadmin (and if I would have munin then with this one too) but maybe your hacks will help in implement http/2 on servers with this also, because these require mpm_event. Roundcube's script tries download and phpmyadmin after open shows only words, without any functionality.

 

#1 of all: At least until including debian stretch I can't recommend mpm_event, sure, 99,9% of the time it operates amazing but I guess due to a bug or something it can stop serving requests. Long research and almost no useful input ( someone blamed threading model and thought he "hacked" it by special calculated config ) I went back to _worker, still threaded, still good enough.
Maybe someone thinks he knows the issue and has a solution, I'd like to learn from you

@Poliman php-fpm is not automatically used for default alias-configs for debians implementation of roundcube/phpmyadmin.... setups.
You could symlink the folders on your filesystem as subdirectory of the ispconfig web-root,

define a virtualhost and add the alias needed to the extra http options ( and create a free letsencrypt cert for your servers mail,ispconfig,ftp.. - use hostname for virtualhost - ),

or modify the conf-files to parse .php with fpm-interpreter



Edit: I'm not sure if this hack still works, please test it before messing your live system

 

Sure, before production I always destroy virtual machines.

 

in fact I had an issue with my php7 recently where the solution was to remove my priority setting for sury ...
real people use real hardware to destroy If it doesn't work you can kick it - all anger pointed to the right direction

 

I am real but destroy only virtual/testing machines. I am going to test the fix from your 1st post and I will know all things will blow up or no.

PS
What do you think about Kwun's last comment here:
https://www.howtoforge.com/community/threads/how-to-enable-http2-in-ispconfig3.77683/

 

You must also installled and enable these 2 apache2 modules:
proxy
proxy_fcgi

mpm_event will be working flawlessly!

 

Why they are needed?

 

I am not a programmer. So I can't explain the reason. When I searched for a solution to make mpm_event to work, I read an article on apache2 official documentation mentioning this 2 modules. After I have enabled them, roundcube begins to work and doesn't show the php text files any more. Believe it or not?

 

without them php-fpm won't start working - since newer apache the mod_fastcgi has been replaced ( 2nd time ^^ ) and that's why we are using proxy_fcgi to proxy requests trough php-fpm

@concept21 you've read https://www.howtoforge.com/community/threads/choice-between-mpm_event-and-nginx.79147/#post-374531 and still advertising mpm_event haha well it's usually good enough, fails like a sneaky bastard.

 

I will check I have on my VPS these two mods enabled. If would be that easy we won't need @ztk.me tutorial, is that right @ztk.me @concept21 ?

 

It is because you missed a crucial step of deploying mpm_event. Agree?

 

OK.
One more step to conclude the implementation of mpm_event.
To prevent the snail sucker mpm_prefork from being loaded again upon php software updating, uninstall this module altogether:
apt purge libapache2-mod-php7.0

I remind you guys. Never read anything from the Stuckflow site. I have never found any article on it which helps. They curse mpm_event and are very desperate and crasy to make it work. Some even say it is very difficult to make mpm_event and php working together.

However, the fact is, as you know, to me, it is very ........

 

I wonder which that might be. If you know more than I please teach me, I'd love to use _event, tried for some years every now and then but always fails ( rare conditions, but surely all the same reason ) ... rendering not useable for my debian lamp stack

for me, no need since I never installed it, the issue is a little more in depth :/

 

I have tested it yesterday. It worked but I had to do something in right order, because turning on proxy and proxy_fcgi turn on also mpm_prefork, which automatically turn off http2. I should do:

Code:

a2enmod proxy
a2enmod proxy_fcgi
systemctl restart apache2
a2dismod mpm_prefork //again disable it
a2enmod mpm_event
systemctl restart apache2

After this roundcube and phpmyadmin work perfect.

PS
@concept21 And yes, in my experience stuckoverflow does not help many times, because many times in threads people, who don't understand very good some subject, try to help and say some very harm advices.

 

Wonderful!!! mpm_event is so much faster!

 

ztk,
Please observe that you must enable these 2 apache2 modules:
proxy
proxy_fcgi

It is part of the apache2 log of my Ubuntu 16.04.4. It also mention the need for mod_fastcgi and mod_fcgid. Believe it or not?

============
[mpm_event:notice] AH00489: Apache/2.4.18 (Ubuntu) mod_fastcgi/mod_fastcgi-SNAP-0910052141 OpenSSL/1.0.2g mod_fcgid/2.3.9 configured -- resuming normal operations

 

Few commands mentioned in my earlier post turn on easly http2 and don't break roundcube and phpmyadmin.

 

my issue is more _like_ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872036 ( see upstream https://bz.apache.org/bugzilla/show_bug.cgi?id=53555 where this iisue seems 2b fixed) I assume

edit: probably was that bug which followed me over 5 years ^^ likely fixed in debian buster
2ndedit: however, if you're fine or your watchdogD is doing his job in recovering apache, you can use _event for low memory vservers for example.