Disable certain PHP modules per website

Discussion in 'General' started by variable99, Mar 20, 2024.

  1. variable99

    variable99 Member

    Is it possible to disable PHP modules per website? For example: redis and memcached. I would like to make these modules accessible only for a few selected websites/users.
     
    variable99, Mar 20, 2024
    #1
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't think that you can disable modules, but you can disable functions in PHP. See php disable_functions setting.
     
    till, Mar 20, 2024
    #2
    ahrasis likes this.
  3. variable99

    variable99 Member

    As per ChatGPT this should disable access:

    disable_functions = memcache_connect, memcache_add, memcache_set, memcache_get, memcache_replace, memcache_delete, redis_connect, redis_pconnect, redis_set, redis_get, redis_del

    but it is not working...
     
    variable99, Mar 20, 2024
    #3
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This should be fine; you should get an error when using these functions now. You must set this in the custom php.ini field of the website and PHP mode must be php-fpm or php-fcgi. And take care that you waited until the changes got applied.
     
    till, Mar 20, 2024
    #4
  5. variable99

    variable99 Member

    Correct. It is PHP-FPM. And test performed by this:

    Code:
    <?php

opcache_reset();

// Redis
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);

if ($redis->ping()) {
    echo "Redis connection successful\n";
} else {
    echo "Failed to connect to Redis\n";
}

// Memcache
$memcache = new Memcache();
$memcache->connect('127.0.0.1', 11211);

if ($memcache->getVersion()) {
    echo "Memcache connection successful\n";
} else {
    echo "Failed to connect to Memcache\n";
}

// Memcached
$memcached = new Memcached();
$memcached->addServer('127.0.0.1', 11211);

if ($memcached->getVersion()) {
    echo "Memcached connection successful\n";
} else {
    echo "Failed to connect to Memcached\n";
}
    And it returns "success" on all instances. Here is pool.d config:

    Code:
    [web233]

listen = 127.0.0.1:9242
listen.allowed_clients = 127.0.0.1

user = web233
group = client269

pm = ondemand
pm.max_children = 10
pm.process_idle_timeout = 10s;
pm.max_requests = 100

chdir = /

env[HOSTNAME] = $HOSTNAME
env[TMP] = /var/www/clients/client269/web233/tmp
env[TMPDIR] = /var/www/clients/client269/web233/tmp
env[TEMP] = /var/www/clients/client269/web233/tmp
env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

php_admin_value[open_basedir] = /var/www/clients/client269/web233/web:/var/www/clients/client269/web233/private:/var/www/clients/client269/web233/tmp:/var/www/domain.tld/web:/srv/www/domain.tld/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom
php_admin_value[session.save_path] = /var/www/clients/client269/web233/tmp
php_admin_value[upload_tmp_dir] = /var/www/clients/client269/web233/tmp
php_admin_value[sendmail_path] = "/usr/sbin/sendmail -t -i -f [email protected]"

php_admin_value[disable_functions] = link,symlink,exec,passthru,proc_close,proc_get_status,proc_open,shell_exec,system,popen,pclose,memcache_connect,memcache_add,memcache_set,memcache_get,memcache_replace,memcache_delete,redis_connect,redis_pconnect,redis_set,redis_get,redis_del,memcached_connect,memcached_add,memcached_set,memcached_get,memcached_replace,memcached_delete,memcache,redis,memcached
php_admin_flag[allow_url_fopen] = On
php_admin_flag[allow_url_include] = Off
php_admin_value[upload_max_filesize] = 512M
php_admin_value[post_max_size] = 256M
php_admin_value[max_input_time] = 300
php_admin_value[max_input_vars] = 15000
php_admin_value[memory_limit] = 768M
php_admin_flag[display_errors] = On
php_admin_value[error_reporting] = 22519
php_admin_flag[short_open_tag] = On
     
    variable99, Mar 20, 2024
    #5
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so ISPConfig configured your system correctly. Check with phpinfo() function if the changes are also shown there and you can use phpinfo also to check if PHP runs with the correct pool and pool config, maybe you sue some custom directive that instruct the web server to use a different socket and pool.
     
    till, Mar 20, 2024
    #6
  7. variable99

    variable99 Member

    Hm, I get this:
    Code:
    PHP-FPM Pool Name: Apache
PHP-FPM Pool Config File: /etc/php/8.3/fpm/php.ini
     
    variable99, Mar 20, 2024
    #7
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The php.ini path is fine, as that's the global php.ini for all pools. What about the disable_functions in the phpinfo output?
     
    till, Mar 20, 2024
    #8
  9. variable99

    variable99 Member

    Here it is, seems fine:
    [​IMG]
     
    variable99, Mar 20, 2024
    #9
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so the values got applied correctly and there is no issue with the configuration. Your test script uses the object-oriented versions of the drivers while disable_functions disables the classic functions, so that's likely the reason why it still works. So you should search if the driver objects can be disabled like this too or how the syntax for disabling them is.
     
    till, Mar 20, 2024
    #10
    variable99 likes this.
  11. variable99

    variable99 Member

    According to cGPT, there is no foolproof method to disable access to those services aside of removing PHP modules. Well, I tried :) Thanks Till for help and patience!
     
    variable99, Mar 20, 2024
    #11
  12. michelangelo

    michelangelo Active Member

    This is just a theoretical approach, but I think it should be possible to duplicate an existing PHP-FPM service and configure that, so it suits your needs and then add that service as an additional PHP version in ISPConfig.
     
    michelangelo, Mar 20, 2024
    #12

Share This Page