How to setup ISPconfig3 on system with custom PHP? Hello, I've just put my hands on installing ISPconfig3 in my production environment. I'm not using php from repos, but compiling it by myself. My basic PHP config is 5.5+ with PHP-FPM, so IC3 not working with such setup. In my dedicated setups I'm using predefined fastcgi.conf and each virtualhost has additional conf lines so it can connect to specified FPM socket. What PHP configuration should be used for IC3 to make it run? Generally speaking, I'm interested what compile option should be used for PHP and what config should be enabled in apache. I want to have separate PHP to run ISPconfig which will not be used for service subscribers. It should be maximally secured and hidden from subscribers.
What is IC3, can you post a link to that software that you want to install on your ispconfig 3 server?
IC3 = ISPconfig 3 I'm trying to build ISPconfig setup consisting of 2 dedicated servers. Mostly setup is usual as by tutorials on site and manual. Except fact that i'm not trusting some packages from repos, like php and for sure not going to install phpmyadmin from repo. Blueprint for 2 servers, centos 6.5 x64: 1 "master" server: httpd 2.2 mariadb 5.5 pureftpd bind master jailkit, fail2ban ... php for users: 5.3, 5.4, 5.5 all via php-fpm 2 "slave" server: postfix dovecot mariadb bind slave fail2ban, (roundcube - think it should be install on master server, but it's not problem yet.), ... Everything except PHP and Dovecot will be installed from repos. So everything will run smoothly after someone will help figure out how to compile PHP and setup it in httpd to run ISPconfig3 itself. I can do "php -q install.php". It install successfully, but ofcourse after all I can't open ispconfig page because of my PHP configuration. If it should be only mod_php, or if should support cgi scripts? httpd needs some wrapper for php-cgi?
You have to add at least support for php fastcgi to run the interface and php for shell scripts to run the server part. Regarding php modules, you need at least support for mysql / mysqli and if I remember correctly mcrypt should be available and php has to support openssl. ISPConfig expects all php binaries to be in the default locations of the Linux distribution, in your case centos.
Phpmyadmin iDen, What is the fear of installing PHP and PhpMyAdmin from the repos? For PhpMyAdmin, if you´re afraid of hackers fishing all the various /phpmyadmin, /myphpadmin, /phpadmin, and etc, you are aware that the phpmyadmin.conf file can be modified to change the default /alias to something totally different as to not to be easily found. Me personally, thats what I have done because the logs show people fishing and trying the default variations all the time but get nothing. What is the fear for the php from the repos? I´m just curious as I have been running the ISPConfig3 software since February and I have yet to see anyone hack in past my security measures. So if you´re afraid someone is gonna hack in, then probably should take a second look at your perimeter security. From my point of view, and from what I´ve seen and heard from this forum, is that ISPConfig is a big product in the European area and that many people run it and run it with the repos packages of everything and no has complained about being hacked. I think Till and his team have done a great job in keeping things secure. As a firewall/security engineer, I have gone through great lengths to test different consoles and finally decided on ISPConfig3 and have spent several months testing things and now ready to go production after I solve one other issue (bind issue in a different thread). So I understand your wanting to be secure, Im just a little curious. Thanks.
I dont see a security problem with the system php, more the opposite is the case. You get patches and updates for the system php automatically from the linux distributions, so you are most likely more up to date then compiling php manually over and over again when a new issue is found in php. Additionally the php binaries are owned by root, so no other user would be able to alter them anyway. What makes php secure or insecure are the php.ini settings and there you can specify just a custom php.ini file for ispconfig. so you can e.g. deby exec in the php of your sites while allwing it for the ispconfig server process. On Debian and Ubuntu, the php.ini files for cli,cgi,apache and fpm are separated anyway, centos and opensuse lacks this additional security. But even on centos you can set a custom php.ini for the ispconfig server process by putting it in the directory /usr/local/ispconfig/server/lib/, ispconfig will pick that up automatically.
So according 000-apps.vhost and 000-ispconfig.vhost files. I should have both mod_fcgid.c and mod_php5.c modules for sure, for ISPconfig to run? And it won't run on php binarry compiled with php-fpm support (--enable-fpm), right ?
No, you need just mod_fcgid.c. The mod_php5.c is just a fallback mode in case that the more secure fcgi is missing on a server. yes.
okay okay Lyrics: 1. Installing from repos = installing old software especially on rhel. phpmyadmin from epel is 4.0.10 when recent version is 4.2.7.1 and php is 5.3.3 2. Sorry, I don't want insult someone too much, but IMHO it's too "noobish" to install always and everything from repos. It is solution for testing/developing/learning stage. Or build your own repo. 3. I don't like when packages are smeared across system in different locations. For example phpmyadmin is just simple site which just needs to be extracted from tar and has nothing to do with /usr/bin 4. maybe I'm choosing hard way regarding phpmyadmin - i don't have any additional paranoid thoughts about it's security excepts normal security holes with phpmyadmin it has by default. Back to business: I was able to run ISPconfig with my php compilied with fpm option coz it provides php-cgi. Of course I ran it with mod_fcgid, so fpm option not interfering at this point. Only error was it was trying to find php-cgi in /usr/bin/php-cgi. simple symlink from my /opt/php55/bin/php-cgi - helped. But after first login in panel I was able to change this option in system - server config - fastcgi. And last one i worgot to add index.php to Indexes so i had to enter site explicitly https://ispconfig:8080/index.php Still I'll do this test setup exactly like in tutorial to check this "magic" php setup from repos (copy httpd configs). Regarding php.ini_s - yep, think i'll have some head aches with 'em in near feature. I'm confused with two tabs in System - server-config: server Web/PHP settings and FastCGI [FastCGI php.ini Path] is ini path for ISPconfig itself, as Till told above? [PHP settings] in Web tab are server wide for all users or just for ISPconfig. I'm interested if I have to fill this fields with proper values of my "main" php, while i'm going to have multiple PHP versions.
No. I did not talk about any settings in ispconfig. You cant configure any settings for the ispconfig interface from within the interface. This settings id for fastcgi in websites.