I'm not quite sure how to describe the problem, but I guess it has something to do with the settings in the ISPConfig-Backend concerning PHP and open_basedir. For instance, I get the following messages when performing filesystem-operations:
Code:
    //creating a directory
    mkdir(): Permission denied
    //writing a file
    file_put_contents(..filename..): failed to open stream: Permission denied
    //reading a directory
    opendir(...path...): failed to open dir: Permission denied
    //using curl
    curl_setopt(): CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set
In ISPConfig, PHP is set to Fast-CGI and open_basedir contains the following entries:
My application is running in /var/www/clients/client1/web5/web/my_application/
So, how can I configure ISPConfig to let PHP read/write to the filesystem? Is it possible (or wise) to disable open_basedir or safe_mode? Or is this not the problem? Thanks in advance!
Does your application write to /var/www/clients/client1/web5/web/my_application/ or to some directory outside open_basedir? If it writes to /var/www/clients/client1/web5/web/my_application/: are the permissions/ownerships of /var/www/clients/client1/web5/web/my_application/ ok?
Ensure that you enabled the suexec checkbox in the site settings; without suexec you can't write to the file system of the site.
@falko
> Does your application write to /var/www/clients/client1/web5/web/my_application/ or to some directory outside open_basedir?
- No, it just writes to .../my_application.
> If it writes to /var/www/clients/client1/web5/web/my_application/: are the permissions/ownerships of /var/www/clients/client1/web5/web/my_application/ ok?
- I think so, they are set to drwx--x--- - which seems quite normal to me, I guess.
@till
> Ensure that you enabled the suexec checkbox in the site settings...
- Yep, it is checked.
What might be interesting though: From an ISPConfig-perspective, I have several sites (web3, web4, web5) of one client (client1). All the sites share one web-directory with the my_application/-folder in it (web1). So my actual filestructure is:
But since both web1 and web5 belong to the same group (client1), there should be no problem, right? I have also tried adding /var/www/clients/client1/web1/web: to the open_basedirs, but that did not help either.
This explains the problem, each site runs under its own user, so you can not share a directory if a script shall be able to write to the filesystem. The files and folders have to be owned by the user of the website that runs the script, not the group. The group exists only for the apache server to get read access to server images and plain html files without scripts.
@till Thanks for the clarification. But is there no way to make this setup run anyway? I want all my sites to use this one application and I want it to be in one common directory, so I don't have to deploy changes to the web-directory of each site. Can't I just turn off the open_basedir restrictions somehow? Or would that tear a big security hole in my server?
The problem is not the open_basedir restriction; the problem is the file permissions, which do not allow the scripts to write to the filesystem. What you can try is this; it is not secure and I won't use it on my servers:
1) Change php mode to mod_php
2) Change the "web" directory and subdirectories where all files of this site are stored to the user and group of the apache server, e.g. www-data on a debian or ubuntu system.
3) Add the directory where the files are stored to the open_basedir setting of all sites.
4) Disable the option that permissions of sites get set on update under System > server config > web
I won't disable it on a server that is connected to the internet.
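
Added example (not part of the thread and not ISPConfig code): a Python sketch that separates the two failure causes discussed above, the open_basedir list versus POSIX ownership, for the shared-directory layout described in the thread. The uid/gid numbers and the open_basedir strings are constructed, and the open_basedir match is simplified (no symlink resolution).

```python
import os
import stat

def inside_open_basedir(path, open_basedir):
    """Simplified open_basedir match: path must equal an entry or lie below it."""
    path = os.path.normpath(path)
    for entry in filter(None, open_basedir.split(":")):
        entry = os.path.normpath(entry)
        if path == entry or path.startswith(entry + os.sep):
            return True
    return False

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """POSIX picks exactly one rwx triplet: owner, else group, else other."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def diagnose(path, open_basedir, mode, owner_uid, owner_gid, uid, gids):
    """Why would mkdir()/file_put_contents() inside `path` fail for this process?"""
    if not inside_open_basedir(path, open_basedir):
        return "open_basedir"
    # Creating an entry in a directory needs write (2) and search (1) on it.
    if (class_bits(mode, owner_uid, owner_gid, uid, gids) & 3) != 3:
        return "permissions"
    return "ok"

# Constructed sample values modelled on the thread's layout (not real ids).
WEB1_UID, WEB5_UID, CLIENT1_GID = 5004, 5008, 5001
APP_DIR = "/var/www/clients/client1/web1/web/my_application"
APP_MODE = stat.S_IFDIR | 0o710  # drwx--x---, owned by web1:client1
WEB5_BASEDIR = "/var/www/clients/client1/web5/web:/var/www/clients/client1/web5/tmp"
WEB5_BASEDIR_EXTENDED = WEB5_BASEDIR + ":/var/www/clients/client1/web1/web"

def thread_cases():
    """The three situations from the thread, keyed by a short description."""
    owner = (APP_MODE, WEB1_UID, CLIENT1_GID)
    grp = {CLIENT1_GID}
    return {
        "web5, default open_basedir": diagnose(APP_DIR, WEB5_BASEDIR, *owner, WEB5_UID, grp),
        "web5, web1 path added": diagnose(APP_DIR, WEB5_BASEDIR_EXTENDED, *owner, WEB5_UID, grp),
        "web1 (owner)": diagnose(APP_DIR, WEB5_BASEDIR_EXTENDED, *owner, WEB1_UID, grp),
    }

if __name__ == "__main__":
    for case, result in thread_cases().items():
        print(f"{case}: {result}")
```

The second case is the one from the thread: adding the web1 path to open_basedir changes nothing, because the group triplet of drwx--x--- carries no write bit for the web5 user.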
@Till Thank you very much for your elaboration! I guess I understand your approach to make it work and why this would be a security risk. Since my server sure is connected to the internet and - even worse - dealing with sensitive customer data, this probably would not be an appropriate solution in my case. So, basically, there is no way of dealing with different top-level-domains and an application outside of their own web-folder in ISPConfig (except at the expense of security), right? That's way too bad... And it's really hard to believe that I'm the only/first one who bumped into this problem. Thank you very much for your effort!
That's right, but not limited to ispconfig. Every server controlpanel that would allow you the configuration that you wanted to do has the same security risks as the setup that I described above, so this is not ispconfig specific. The only difference to other panels is that ispconfig tries to enforce a secure setup out of the box while other panels might allow you the above configuration without informing you about the risks. If you want to use several domains on the same cms system, you would use an aliasdomain in ispconfig and don't create a new website.
@Till Thanks, that actually makes sense. To be honest, I wasn't quite aware of your suggested option of creating aliases for a website. But after a closer look at it, this looks like a step in the right direction! But: I have an SSL-certificate for each domain. Will it be possible (or necessary after all) to install SSL-certificates for the aliasdomains of my main website/domain? Will it have any effect on sending/receiving emails to/from those separate domains?
If you use aliasdomains, the ssl certificate has to be a multidomain ssl cert, as a vhost in apache can only have one ssl cert.
No.
@Till Thank you so much, you definitely saved my day! This was bothering me way too long, so thanks again for putting the finger on the actual problem!