The Perfect Server - Debian 9 (Stretch) - Add PHP 5.3?

Hello,

I'm in the process moving from really old Ubuntu server to new Debian 9 and I got VM from this tutorial https://www.howtoforge.com/tutorial...-stretch-apache-bind-dovecot-ispconfig-3-1/2/
Got everything working so far but I'm stuck now on version, because PHP 7 is installed and I have one very old site that only works with up to PHP 5.3 and I have to have that old PHP version and the website will be read only (archive).
I cannot figure out how to add PHP 5.3 so that its selectable in ISPconfig?

TIA

 

it can be done with some hefty patching, however you might loose some Openssl functionality ( or have to code unavail functions ).

edit: deleted potentially dangerous stuff which has been superseeded by
https://www.howtoforge.com/communit...bian-9-stretch-add-php-5-3.77549/#post-366596

 

Thanks for the reply!
Can point me to any tutorial or help me achieve this ?
I have inmotion hosting account for one of the critical website and they do it via .htaccess file PHP 5.3 together with PHP 7 http://www.inmotionhosting.com/supp...ation/using-multiple-php-versions-one-account
I understand there's much more behind it but thought it might useful.

 

All they do is loading several mod_php versions and using different names + allow customers to set what handler to be used for serving .php files.
You'd still need to build these modules for apache in that case.

Regarding compiling php 5.3 - I don't know wether there's much help out there, it'd be time consuming to put all the pieces together :/
Only place I actually found ready made .deb is https://www.liveconfig.com/wiki/de/multiphp
Depending on how much trust you have on running these binarys, it might be a solution or not.

 

Thank you so much for taking time to post this!
I will look into this.

 

Ok, thanks for taking time to look into this. I came across this thread and last post explains a workaround, maybe ?https://unix.stackexchange.com/questions/379215/installing-php-5-3-on-debian-stretch-9

How about installing different OS on a different VM? I'm just looking to minimize errors and make it simple install process.
ie. https://www.howtoforge.com/how-to-u...pm-and-fastcgi-with-ispconfig-3-debian-wheezy

I would love if Florian could make it work but if another option is more simply and takes less time I would not bother him to waste his time. I'm open to any other options.

 

depends on your hardware, sure you _can_ setup a chroot debootstrap for example letting php-fpm run and let your site connect to it via TCP
this puts some extra load onto your system on the other hand but with a decent system this should be neglible

 

however, you'd need to use some quirks like you can't use ISPConfig to manage php for that instance that easy and you would need to make sure (somehow) php-fpm can access the files as expected and the php-files which uses file operations aswell ...
it can be done, but it won't be nice, but I doubt you need to change much for such an old piece of software if it runs as needed I guess.
personally I doubt the prebuild debs from liveconfig contain malicious code, would be bad for their business - up to you however

 

last thought, ha yeah it's mentioneing running the complete web in a chroot with its own webserver and use same principle as how nodejs and such stuff works by using proxypass on a configured website - that'd be pretty easy to do

 

Never used debootstrap, it runs inside/under Debian sort of like VM?

 

So I tested that old website with PHP 5.6 and it works!
Started searching and came across this:
http://www.linuxcompatible.org/news/story/php_5_6_30_packages_for_debian_9_available.html
Is it simple as doing this:
https://stackoverflow.com/questions/46378017/install-php5-6-in-debian-9
Finding it hard to believe its that easy

Edit: I made a mistake because I thought I was testing in PHP 5.6 but it was actually PHP 5.5
Even in that version it works sort of but its throwing some error.

 

yes, debootstrap is some kind of VM .... however it won't automatically "boot" on startup, it's more like running applications in a different context of the host system. That's where docker comes into play, docker uses images of such directories which are started automatically, oh btw. you could use proxmox and setup an "old" server with debian jessie - much overhead but easy to achieve.

for completeness, example using debootstrap ( I didn't cover installation of apc or configure apache or symlink, more to that at the end of this post )

On your host-system do

Code:

export MY_CHROOT=/jessie-chroot
mkdir -p $MY_CHROOT
debootstrap jessie $MY_CHROOT http://httpredir.debian.org/debian/

echo "proc $MY_CHROOT/proc proc defaults 0 0" >> /etc/fstab
mount proc $MY_CHROOT/proc -t proc

echo "sysfs $MY_CHROOT/sys sysfs defaults 0 0" >> /etc/fstab
mount sysfs $MY_CHROOT/sys -t sysfs

cp /etc/hosts $MY_CHROOT/etc/hosts
chroot $MY_CHROOT /bin/bash

within chroot do

Code:

apt-get update
apt-get install locales bzip2
dpkg-reconfigure tzdata locales

mkdir /opt/php-5.3.29
mkdir /usr/local/src/php5-build
cd /usr/local/src/php5-build
wget http://de.php.net/get/php-5.3.29.tar.bz2/from/this/mirror -O php-5.3.29.tar.bz2
tar jxf php-5.3.29.tar.bz2
apt-get install libbz2-dev libxml2-dev libcurl4-openssl-dev libjpeg-dev libpng-dev libxpm-dev libfreetype6-dev libc-client2007e-dev libkrb5-dev libmcrypt-dev libpq-dev libmysqlclient-dev build-essential

mkdir /usr/include/freetype2/freetype
ln -s /usr/include/freetype2/freetype.h /usr/include/freetype2/freetype/freetype.h
ln -s /usr/lib/libc-client.a /usr/lib/x86_64-linux-gnu/libc-client.a

cd php-5.3.29/
./configure --prefix=/opt/php-5.3.29 --with-pdo-pgsql --with-zlib-dir --with-freetype-dir --enable-mbstring --with-xpm-dir=/usr --with-libxml-dir=/usr --enable-soap --enable-calendar --with-curl --with-mcrypt --with-zlib --with-gd --with-pgsql --disable-rpath --enable-inline-optimization --with-bz2 --with-zlib --enable-sockets --enable-sysvsem --enable-sysvshm --enable-pcntl --enable-mbregex --with-mhash --enable-zip --with-pcre-regex --with-mysql --with-pdo-mysql --with-mysqli --with-jpeg-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf --with-openssl --with-fpm-user=www-data --with-fpm-group=www-data --with-libdir=/lib/x86_64-linux-gnu --enable-ftp --with-imap --with-imap-ssl --with-kerberos --with-gettext --enable-fpm
make
make install

Now you have different options:

1. Run php-fpm in that chroot using tcp listener ( configure additional php version in ispconfig, you'd need to link the pool.d / conf.d / php.ini folder to host system where ISPConfig can place webxy.conf .... and uhm add some fake stop/start script, maybe you need to manually reload or hack some stuff together)
however you would need to link the /var directory into that chroot and copy the corresponding web/client user passwd/group entries into that chroot aswell ( theory I might still have missed something )

2. install apache with mod_fastcgi and mpm_worker ( recommended ) or use mod_fcgi ( doesn't need patched mod_fastcgi be compiled by yourself, however performance is better with mod_fastcgi ) and set apache port to listen on some differen port and add proxypass config in ISPConfig for that website ( no need to configure PHP on ISPConfig, but changing configs/reloading webserver needs to be done in chroot )

3. use real virtualization like lxc ct-chroot container ( best performance ) or quemu or docker or setup admin interface to manage your servers using proxmox.

 

yeah screw that, I patched halfway trough openssl.c to make it compatible with 1.1 but uhm yeah didn't even start to test that yet ... soo if you really need that, go for @till 's suggestion and get a quote - or ask liveconfig support what they did .... where I guess they just disabled imap and openssl - support.

however, I'm going to go the same way I likely did it the last time, since my linked build-package doesn't contain much patched files I'm going to use openssl 1.0.1 and maybe patch curl which might be easier or whatever is needed to get the job done fast

nice lecture for that topic btw. https://github.com/bukka/php-src/compare/openssl_aead_with_error_store...bukka:openssl_1_1_port

 

done
if you need postgresql-support, additional steps needs to be done ( compile libpsql with openssl 1.0.2 )
change the -j4 at make commands to approximal your cpu cores

Code:

apt-get install libbz2-dev libxml2-dev libcurl4-openssl-dev libjpeg-dev libpng-dev libxpm-dev libfreetype6-dev libc-client2007e-dev libkrb5-dev libmcrypt-dev libpq-dev libmariadbclient-dev-compat build-essential libxml2-dev libcurl4-openssl-dev libpcre3-dev libbz2-dev libjpeg-dev libpng-dev libfreetype6-dev libmcrypt-dev libmhash-dev freetds-dev libmariadbclient-dev-compat unixodbc-dev libxslt1-dev libfcgi-dev libfcgi0ldbl libmcrypt-dev libssl-dev

Code:

mkdir /usr/local/src/openssl
cd /usr/local/src/openssl
wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz
tar xf openssl-1.0.2l.tar.gz
cd openssl-1.0.2l
./config shared --openssldir=/usr/local/openssl/ enable-ec_nistp_64_gcc_128
make depend
make -j4
make install
ln -s /usr/local/openssl/lib /usr/local/openssl/lib/x86_64-linux-gnu

Code:

mkdir /usr/local/src/curl
cd /usr/local/src/curl
wget https://curl.haxx.se/download/curl-7.56.0.tar.gz
tar xf curl-7.56.0.tar.gz
cd curl-7.56.0
env PKG_CONFIG_PATH=/usr/local/openssl/lib/pkgconfig LDFLAGS=-Wl,-rpath=/usr/local/openssl/lib ./configure --with-ssl=/usr/local/openssl --with-zlib --prefix=/usr/local/curl
make  -j4
make install

Code:

mkdir /usr/local/imap
cd /usr/local/imap
wget http://http.debian.net/debian/pool/main/u/uw-imap/uw-imap_2007f\~dfsg-5.dsc
wget http://http.debian.net/debian/pool/main/u/uw-imap/uw-imap_2007f\~dfsg.orig.tar.gz
wget http://cdn-fastly.deb.debian.org/debian/pool/main/u/uw-imap/uw-imap_2007f~dfsg-5.debian.tar.xz
dpkg-source -x uw-imap_2007f~dfsg-5.dsc
cd uw-imap-2007f~dfsg/
touch {ipv6,lnxok}
## make process will fail, however it generates what we need, still
make slx SSLINCLUDE=/usr/local/openssl/include/ SSLLIB=/usr/local/openssl/lib EXTRAAUTHENTICATORS=gss
mkdir lib include
cp c-client/*.c lib/
cp c-client/*.h include/
cp c-client/c-client.a lib/libc-client.a
ln -s /usr/lib/libc-client.a /usr/lib/x86_64-linux-gnu/libc-client.a

Code:

mkdir /opt/php-5.3.29
mkdir /usr/local/src/php5-build
cd /usr/local/src/php5-build
wget http://de.php.net/get/php-5.3.29.tar.bz2/from/this/mirror -O php-5.3.29.tar.bz2
tar jxf php-5.3.29.tar.bz2

optional suhoshin-patch

Code:

cd /usr/local/src/php5-build
wget https://download.suhosin.org/suhosin-patch-5.3.9-0.9.10.patch.gz
gunzip suhosin-patch-5.3.9-0.9.10.patch.gz
cd php-5.3.29
patch -p 1 -i ../suhosin-patch-5.3.9-0.9.10.patch
## the failed hunks are the visible notes it was build with suhoshin patch, no worries

if you did not patch do

Code:

cd php-5.3.29/

continue

Code:

LDFLAGS="-Wl,-rpath=/usr/local/openssl/lib,-rpath=/usr/local/curl/lib" ./configure --with-config-file-path=/etc/php/5.3/php.ini --with-config-file-scan-dir=/etc/php/5.3/mods-enabled --prefix=/opt/php-5.3.29 --with-zlib-dir --with-freetype-dir --enable-mbstring --with-xpm-dir=/usr --with-libxml-dir=/usr --enable-soap --enable-calendar --with-curl=/usr/local/curl --with-mcrypt --with-zlib --with-gd --disable-rpath --enable-inline-optimization --with-bz2 --with-zlib --enable-sockets --enable-sysvsem --enable-sysvshm --enable-pcntl --enable-mbregex --with-mhash --enable-zip --with-pcre-regex --with-mysql --with-pdo-mysql --with-mysqli --with-jpeg-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf --with-openssl=/usr/local/openssl --with-imap=/usr/local/imap/uw-imap-2007f~dfsg --with-kerberos --with-imap-ssl --with-fpm-user=www-data --with-fpm-group=www-data --with-libdir=lib/x86_64-linux-gnu --enable-ftp --with-gettext --enable-fpm
LDFLAGS="-Wl,-rpath=/usr/local/openssl/lib,-rpath=/usr/local/curl/lib" make -j4
make install

Code:

mkdir -p /etc/php/5.3/fpm/pool.d
mkdir /etc/php/5.3/mods-enabled

be aware that session-id calculation can be pretty easy guessed by attackers under circumstances and the default entropy-length is way to low.
This options have been superseeded in php 7 and are not avail but in 5.3 they're empty / not used by default, double-check.
a value of 32 for entropy_length is known to be too small, it's up to you
session.entropy_file
session.entropy_length

Code:

cd /usr/local/src/php5-build/php-5.3.29
cp php.ini-production php.ini
sed -i 's/^\(short_open_tag\s*=\s*\).*$/\1On/' php.ini
sed -i 's/^\(expose_php\s*=\s*\).*$/\1Off/' php.ini
sed -i 's/^\(default_socket_timeout\s*=\s*\).*$/\110/' php.ini
sed -i 's/^\(;date\.timezone\s*=\s*\).*$/date\.timezone="Europe\/Berlin"/' php.ini
sed -i 's/^\(session\.cookie_httponly\s*=\s*\).*$/\11/' php.ini
sed -i 's/^\(session\.hash_function\s*=\s*\).*$/\11/' php.ini
sed -i 's/^\(session\.hash_bits_per_character\s*=\s*\).*$/\16/' php.ini
sed -i 's/^\(disable_functions\s*=\s*\).*$/\1pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,/' php.ini
cp php.ini /etc/php/5.3/

/etc/php/5.3/fpm/php-fpm.conf ( see attached php-fpm.conf.txt )
/etc/php/5.3/fpm/pool.d/www.conf ( see attached www.conf.txt )
/etc/init.d/php5.3-fpm ( see attached php5.3-fpm.txt )
/lib/systemd/system/php5.3-fpm.service ( see attached php5.3-fpm.service.txt )

optional Install APC

Code:

mkdir /usr/local/src/php5-build/apc
cd /usr/local/src/php5-build/apc
wget http://pecl.php.net/get/APC -O 3.1.13.tar.gz
tar xf 3.1.13.tar.gz
cd APC-3.1.13/
/opt/php-5.3.29/bin/phpize
./configure --with-php-config=/opt/php-5.3.29/bin/php-config
make -j4
make install

/etc/php/5.3/mods-enabled/apc.ini

Code:

extension=/opt/php-5.3.29/lib/php/extensions/no-debug-non-zts-20090626/apc.so
apc.enabled=1
apc.shm_size=128M
apc.ttl=0
apc.gc_ttl=600
apc.enable_cli=1
apc.mmap_file_mask=/tmp/apc.XXXXXX

optional suhoshin extension ( it's not the same as the patch! )

Code:

mkdir /usr/local/src/php5-build/suhoshin
cd /usr/local/src/php5-build/suhoshin
wget https://download.suhosin.org/suhosin-0.9.37.1.tar.gz
tar xf suhosin-0.9.37.1.tar.gz
cd suhosin-0.9.37.1
/opt/php-5.3.29/bin/phpize
./configure --with-php-config=/opt/php-5.3.29/bin/php-config
make
make install
echo "extension=suhosin.so" > /etc/php/5.3/mods-enabled/suhoshin.ini

see https://suhosin.org/stories/configuration.html for options

Code:

ln -s /opt/php-5.3.29/bin/php /usr/bin/php5.3
ln -s /opt/php-5.3.29/sbin/php-fpm /usr/sbin/php-fpm5.3
update-alternatives --install /usr/bin/php php /usr/bin/php5.3 0

Code:

chmod +x /etc/init.d/php5.3-fpm
update-rc.d php5.3-fpm defaults

check/set your default system php

Code:

update-alternatives --config php

Code:

systemctl enable php5.3-fpm.service
systemctl daemon-reload
systemctl restart php5.3-fpm.service

go to System > Additional PHP Versions in ISPConfig and compare to attached Picture No cgi, please don't use cgi!

for TLS usage in this version, there has been a discussion:
https://bugs.php.net/bug.php?id=65329


edit: added suhoshin patch
edit: added suhoshin extension
edit: added some disable_functions
edit: tls hint

 

notify, did some changes, see all "edit" blocks up to tls-hint have a great day

 

Thank you so much for posting these!
I found out today using VM that another application (Centova Cast) will not work properly on Debian 9 Stretch
So in my quest to migrate to a new server it looks like the best option will be to install Debian 8 Jessie.
With Jessie I should be able to install PHP 5.3 https://www.howtoforge.com/how-to-u...pm-and-fastcgi-with-ispconfig-3-debian-wheezy
Correct?

 

Why doesn't it support Debian 9? Does it have issues with the new apache syntax maybe? Anyway,
yes you can install jessie like in the tutorial. Maybe have a look at https://www.proxmox.com/