Enabling PHP-FPM forces disable_functions

[AndyX]

WHM 60.0 (build 35)
PHP Version: ea-php71

When I enable PHP-FPM



When I disable PHP-FPM



Is there any way to enable PHP-FPM without disabling the following functions:

exec,passthru,shell_exec,system

 

[sparek-3]

I'm not entirely sure that cPanel's PHP-FPM adaption is ready for primetime.

You will want to read through:

PHP-FPM and EasyApache 4 - Documentation - cPanel Documentation

cPanel's PHP-FPM is adding those disabled functions by default. You can adjust this, system-wide by modifying/creating the file at:

/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

Or you can set this per VirtualHost using the file:

/var/cpanel/userdata/[user]/[domain].php-fpm.yaml

and adjust the disable_functions for that specific pool.

All of this gets exceedingly complicated in a per VirtualHost pool setup. I have real reservations over whether cPanel's decision to use a per-VirtualHost FPM pool is the way to go. I think a per-user FPM pool would be a lot simplier. And the system for doing this is all a bit convoluted at this stage.

Perhaps the cPanel PHP-FPM system will all come together at some point. Perhaps a per-VirtualHost FPM pool will make more sense then. But the system as it stands right now, to me, leaves a bit to be desired.

 

[AndyX]

cPanel's PHP-FPM is adding those disabled functions by default. You can adjust this, system-wide by modifying/creating the file at:

/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

Hi sparek-3,

Thank you for your help.

Sounds like I will need to create a folder called ApachePHPFPM located here:

/var/cpanel/ApachePHPFPM

Then create a file called:

/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

Then in that file enter:

disable_functions =

Is this all correct?

 

[AndyX]

Found the documentaion:

PHP-FPM and EasyApache 4 - Version 60 Documentation - cPanel Documentation

and

PHP-FPM and EasyApache 4 - Documentation - cPanel Documentation

 

[AndyX]

I tried creating the file as I outlined in post #3, but that caused problems, when I switched to PHP-FPM is would no longer show my domain at the bottom of the page.

 

[sparek-3]

I believe it should be:

---
php_admin_value_disable_functions = { present_ifdefault: 0 }

Keep in mind though, this is going to enable all functions for every account that uses PHP-FPM

Sorry, think my original post was wrong, I think this is right. I have edited this post.

 

[AndyX]

I believe it should be:

---
php_admin_value_disable_functions = { present_ifdefault: 0 }

Keep in mind though, this is going to enable all functions for every account that uses PHP-FPM

Sorry, think my original post was wrong, I think this is right. I have edited this post.

When I put that code into the system_pool_defaults.yaml file and enabled PHP-FPM I got the following error when I reloaded my XenForo forum:

 

[AndyX]

I found the link which explains the php_admin_value_disable_functions.

Configurations Values of PHP-FPM - Documentation - cPanel Documentation

However I'm not able to make this work.

 

[AndyX]

@sparek-3

In the code you posted, you have --- on the fist line, is by accident or is it needed?

 

[cPanelMichael]

Hello,

The following document includes information on how to change the default configuration values with PHP-FPM on EA4:

PHP-FPM and EasyApache 4 - Documentation - cPanel Documentation

In particular, this is the file path to edit for a specific domain name:

/var/cpanel/userdata/[user]/[domain].php-fpm.yaml

Otherwise, review the paths under "Optional files" if you wish to to change the default parameters. Also, the following document provides information about how to formulate the custom entries:

Configurations Values of PHP-FPM - Documentation - cPanel Documentation

After making those changes to the YAML file on a specific domain name, run the following command:

/scripts/php_fpm_config --rebuild --domain=domain

This script is documented at:

The php_fpm_config Script - Documentation - cPanel Documentation

Thank you.

 

[AndyX]

After making those changes to the YAML file on a specific domain name, run the following command:

How come when I try to run the command I get "command not found" message?

 

[cPanelMichael]

Hello,

The full path to the script is required in the command:

/scripts/php_fpm_config

Thanks!

 

[AndyX]

Thank you, Michael.

So far so good, I ran the script and my server is still running.



Now I will need to make the changes to the .yaml

/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

and run the script again. I'm still not clear if the first line should have a --- or that was a mistake.

---
php_admin_value_disable_functions = { present_ifdefault: 0 }

 

[cPanelMichael]

I'm still not clear if the first line should have a --- or that was a mistake.

Hello,

Yes, that should be the first line. Information on YAML files is also available at:

YAML - Wikipedia

Thanks!

 

[AndyX]

I followed all the steps:

1) Created a ApachePHPFPM folder and system_pool_defaults.yaml file.



2) The system_pool_defaults.yaml file contains:



3) Ran the script:

/scripts/php_fpm_config --rebuild --domain=example.com

Of course instead of using example.com I used my domain.

4) Applied PHP-FPM



And the result is a server error when I try to view my server in the browser:



Looking at my error_log file I have many lines similar to this:

 

[AndyX]

Looking at the following error.log file:

/opt/ea-php71/root/usr/var/log/php-fpm/error.log



I have never tried setting any pool, could that be the problem?

 

[AndyX]

I was never able to solve this issue.

 

[cPanelMichael]

Hello,

Please revert any modifications you have made and let us know if the steps outlined below are helpful:

1. Create the /var/cpanel/ApachePHPFPM directory:

mkdir /var/cpanel/ApachePHPFPM

2. Create the /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml file:

touch /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

3. Edit /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml using your preferred text editor (e.g. vi, nano) so that it looks exactly like this:

---
php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

In this example, "passthru,system" are left as disabled functions. No other lines exist before or after this entry in this file.

4. Regenerate the PHP-FPM configuration files via:

/scripts/php_fpm_config --rebuild

5. Restart the Apache PHP-FPM and Apache service:

/scripts/restartsrv_apache_php_fpm
/scripts/restartsrv_httpd

Keep in mind disable_functions works differently compared to most other PHP values with PHP-FPM. When you define a custom disable_functions value in your PHP-FPM configuration, it's allowing you to disable additional functions on top of what's already disabled in the global php.ini file. For instance, let's say the following line is configured for PHP version 7.0 from WHM >> MultiPHP INI Editor >> Editor Mode:

disable_functions = popen,proc_open

If you were to to setup a custom PHP-FPM default value for disable_functions per the example at the top of this post, then the actual disabled functions would include passthru, system, popen, proc_open. Additionally, keep in mind the PHPINFO output on the website will match what you've configured in your custom PHP-FPM configuration file, despite the fact that additional PHP functions are disabled (this is an artifact of how PHP and PHP-FPM work as opposed to how they are implemented with cPanel & WHM).

In summary, while you can add additional entries to the disable_functions PHP value through the use of a custom PHP-FPM configuration file, and customize the disable_functions PHP value for individual PHP-FPM user pools, you can't enable functions for this option that are already disabled in the global php.ini configuration file.

Thank you.

 

[Floyd R Turbo]

'sup @AndyX! Were you able to fix this? I'm hitting the same issue after bumping to php7 and php-fpm

 

[cPanelMichael]

'sup @AndyX! Were you able to fix this? I'm hitting the same issue after bumping to php7 and php-fpm

Do the instructions in my last response to this thread help?

Thank you.