PHP-FPM - Default Settings

Discussion in 'Security' started by qwerty, Jun 13, 2017.

  1. qwerty

    qwerty Well-Known Member

    Hi,

    I finally recently decided to upgrade from EA3/suPHP (Cloudlinux servers) to EA4 + PHP-FPM.

    Everything went fine; however, one thing was not immediately obvious after the upgrades. Namely, certain PHP settings, such as disable_functions and error_reporting (and many others), are controlled via PHP-FPM settings.

    You may think that your 'disable_functions' are set correctly via php.ini (multiphp editor in WHM) but they're not. PHP-FPM has its own settings.

    To ensure that you have disable_functions actually in place for ALL accounts on the server, you will need to follow these steps:

    1. Create /var/cpanel/ApachePHPFPM/

    ie. "mkdir /var/cpanel/ApachePHPFPM/"

    2. Create /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

    ie. "touch /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml"

    3. Open the above yaml file with your favorite editor

    ie. pico /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

    4. Enter the following line, exit and save.

    php_admin_value_disable_functions : phpinfo,dl,passthru,proc_open,proc_close,shell_exec,system,exec,show_source,popen,allow_url_fopen

    ^^ obviously adjust the list of functions you want to disable.

    5. /scripts/php_fpm_config --rebuild

    That's it...the disable_functions are now in place and actually functional.

    In my system_pool_defaults.yaml I have also added

    php_admin_value_error_reporting : E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
    php_admin_flag_allow_url_fopen : off

    The error_reporting in particular drove me crazy for days as some older web sites were breaking (due to strict/deprecated error messages) even though my normal php.ini settings were set to disable strict/deprecated.

    As it turned out, just like the 'disable_functions' issue above, PHP-FPM also uses its own error_reporting settings.

    PLEASE NOTE: /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml affects all PHP-FPM users on the system. If you want to modify only a particular user, you can; read
    PHP-FPM Code and FileSystem Layout for EasyApache 4 - Documentation - cPanel Documentation

    With that said .. while this whole thing is obviously 'documented' as can be seen above, I think cPanel should exercise some care and advise customers of these major changes in the way PHP is configured, especially if they're coming from EA3 and suPHP etc. The easiest way to do that would be to actually have a web-based system pools (incl. per user and global settings) PHP-FPM configuration in WHM, maybe in the MultiPHP ??
     
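Added example, not part of the original post or of cPanel's tooling: after the rebuild in step 5, a check like the one below confirms that every generated PHP-FPM pool file really carries a php_admin_value[disable_functions] line containing the functions you expect. The thread does not say where the pool files live, so the directory is an argument, and the sample pool files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Reports PHP-FPM pool files that do not
# enforce a disable_functions list. The pool directory is supplied by the
# caller; the sample files below are constructed for the demo.

# Print the effective php_admin_value[disable_functions] list of one pool
# file (last uncommented assignment wins), with quotes and spaces stripped.
pool_disabled() {
    sed -n 's/^[[:space:]]*php_admin_value\[disable_functions\][[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '" '
}

# audit_pools DIR FUNC...  -> one line per problem, exit status 1 if any.
audit_pools() {
    local dir rc conf list fn
    dir=$1; shift; rc=0
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        list=$(pool_disabled "$conf")
        if [ -z "$list" ]; then
            echo "${conf##*/}: no php_admin_value[disable_functions]"; rc=1
            continue
        fi
        for fn in "$@"; do
            case ",$list," in
                *",$fn,"*) ;;
                *) echo "${conf##*/}: $fn not disabled"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed sample pools: one complete, one commented out, one partial.
make_sample_pools() {
    printf '[alice]\nphp_admin_value[disable_functions] = phpinfo,dl,passthru,proc_open,shell_exec,system,exec,popen\n' > "$1/alice.conf"
    printf '[bob]\n;php_admin_value[disable_functions] = exec\n' > "$1/bob.conf"
    printf '[carol]\nphp_admin_value[disable_functions] = "phpinfo, dl"\n' > "$1/carol.conf"
}

demo() {
    local d
    d=$(mktemp -d) || return 1
    make_sample_pools "$d"
    audit_pools "$d" exec shell_exec || echo "at least one pool is not enforcing the list"
    rm -rf "$d"
}
demo
```

The exit status makes it usable from cron or a post-rebuild hook: a non-zero result means at least one pool would still allow a function you meant to block.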
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    I encourage you to vote and add feedback to the existing feature request for this at:

    PHP-FPM Enhanced Configuration

    Thanks!
     