PHP-FPM, .htaccess Configuration

thowden

Well-Known Member
May 17, 2013
56
6
58
cPanel Access Level
Root Administrator
Hi All

WHM CLOUDLINUX 7.5 xen enterprise hvm v74.0.6

Running PHP 7.2 with PHP-FPM.

Using .htaccess and .htpasswd to restrict site access for test environment.

Using SETENVIF to allow specific URI to be accessed for backend operations while the front end is not public.

The configuration works well if PHP-FPM is turned off and FAILS with PHP-FPM turned on.

I am looking at the configuration of PHP-FPM and suspect that the issue is with the ENV settings not being recognised / passed through to PHP-FPM.

This implies that I need to use the 'clear_env = no' setting for PHP-FPM while the default (assumed to be in absence of an explicit setting) is Yes.

This link
Configurations Values of PHP-FPM - Version 72 Documentation - cPanel Documentation
mentions 'clean_env' which I assume is a typo for 'clear_env' and states it is N/A (which I think would mean Yes as the standard default rather than NULL).

Using that documentation I have added / created a file as:

/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml

with content as:
clear_env:no

But when I try to rebuild the php-fpm I get this error

"Not a reference at /usr/local/cpanel/Cpanel/PHPFPM.pm line 659."

This appears to be just an unhandled exception as changing the syntax of the
/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
'clear_env:no' to 'clear_env: no' (note the space after the colon)
completes the rebuild process without error.

In any case the resulting file
/var/cpanel/userdata/account/website.domain.php-fpm.yaml
shows only the default config for enabled PHP-FPM
---
_is_present: 1

Manually editing the /var/cpanel/userdata/account/website.domain.php-fpm.yaml to include the line clear_env: no or clear_env: 1 and restarting the PHP-FPM service does not make any difference.

So my question is, how do I get PHP-FPM to accept the .htaccess SETENVIF instructions?
 

thowden

Hi Lauren

Thanks for the reference. I think it covers everything I was doing yesterday.

The question relates to something that is not a php.ini directive but a PHP-FPM directive. Checking the PHP Manual:
FPM uses php.ini syntax for its configuration file - php-fpm.conf, and pool configuration files
clear_env boolean
Clear environment in FPM workers. Prevents arbitrary environment variables from reaching FPM worker processes by clearing the environment in workers before env vars specified in this pool configuration are added. Since PHP 5.4.27, 5.5.11, and 5.6.0. Default value: Yes.
So given that the examples for configuring a php.ini directive have a specific format, like:

php_admin_value_disable_functions: { name: 'php_admin_value[disable_functions]', value: passthru,system }

What would be the correct formatting to set the php-fpm directive of clear_env = No? And is the .yaml file the correct location for that instruction?

There is an underlying issue from a script security perspective: if clear_env defaults to Yes in order to prevent arbitrary ENV variables being pushed to the FPM processes, what is the risk if it is changed?

I think the resource here might be useful for you Tutorial - Managing php.ini directives with PHP-FPM
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,273
313
Houston
Hi @thowden

You mentioned:
This link
Configurations Values of PHP-FPM - Version 72 Documentation - cPanel Documentation
mentions 'clean_env' which I assume is a typo for 'clear_env' and states it is N/A (which I think would mean Yes as the standard default rather than NULL).
There is most definitely a typo, and you're correct that it should be clear_env - adding clean_env results in a failure to build. It's also confirmed in the PHP documentation here: PHP: Configuration - Manual. I'm opening a documentation case for this.


Also I want to point out I think you're looking in the wrong place for the change.

The change goes into:
Code:
/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
but is reflected in:
Code:
/opt/cpanel/ea-phpXX/root/etc/php-fpm.d/domain.tld.conf
It is not reflected in
Code:
/var/cpanel/userdata/account/website.domain.php-fpm.yaml
This is where you make domain-specific changes.

When I add clear_env: no in
Code:
/var/cpanel/ApachePHPFPM/system_pool_defaults.yaml
and rebuild/restart php-fpm and apache I see the following in
Code:
/opt/cpanel/ea-phpXX/root/etc/php-fpm.d/domain.tld.conf
Code:
grep clear_env /opt/cpanel/ea-php71/root/etc/php-fpm.d/mydomain.tld.conf
clear_env = no
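
The two checks this thread turns on, as an added example (not posted by either participant and not cPanel tooling): lint the defaults YAML for a `key:value` line missing the space after the colon, then read the active `clear_env` value out of the generated pool config. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample files are constructed stand-ins for the paths in the thread.

# List "key:value" lines that lack the space YAML requires after the colon.
# YAML reads such a line as one plain string, not as a key/value pair.
# Returns 0 when the file is clean, 1 when offending lines were printed.
lint_pool_yaml() {
    if grep -nE '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*:[^[:space:]]' "$1"; then
        return 1
    fi
    return 0
}

# Echo the active clear_env value from a generated pool .conf file.
# Lines commented out with ';' are ignored; "unset" means the directive is
# absent, so PHP-FPM falls back to its documented default (yes).
pool_clear_env() {
    val=$(sed -n 's/^[[:space:]]*clear_env[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*$/\1/p' "$1" | tail -n 1)
    echo "${val:-unset}"
}

# --- Demo on constructed files ---
tmp=$(mktemp -d)
printf '%s\n' 'clear_env:no'  > "$tmp/bad_defaults.yaml"   # form that broke the rebuild
printf '%s\n' 'clear_env: no' > "$tmp/good_defaults.yaml"  # form that rebuilt cleanly
printf '%s\n' '[mydomain_tld]' '; clear_env = yes' 'clear_env = no' > "$tmp/pool.conf"

for f in "$tmp/bad_defaults.yaml" "$tmp/good_defaults.yaml"; do
    if lint_pool_yaml "$f" >/dev/null; then
        echo "${f##*/}: ok"
    else
        echo "${f##*/}: missing space after colon"
    fi
done
echo "pool.conf clear_env = $(pool_clear_env "$tmp/pool.conf")"
rm -rf "$tmp"
```

On a server, point the two functions at /var/cpanel/ApachePHPFPM/system_pool_defaults.yaml and at the generated /opt/cpanel/ea-phpXX/root/etc/php-fpm.d/domain.tld.conf named above.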