FreeBSD 12.1 + Apache 2.4.x + PHP 7.2.x (Multiple TLD's + Multiple Sub-domains) w/ httpd.conf

FreeBSD 12.1 + Apache 2.4.x (Multiple TLD's + Multiple Sub-domains) w/ httpd.conf -- won't connect error (sub-domain)

Problem at hand: Sub-domain receiving a "won't connect" in browser. I cannot even receive an error message on either Apache or Web Browser (Firefox).

The domain sharpenyoursword.org is TLD #1, and subdomain.sharpenyoursword.org is on its own STATIC IP (I am trying to achieve the following):

TLD #1: Unique Static IP
TLD #2: Unique Static IP
TLD #3: Unique Static IP
TLD #4: Unique Static IP
TLD #5: Unique Static IP

TLD #1 Subdomains: Unique Static IP (Shared IP across *.sharpenyoursword.org)
TLD #2 Subdomains: Unique Static IP (Shared IP across *.TLD #2)
TLD #3 Subdomains: Unique Static IP (Shared IP across *.TLD #3)
TLD #4 Subdomains: Unique Static IP (Shared IP across *.TLD #4)
TLD #5 Subdomains: Unique Static IP (Shared IP across *.TLD #5)


Current httpd.conf:

Code:
# Main Apache 2.4 configuration, FreeBSD port layout: ServerRoot is /usr/local,
# modules live under libexec/apache24 and site config under etc/apache24.
# Relative paths used by Include/TypesConfig below are resolved against
# ServerRoot, so "etc/apache24/..." means /usr/local/etc/apache24/...
ServerRoot "/usr/local"
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
# NOTE(review): only one address:port is listened on. A <VirtualHost> bound to a
# different address (the subdomain vhost in this thread uses 104.36.17.19:80)
# never receives connections unless that address also appears in a Listen
# directive; the browser then reports "Unable to connect" and nothing is
# written to the Apache logs, which matches the reported symptom. One Listen
# line per static IP (or "Listen 80" for every address) is needed.
Listen SERVER-IP(Same as TLD #1):80

# LOGGING - MAIN APACHE

ErrorLog "/usr/local/www/apache24/logs/error/apache24-main-error.log"

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /usr/local/www/apache24/logs/access/apache24-access_log common

# ALT APACHE MODES (NON-PHP-FPM)

#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so

# BARE MINIMUM - REQUIRED

LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
LoadModule version_module libexec/apache24/mod_version.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
LoadModule dir_module libexec/apache24/mod_dir.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule mime_module  libexec/apache24/mod_mime.so
LoadModule actions_module libexec/apache24/mod_actions.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
# access_compat only provides the 2.2-style Order/Allow/Deny directives; with
# authz_core loaded, "Require" is the native 2.4 access-control form.
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
# proxy + proxy_fcgi are what the per-vhost "SetHandler proxy:fcgi://..." lines
# rely on to hand .php requests to PHP-FPM.
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so

# CHOSEN MODULES - EXTENDABLES

LoadModule authz_user_module libexec/apache24/mod_authz_user.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so

LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so


# MOD SECURITY V2

LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule security2_module libexec/apache24/mod_security2.so
Include /usr/local/etc/modsecurity/*.conf

# OWASP3 CORE BASE RULES FOR MOD SECURITY V2

# NOTE(review): the CRS rules expect crs-setup.conf to be Included before this
# line; rule 901001 in the audit log reports "deployed without configuration"
# for exactly that reason. The audit log also shows Engine-Mode
# "DETECTION_ONLY", i.e. matches are logged but nothing is blocked, so
# mod_security is not what refuses the subdomain connection.
Include /usr/local/etc/apache24/OWASP3/rules/*.conf

# MOD SECURITY V3

#LoadModule security3_module modules/mod_security3.so

# THIRD PARTY MODULES

#IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf

<IfModule unixd_module>

User www
Group www

</IfModule>

## Apache 2.4 Daemon Hardening

# Prevent Apache from sending identifying information to a Client
ServerTokens Prod
ServerSignature Off

## Vhosts-Enabled Directory - Custom

# NOTE(review): the same directory is already Included unconditionally at the
# end of this file; enabling this line as well would load every vhost file
# twice (Apache warns about overlapping VirtualHosts). Keep only one of them.
#IncludeOptional etc/apache24/Vhosts-Enabled/*.conf

# REMAINDER ROOT SERVER CONFIG

# NOTE(review): there is no "<Directory />" block with "AllowOverride None" and
# "Require all denied" in this file, so nothing denies filesystem access by
# default and each vhost's <Directory> decides on its own. The stock 2.4
# httpd.conf starts from a deny-all root and grants per DocumentRoot;
# restoring that default is the usual least-privilege baseline.

<IfModule alias_module>

    # NOTE(review): neither mod_cgi nor mod_cgid is loaded in this file, so this
    # alias has no handler behind it; if CGI is not needed, dropping the alias
    # is simpler than leaving an exposed /cgi-bin/ path — confirm.
    ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"

</IfModule>

<IfModule cgid_module>

</IfModule>

<Directory "/usr/local/www/apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule headers_module>

</IfModule>

<IfModule mime_module>

    TypesConfig etc/apache24/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

</IfModule>

<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf

</IfModule>

# NOTE(review): ssl_module is never loaded in this file, so this block is inert
# and every vhost is served over plain HTTP on port 80.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

# Both paths resolve via ServerRoot to /usr/local/etc/apache24/...; the
# per-vhost access logs listed later in the thread show the vhost files do
# load from here. "Include" (unlike IncludeOptional) fails at startup when a
# wildcard matches no files.
Include etc/apache24/Includes/*.conf
Include etc/apache24/Vhosts-Enabled/*.conf

Current VHOST Example of TLD #1 (Unique STATIC IP Subdomain of sharpenyoursword.org ; which sharpenyoursword.org has a different Unique STATIC IP)

Vhost Configuration Folder: (/Vhosts-Enabled)

File:
subdomain_SYSorg_001_genesis.sharpenyoursword.org.conf

File Contents: (subdomain_SYSorg_001_genesis.sharpenyoursword.org.conf):

Code:
# TLD - SHARPENYOURSWORD.ORG
# VirtualHost for the genesis subdomain, bound to its own static IP
# (104.36.17.19) rather than the address used by sharpenyoursword.org itself.
# NOTE(review): nothing in this file makes Apache accept connections on
# 104.36.17.19; the main httpd.conf must carry a matching
# "Listen 104.36.17.19:80", otherwise clients get a connection refusal before
# this vhost is ever consulted.

<VirtualHost 104.36.17.19:80>

ServerAdmin admin@sharpenyoursword.org

# NOTE(review): ServerName is normally the host name this vhost answers to
# (genesis.sharpenyoursword.org, going by the file name), not the IP. An IP
# here only matters once several vhosts share 104.36.17.19:80, at which point
# the Host header is what Apache matches on — confirm the intended name.
ServerName 104.36.17.19:80

DocumentRoot "/usr/local/www/apache24/data/sys_GENESIS/"

<Directory "/usr/local/www/apache24/data/sys_GENESIS/">

    # NOTE(review): "Indexes" publishes directory listings wherever no index
    # file exists, "FollowSymLinks" follows links out of the DocumentRoot, and
    # "AllowOverride All" lets any .htaccess below this path override these
    # settings. No "Require" is given, so access falls back to the server-level
    # default (httpd.conf has no "<Directory />" deny block); the explicit 2.4
    # form is "Require all granted".
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>
# Never serve .htaccess/.htpasswd-style files.
<Files ".ht*">
    Require all denied
</Files>

ErrorLog "/usr/local/www/apache24/logs/error/subdomain_SYSorg_001_apache24-genesis.sharpenyoursword.org-error.log"

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /usr/local/www/apache24/logs/access/subdomain_SYSorg_001_apache24-genesis.sharpenyoursword.org-access_log common


LogLevel warn

<IfModule log_config_module>

    # Redefines the "common" nickname already declared above; harmless duplicate.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
    </IfModule>

</IfModule>

# Hand .php requests to the PHP-FPM pool on TCP 127.0.0.1:9001 via
# mod_proxy_fcgi.
# NOTE(review): the audit logs later in the thread show sharpenyoursword.org
# being handled on port 9000, and php-fpm then fails to bind 9000 with
# "Address already in use" — confirm this port matches the pool's listen=
# setting and that exactly one php-fpm instance owns it.
<FilesMatch "\.php$">
    SetHandler  "proxy:fcgi://127.0.0.1:9001"
</FilesMatch>

</VirtualHost>

The exact Web Browser Error is :

"Problem loading page"

Contents: "Unable to connect"


Thank you ahead of time if anyone knows what is causing this!

Best Regards,

Brandon Kastning
 
you have
#IncludeOptional etc/apache24/Vhosts-Enabled/*.conf

remove the comment marker in front so all *.conf files from this directory are loaded.

Include /usr/local/etc/apache24/Vhosts-Enabled/*.conf
 
you have
#IncludeOptional etc/apache24/Vhosts-Enabled/*.conf

remove the comment marker in front so all *.conf files from this directory are loaded.

Include /usr/local/etc/apache24/Vhosts-Enabled/*.conf
VladiBG,

I removed the hash tag; restarted apache and still the same results.

Unless I need to restart the server for some reason.

Thank you for pointing that out. Too bad it didn't fix the problem though. The Vhost configuration files within /Vhosts-Enabled have been loading in HTML.
 
Do you see your custom log files for each vhost? If not, your vhost*.conf files are most likely not loaded because your path is incorrect:
Include etc/apache24/Includes/*.conf
Include etc/apache24/Vhosts-Enabled/*.conf

must be the full path with leading root /
/usr/local/etc/apache24/.....
 
Do your mod_security settings deny all directory access by default?

add Require all granted or Require valid-user (if using authentication) to the virtualhost <Directory> block

I'd also not set your ServerRoot "/usr/local/". A misconfiguration would give access to all your server configuration folders
 
Do you see your custom log files for each vhost? If not, your vhost*.conf files are most likely not loaded because your path is incorrect:
Include etc/apache24/Includes/*.conf
Include etc/apache24/Vhosts-Enabled/*.conf

must be the full path with leading root /
/usr/local/etc/apache24/.....

VladiBG,

They sure are!

Output for /usr/local/www/apache24/logs/access:

Code:
root@sharpenyoursword:/usr/local/www/apache24/logs/access # ls
001_apache24-sharpenyoursword.org-access_log
002_apache24-sharpenyoursword.net-access_log
003_apache24-thewarriorsdojo-access_log
004_apache24-wethepeopleonline-access_log
005_apache24-uscaselaw-access_log
apache24-access_log
subdomain_SYSorg_001_apache24-genesis.sharpenyoursword.org-access_log
subdomain_WTPO_047_apache24-washington.wethepeopleonline.com-access_log
 
Do your mod_security settings deny all directory access by default?

add Require all granted or Require valid-user (if using authentication) to the virtualhost <Directory> block

I'd also not set your ServerRoot "/usr/local/". A misconfiguration would give access to all your server configuration folders

anlashok,

Regarding mod_security I am not sure. I ran into difficulties trying to configure it based on internet guides on blogs and mod_security installations. I attempted V3 first; and then I installed Mod Security V2. I was receiving the following error because I did not set it up correctly.

Error with PHP Pages being White since I started to install and configure mod_security on the following file: /var/log/modsec_audit.log

I couldn't get git installed. I manually git-cloned the Core Rule Set on a Debian machine and uploaded it to my home directory temporarily; I had a problem with OpenSSL and couldn't figure it out.

modsec_audit.log Contents:

Code:
--27790531-F--
HTTP/1.1 500 Internal Server Error
Set-Cookie: 2c9eba53fdcd76efdd52077f96a8c94e=c5sul7o0rckiq8i13s70ujkr1d; path=/; HttpOnly
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--27790531-E--

--27790531-H--

Message: Warning. Operator EQ matched 0 at TX. [file "/usr/local/etc/apache24/OWASP3/rules/REQUEST-901-INITIALIZATION.conf"] [line "61"] [id "901001"] [msg "ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client HOME_IP] ModSecurity: Warning. Operator EQ matched 0 at TX. [file "/usr/local/etc/apache24/OWASP3/rules/REQUEST-901-INITIALIZATION.conf"] [line "61"] [id "901001"] [msg "ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"] [hostname "sharpenyoursword.org"] [uri "/"] [unique_id "XlheXTyYRw5ZoXMokoy2CwAAANg"]

Apache-Error: [file "mod_proxy_fcgi.c"] [line 859] [level 3] AH01071: Got error 'PHP message: PHP Warning:  require_once(/usr/local/www/apache24/data/sysorgmain/administrator/components/com_jvld/common/class.payment.php): failed to open stream: No such file or directory in /usr/local/www/apache24/data/sysorgmain/plugins/jvldpayment/offline/offline.php on line 18\\nPHP message: PHP Fatal error:  require_once(): Failed opening required '/usr/local/www/apache24/data/sysorgmain/administrator/components/com_jvld/common/class.payment.php' (include_path='/usr/local/www/apache24/data/sysorgmain/plugins/system/shlib/shl_packages//ZendFramework-1.11.7-minimal/library:.:/usr/local/share/pear') in /usr/local/www/apache24/data/sysorgmain/plugins/jvldpayment/offline/offline.php on line 18\\n'

Apache-Handler: proxy:fcgi://127.0.0.1:9000
Stopwatch: 1582849629937222 459921 (- - -)
Stopwatch2: 1582849629937222 459921; combined=6041, p1=2327, p2=2282, p3=75, p4=174, p5=663, sr=397, sw=5, l=0, gc=515
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--27790531-Z--

I do not know if sharpenyoursword.org/index.php is loading and being prevented by installed mod_security. I tried to rule that out before completing what the error page said to do. The only way I could do that is to install git and clone the directory. I took the long way on that and haven't gotten that far just yet.

I did try to edit httpd.conf and # disable mod_security; restarted apache24 and the white pages were still there.

I do not know if there are more "on switches" besides that or if I broke it since the last fix and it turns out not to be mod_security


You said:

I'd also not set your ServerRoot "/usr/local/". A misconfiguration would give access to all your server configuration folders

What would you recommend as far as a secure path within the FreeBSD file system?

Thanks again! :)
 
The logs on php-fpm are showing... path /var/log/

Command:
Code:
# tail -f global-php-fpm.log

Code:
[27-Feb-2020 16:25:06] NOTICE: fpm is running, pid 84554
[27-Feb-2020 16:25:06] NOTICE: ready to handle connections
[02-Mar-2020 14:27:36] NOTICE: [pool sharpenyoursword.org] child 85034 exited with code 0 after 338550.041040 seconds from start
[02-Mar-2020 14:27:36] NOTICE: [pool sharpenyoursword.org] child 76428 started
[02-Mar-2020 15:31:04] NOTICE: Terminating ...
[02-Mar-2020 15:31:04] NOTICE: exiting, bye-bye!
[02-Mar-2020 15:33:10] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

[02-Mar-2020 15:33:10] NOTICE: fpm is running, pid 3546
[02-Mar-2020 15:33:10] NOTICE: ready to handle connections

Still white; I even copied over the configuration file and disabled modsecurity in the main one. Still white screen. That's why I am checking the logs on php-fpm. Apache 2.4 also starts without a problem.

Good puzzle here.
 
I just got done removing php72.x and installed php 7.4 latest. Removed mod_security3, mod_security2 and reinstalled mod_security2.

Apache 2.4 is loading fine. Startup is perfect; even with php-fpm.

The logs look good and "ps aux" shows the following php-fpm pool daemons running, yet I can't seem to process .php pages.

White page; no error.

# ps aux

Code:
www     91032   0.0  1.4  205296  44148  -  I    17:52   0:00.73 php-fpm: pool sharpenyoursword.org (php-fpm)

www     91273   0.0  1.1  202944  35544  -  I    17:52   0:00.00 php-fpm: pool sharpenyoursword.org (php-fpm)

www     91790   0.0  1.1  202944  35544  -  I    17:52   0:00.00 php-fpm: pool genesis.sharpenyoursword.org (php-fpm)

So now the current build is

# freebsd-version -k:
Code:
12.1-RELEASE
# uname -mrs
FreeBSD 12.1-RELEASE amd64
# httpd -v:
Code:
Server version: Apache/2.4.41 (FreeBSD)
# php -v:
Code:
PHP 7.4.3 (cli) (built: Mar  2 2020 17:27:23) ( NTS DEBUG )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.3, Copyright (c), by Zend Technologies
 
mod_security 2.9.3 from ports (/www/mod_security) is currently installed and configured. Everything that I can see is configured properly. I updated to PHP 7.4 like I said earlier, and I also re-mapped the PHP-FPM pools and matched them to the Vhosts-Enabled/*.conf files for the multiple domain.TLD configurations.

Mod Security modsec_audit.log is producing the following when I am trying to load the main domain.TLD

Code:
--4d3ffc18-A--
[02/Mar/2020:19:47:17 --0800] Xl3TRR8SjLGdHG2oHRVkiAAAAJg HOMEIP 48124 104.36.16.72 80
--4d3ffc18-B--
GET /index.php HTTP/1.1
Host: sharpenyoursword.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __test=f50a0d1177af10c474dab772f80effaa; 2c9eba53fdcd76efdd52077f96a8c94e=ikbftof2k6khh1gamuivlfeb6e
Connection: keep-alive
Upgrade-Insecure-Requests: 1

--4d3ffc18-F--
HTTP/1.1 500 Internal Server Error
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--4d3ffc18-E--

--4d3ffc18-H--
Apache-Error: [file "mod_proxy_fcgi.c"] [line 859] [level 3] AH01071: Got error 'PHP message: PHP Warning:  require_once(/usr/local/www/apache24/data/sysorgmain/administrator/>
Apache-Handler: proxy:fcgi://127.0.0.1:9000
Stopwatch: 1583207237807228 38376 (- - -)
Stopwatch2: 1583207237807228 38376; combined=1938, p1=497, p2=1092, p3=62, p4=157, p5=124, sr=151, sw=6, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

Different Domain w/ a standard info.php (This one is just a standard info.php) -- Still white page w/ the following /var/log/modsec_audit.log entry:

Code:
--50f40413-A--
[02/Mar/2020:19:53:42 --0800] Xl3UxphFCsSp96m4o1GBrwAAAJY HOMEIP 48230 104.36.16.72 80
--50f40413-B--
GET /info.php HTTP/1.1
Host: thewarriorsdojo.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 02960cc0cd3fe42706f1b8455e0f15ab=mjof8rjrfbl69h68p00clo74ac
Connection: keep-alive
Upgrade-Insecure-Requests: 1

--50f40413-F--
HTTP/1.1 500 Internal Server Error
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--50f40413-H--
Apache-Handler: proxy:fcgi://127.0.0.1:9003
Stopwatch: 1583207622658159 75490 (- - -)
Stopwatch2: 1583207622658159 75490; combined=1844, p1=724, p2=964, p3=0, p4=0, p5=150, sr=308, sw=6, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--50f40413-Z--
 
Could you simplify the set-up to just deliver HTML for now?

So first step might be better as a few "It worked!" HTML pages.

Once those are working you can move onto the PHP-FPM stuff - once you know that basic HTML delivery is working.

Apologies if you've already tried that or it's not going to help here.
 
I have looked over all the configurations over and over.

This is the current tail of modsec_audit.log:
Could you simplify the set-up to just deliver HTML for now?

So first step might be better as a few "It worked!" HTML pages.

Once those are working you can move onto the PHP-FPM stuff - once you know that basic HTML delivery is working.

Apologies if you've already tried that or it's not going to help here.
All taken care of richardtoohey2,


All work great!

These subdomain VirtualHosts do not cause errors but do not work even for index.html. They never have. Just no connection ("Cannot establish connection"), almost as if Apache doesn't see them.


I just disabled them to see if it was causing problems to the other sites and the answer is no. No changes with them disabled.

I have looked over all the configurations over and over.

This is the current tail of modsec_audit.log: (Mod_Security 2.9.3 is working along side OWASPV3 Core Set Rules 3.2.0) as follows with the current tail:


Code:
--11865814-A--
[02/Mar/2020:21:25:43 --0800] Xl3qVwBV34M@yRsmtb3OVwAAANc HOMEIP 49424 104.36.16.72 80
--11865814-B--
GET /index.php HTTP/1.1
Host: wethepeopleonline.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __cfduid=de675588b7e924c4cb4c990d17f027ffe1580654750; a09c59bfacbe5491da19b8ea585f3f3c=j3cdh18t8henkb1k82u90g1d4s
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

--11865814-F--
HTTP/1.1 500 Internal Server Error
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--11865814-H--
Apache-Handler: proxy:fcgi://127.0.0.1:9004
Stopwatch: 1583213143120190 76133 (- - -)
Stopwatch2: 1583213143120190 76133; combined=156, p1=129, p2=0, p3=0, p4=0, p5=22, sr=0, sw=5, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache

--11865814-Z--

Best Regards,

Brandon Kastning
 
Did you address these errors you were getting?

The first two say that you haven't created a required configuration file for the mod_security settings.
The third one is complaining that a PHP file is not found / missing from the /usr/local/www/apache24/data/sysorgmain/ folders. Is the file it is looking for present or missing? That might stop the whole site working if it's a critical one.

Message: Warning. Operator EQ matched 0 at TX. [file "/usr/local/etc/apache24/OWASP3/rules/REQUEST-901-INITIALIZATION.conf"] [line "61"] [id "901001"] [msg "ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"]


Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client HOME_IP] ModSecurity: Warning. Operator EQ matched 0 at TX. [file "/usr/local/etc/apache24/OWASP3/rules/REQUEST-901-INITIALIZATION.conf"] [line "61"] [id "901001"] [msg "ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions"] [severity "CRITICAL"] [hostname "sharpenyoursword.org"] [uri "/"] [unique_id "XlheXTyYRw5ZoXMokoy2CwAAANg"]


Apache-Error: [file "mod_proxy_fcgi.c"] [line 859] [level 3] AH01071: Got error 'PHP message: PHP Warning: require_once(/usr/local/www/apache24/data/sysorgmain/administrator/components/com_jvld/common/class.payment.php): failed to open stream: No such file or directory in /usr/local/www/apache24/data/sysorgmain/plugins/jvldpayment/offline/offline.php on line 18\\nPHP message: PHP Fatal error: require_once(): Failed opening required '/usr/local/www/apache24/data/sysorgmain/administrator/components/com_jvld/common/class.payment.php' (include_path='/usr/local/www/apache24/data/sysorgmain/plugins/system/shlib/shl_packages//ZendFramework-1.11.7-minimal/library:.:/usr/local/share/pear') in /usr/local/www/apache24/data/sysorgmain/plugins/jvldpayment/offline/offline.php on line 18\\n'

As far as getting a white screen all the time when you are trying to view a PHP file, there is probably an issue with one or more PHP files in your sites, but I expect you now have settings in the PHP configuration that suppress the display of those errors.

Temporarily set these settings in one of the domains php-fpm config, restart php-fpm, try to view that domain's php url, see if you get errors reported on screen, then try to resolve those. Reset the config and restart php-fpm whilst you sort out the issues. PHP errors should also be recorded in the php-fpm.log file or in the apache error logs

Code:
; Temporary diagnostic settings for one PHP-FPM pool: report everything and
; print errors in the HTTP response instead of the blank page.
; NOTE(review): display_errors=On puts file paths and stack details into
; pages served to clients; revert both lines once the fault is found and rely
; on the php-fpm / Apache error logs instead.
php_admin_value[error_reporting] = "2147483647"
php_admin_flag[display_errors] = On
 
I have looked over all the configurations over and over.

This is the current tail of modsec_audit.log:
Could you simplify the set-up to just deliver HTML for now?

So first step might be better as a few "It worked!" HTML pages.

Once those are working you can move onto the PHP-FPM stuff - once you know that basic HTML delivery is working.

Apologies if you've already tried that or it's not going to help here.
All taken care of richardtoohey2,



All work great!

These subdomain VirtualHosts do not cause errors but do not work even for index.html. They never have. Just no connection ("Cannot establish connection"), almost as if Apache doesn't see them.


I just disabled them to see if it was causing problems to the other sites and the answer is no. No changes with them disabled.

I have looked over all the configurations over and over.

This is the current tail of modsec_audit.log: (Mod_Security 2.9.3 is working along side OWASPV3 Core Set Rules 3.2.0) as follows with the current tail:


Code:
--11865814-A--
[02/Mar/2020:21:25:43 --0800] Xl3qVwBV34M@yRsmtb3OVwAAANc HOMEIP 49424 104.36.16.72 80
--11865814-B--
GET /index.php HTTP/1.1
Host: wethepeopleonline.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __cfduid=de675588b7e924c4cb4c990d17f027ffe1580654750; a09c59bfacbe5491da19b8ea585f3f3c=j3cdh18t8henkb1k82u90g1d4s
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

--11865814-F--
HTTP/1.1 500 Internal Server Error
X-Content-Type-Options: nosniff
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

--11865814-H--
Apache-Handler: proxy:fcgi://127.0.0.1:9004
Stopwatch: 1583213143120190 76133 (- - -)
Stopwatch2: 1583213143120190 76133; combined=156, p1=129, p2=0, p3=0, p4=0, p5=22, sr=0, sw=5, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache

--11865814-Z--

Best Regards,

Brandon Kastning
Did you address these errors you were getting?

The first two say that you haven't created a required configuration file for the mod_security settings.
The third one is complaining that a PHP file is not found / missing from the /usr/local/www/apache24/data/sysorgmain/ folders. Is the file it is looking for present or missing? That might stop the whole site working if it's a critical one.



As far as getting a white screen all the time when you are trying to view a PHP file, there is probably an issue with one or more PHP files in your sites, but I expect you now have settings in the PHP configuration that suppress the display of those errors.

Temporarily set these settings in one of the domains php-fpm config, restart php-fpm, try to view that domain's php url, see if you get errors reported on screen, then try to resolve those. Reset the config and restart php-fpm whilst you sort out the issues. PHP errors should also be recorded in the php-fpm.log file or in the apache error logs

Code:
; Temporary diagnostic settings for one PHP-FPM pool: report everything and
; print errors in the HTTP response instead of the blank page.
; NOTE(review): display_errors=On puts file paths and stack details into
; pages served to clients; revert both lines once the fault is found and rely
; on the php-fpm / Apache error logs instead.
php_admin_value[error_reporting] = "2147483647"
php_admin_flag[display_errors] = On
anlashok,

While running out of reasons why this hasn't worked, I decided to go back to the original unix sockets that you showed me for php-fpm. I went over the configuration and checked everything.

I restarted the server and php-fpm doesn't return an error. The entire time I have had this system built, I have never seen "service php-fpm status" say it is running.

I immediately logged in as super user and ran the following w/ a zero error dmesg boot:

# service php-fpm onestatus

and received:
Code:
php_fpm is not running.

then I ran

# service php-fpm onestart

and received:
Code:
Performing sanity check on php-fpm configuration:
[03-Mar-2020 11:16:29] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Starting php_fpm.
[03-Mar-2020 11:16:29] ERROR: unable to bind listening socket for address '127.0.0.1:9000': Address already in use (48)
[03-Mar-2020 11:16:29] ERROR: FPM initialization failed
/usr/local/etc/rc.d/php-fpm: WARNING: failed to start php_fpm
#

I believe this may have been the problem all along. Since this has never been resolved and I do not know the cause at this time. I have changed all domains to use unix socket now and all the other lines that I commented out with ;listen = 127.0.0.1:9001 + (no 9000 port).

Perhaps there is a configuration file I am not remembering.

Now I am getting 503 Unavailable since switching back to unix sockets.

Thanks again. This is a tough one! :)
 
Code:
 sockstat -4
will show what else is running on those ports
# sockstat -4

outputted the following:

Code:
www      php-fpm    58855 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58643 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58588 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58405 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58197 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58180 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    58041 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    57997 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    57919 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    57768 6  tcp4   127.0.0.1:9006        *:*
www      php-fpm    57600 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    57435 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    57365 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    57187 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    57084 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    57031 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    56912 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    56867 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    56709 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    56590 6  tcp4   127.0.0.1:9002        *:*
www      php-fpm    56426 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    56241 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    56042 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55990 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55965 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55817 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55693 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55606 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55444 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55246 6  tcp4   127.0.0.1:9005        *:*
www      php-fpm    55217 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    55019 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54877 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54662 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54588 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54543 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54366 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54243 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54209 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    54047 6  tcp4   127.0.0.1:9004        *:*
www      php-fpm    53998 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53993 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53954 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53845 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53790 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53728 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53517 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53357 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53295 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53120 6  tcp4   127.0.0.1:9003        *:*
www      php-fpm    53006 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52886 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52859 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52714 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52551 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52462 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52318 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52241 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    52071 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    51999 6  tcp4   127.0.0.1:9001        *:*
www      php-fpm    51871 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    51704 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    51632 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    51456 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    51242 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    51044 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    50905 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    50838 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    50690 6  tcp4   127.0.0.1:9000        *:*
www      php-fpm    50649 6  tcp4   127.0.0.1:9000        *:*
root     php-fpm    50444 8  tcp4   127.0.0.1:9000        *:*
root     php-fpm    50444 9  tcp4   127.0.0.1:9001        *:*
root     php-fpm    50444 10 tcp4   127.0.0.1:9003        *:*
root     php-fpm    50444 11 tcp4   127.0.0.1:9004        *:*
root     php-fpm    50444 12 tcp4   127.0.0.1:9005        *:*
root     php-fpm    50444 13 tcp4   127.0.0.1:9002        *:*
root     php-fpm    50444 14 tcp4   127.0.0.1:9006        *:*
 
that's showing a lot of php-fpm processes listening on tcp network ports still. If you have switched back over to unix sockets successfully for all hosts, there shouldn't be any showing up there at all.

Code:
sockstat | grep php-fpm

on my server shows this, which confirms that the php-fpm processes are using unix sockets for their connections. There are no instances using tcp4 connections.

Code:
www      php-fpm    63057 6  stream /var/run/example.com-php-fpm.sock
www      php-fpm    63056 6  stream /var/run/example.com-php-fpm.sock
www      php-fpm    63055 5  stream -> /tmp/mysql.sock
www      php-fpm    63055 6  stream /var/run/example2.com-php-fpm.sock
www      php-fpm    63054 6  stream /var/run/example2.com-php-fpm.sock
www      php-fpm    63053 6  stream /var/run/example.org-php-fpm.sock
www      php-fpm    63052 6  stream /var/run/example.org-php-fpm.sock
root     php-fpm    63051 5  stream -> ??
root     php-fpm    63051 7  stream -> ??
root     php-fpm    63051 8  stream /var/run/example.org-php-fpm.sock
root     php-fpm    63051 9  stream /var/run/example.com-php-fpm.sock
root     php-fpm    63051 10 stream /var/run/example2.com-php-fpm.sock
 
anlashok,

10-4; Rebooting server.

that's showing a lot of php-fpm processes listening on tcp network ports still. If you have switched back over to unix sockets successfully for all hosts, there shouldn't be any showing up there at all.

Code:
sockstat | grep php-fpm

on my server shows this, which confirms that the php-fpm processes are using unix sockets for their connections. There are no instances using tcp4 connections.

Code:
www      php-fpm    63057 6  stream /var/run/example.com-php-fpm.sock
www      php-fpm    63056 6  stream /var/run/example.com-php-fpm.sock
www      php-fpm    63055 5  stream -> /tmp/mysql.sock
www      php-fpm    63055 6  stream /var/run/example2.com-php-fpm.sock
www      php-fpm    63054 6  stream /var/run/example2.com-php-fpm.sock
www      php-fpm    63053 6  stream /var/run/example.org-php-fpm.sock
www      php-fpm    63052 6  stream /var/run/example.org-php-fpm.sock
root     php-fpm    63051 5  stream -> ??
root     php-fpm    63051 7  stream -> ??
root     php-fpm    63051 8  stream /var/run/example.org-php-fpm.sock
root     php-fpm    63051 9  stream /var/run/example.com-php-fpm.sock
root     php-fpm    63051 10 stream /var/run/example2.com-php-fpm.sock
hmm... perhaps it's caching the old connections.

The only configuration files I can find are /usr/local/etc/php-fpm.conf (no mention of any ports) && /usr/local/etc/php-fpm.d/www.conf (the ports are commented out with ; and only the .sock's are uncommented).
 
/var/log/modsec_audit.log (Mod Security V2 log):

Code:
--409a4c77-A--
[03/Mar/2020:14:52:34 --0800] Xl7fsq6gVR@MUEEu70PLkwAAANY HOMEIP 52800 104.36.16.72 80
--409a4c77-B--
GET /index.php HTTP/1.1
Host: wethepeopleonline.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: a09c59bfacbe5491da19b8ea585f3f3c=tj129hv2mefpb36lio1b2aafbg
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

--409a4c77-F--
HTTP/1.1 503 Service Unavailable
X-Content-Type-Options: nosniff
Content-Length: 299
Connection: close
Content-Type: text/html; charset=iso-8859-1

--409a4c77-H--
Apache-Error: [file "mod_proxy_fcgi.c"] [line 1068] [level 3] AH01079: failed to make connection to backend: httpd-UDS
Apache-Handler: proxy:unix:/var/run/wethepeopleonline.com-php-fpm.sock|fcgi://localhost/
Stopwatch: 1583275954979229 6359 (- - -)
Stopwatch2: 1583275954979229 6359; combined=250, p1=220, p2=0, p3=0, p4=0, p5=25, sr=0, sw=5, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache

--409a4c77-Z--d
 
I reverted to ports and it's back to the white screen.

So if I change it back to unix sockets; I get a 503 unavailable.

I also installed NGINX

if you go to http://sharpenyoursword.org:81/index.html you should see a basic HTML page for "SharpenYourSword" [NGINX]

However, when using the following (so far I have only seen an NGINX example that uses ports as opposed to unix sockets):

I configured it to use port 81 for testing and created a new sharpenyoursword.org data folder where I extracted a fresh RT-Joomla-Premium-Template in PHP (it should display the Joomla Installer page).

http://sharpenyoursword.org:81/index.php (White page w/ 200 GET)

/usr/local/etc/nginx/nginx.conf:

Code:
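user  www;
worker_processes  1;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
error_log  /var/log/nginx/error.log;
#

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    # Pulls in the sharpenyoursword.org server block. It also listens on
    # port 81, so nginx chooses between the two port-81 servers by the Host
    # header; the first one defined (this include) is the default for a
    # request whose Host matches neither server_name.
    include       001_sharpenyoursword.org.conf;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;
    access_log /var/log/nginx/access.log;
    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       81;
        server_name  localhost;

        # One document root for the whole server, so the static handler and
        # the PHP handler agree on $document_root.
        root   /usr/local/www/nginx/sysorgmain/;
        index  index.php index.html index.htm;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;
        access_log logs/sharpenyoursword.org.access.log;

        location / {
            # Serve the file or directory if it exists, otherwise 404.
            try_files $uri $uri/ =404;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/local/www/nginx-dist;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to the FastCGI server listening on 127.0.0.1:9001
        # (the sockstat output above shows a php-fpm pool bound there; which
        # pool that is should be checked in /usr/local/etc/php-fpm.d/)
        #
        location ~ \.php$ {
            # Only hand a request to PHP-FPM when the .php file really exists
            # under $document_root; anything else gets a 404 from nginx itself
            # instead of being forwarded to the interpreter.
            try_files $uri =404;
            fastcgi_pass   127.0.0.1:9001;
            fastcgi_index  index.php;
            include        fastcgi_params;
            # The stock example value "/scripts$fastcgi_script_name" pointed
            # PHP-FPM at a directory that does not exist here, and the stock
            # fastcgi_params file does not set SCRIPT_FILENAME itself, so
            # PHP-FPM never received the real path of index.php. Set it after
            # the include so nothing in fastcgi_params can override it.
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
            deny  all;
        }
    }
}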
 
I almost forgot:

inside nginx.conf is an include line that pulls in the sharpenyoursword.org server block:

001_sharpenyoursword.org.conf:

Code:
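server {

  listen 81;
  server_name sharpenyoursword.org; # Replace with your IP or hostname
  root /usr/local/www/nginx/sysorgmain/;
  index index.php index.html index.htm;

  location / {
    try_files $uri $uri/ =404;
  }

  location ~ \.php$ {
    # Only hand the request to PHP-FPM when the .php file really exists under
    # $document_root; everything else gets a 404 from nginx itself.
    try_files $uri =404;
    fastcgi_pass 127.0.0.1:9001;
    fastcgi_index index.php;
    include fastcgi_params;
    # The stock fastcgi_params file does not define SCRIPT_FILENAME, so with
    # this line commented out PHP-FPM never learned which script to run (the
    # white page with a 200). The commented-out version also had a run of
    # spaces between $document_root and $fastcgi_script_name, which nginx
    # parses as two arguments and rejects. Keep it after the include so it is
    # not overridden.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  }

  # Never serve Apache-style dotfiles (.htaccess, .htpasswd) when the same
  # document root is shared with Apache.
  location ~ /\.ht {
    deny all;
  }

}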
 
StreetDancer

for a TCP-based proxy in nginx it would be as you have it now:
Code:
fastcgi_pass 127.0.0.1:9001;
the unix socket equivalent would be this; just replace php72-fpm.sock with one of yours:
Code:
fastcgi_pass unix:/var/run/php72-fpm.sock;
 