open_basedir restriction for wrong client website?

Discussion in 'Installation/Configuration' started by ItsDom, Nov 25, 2013.

  1. ItsDom

    ItsDom New Member


    Server setup: CentOS 6.4 with nginx (from this guide IIRC–-centos-64-x86-64-nginx-dovecot-ispconfig-3/)

    I recently updated to

    On my server, I have 1 client account (client5) with 3 websites (web5 - 7)

    web5 works perfectly in all respects.

    web6 failure looks like this:

    Notice that the allowed paths have web5 instead of web6 (I've replaced the actual web5 domain name with ACTUALWEB5DOMAIN - web6 and web7 are internal domains.)

    Same with web7, which gets the following error:
    Again, notice how the allowed paths include web5 details instead of web7.

    Some settings.
    web6 open_basedir from control panel interface:
    web7 open_basedir from control panel interface:
    web6 open_basedir from /etc/php-fpm.d/web6:
    web7 open_basedir from /etc/php-fpm.d/web7:
    web6 php_open_basedir field value in web_domain table of ISPConfig database:
    web7 php_open_basedir field value in web_domain table of ISPConfig database:
    I think the issue is due to the nginx directive. I'm using fat-free framework on all 3 domains, so I have the following nginx directive on all 3:

    I've just noticed that when I remove the directive from web6 or web7, they work as you would expect it to work with no directive (e.g. the framework loads but freaks out because it's not got the right URL - no open_basedir restriction in the log though.)

    Any idea what's causing this strange behaviour? I can't figure out why, even if the directive is faulty, it would use a different website's open_basedir.
  2. ItsDom

    ItsDom New Member

    So I think I've fixed it.

    The issue was I had the wrong port number in the nginx directive.

    Basically, Fast-CGI server on my setup was running on port 9000.

    Explanation for strange behaviour

    Perhaps someone could confirm, but I think the reason why it was showing such strange symptoms was that the main php-fpm server listens on 9000, and for each client website, it spawns a new connection on a different port with the settings specific to that website (including open_basedir restrictions and other php.ini custom rules I'm guessing.)

    Port 9014 happened to be the port that had been assigned for web5, so when the other websites were using port 9014, they were effectively running it through web5's PHP process, which is why it was trying to use web5's open_basedir restriction.

    To fix this, I simply changed the nginx directive fastcgi_pass to use the correct port for the main php-fpm server (port 9000) and not a specific child process port (9014) that was spawned for Web5.

    What I don't fully understand is why it worked fine before for a while and then stopped working with the latest update.

    Either way, problem is fixed, I'd appreciate it if someone that knows a bit more about how PHP-FPM and different client websites interact could confirm that this is the correct reason.
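
A mismatch like the one in this thread can be checked for mechanically. The following is an added example, not part of the original posts or of ISPConfig: it compares each nginx vhost's `fastcgi_pass` target with the PHP-FPM pool listening on that address and flags vhosts whose document root lies outside that pool's `open_basedir`. The config layout, the paths and every port other than 9014 and 9000 are constructed assumptions.

```python
import re

# Constructed sample configs, not taken from the thread. Port 9014 for web5 and
# port 9000 are from the thread; 9015/9016 and every path are assumptions.
BASE = "/var/www/clients/client5"

def pool_conf(site, port):
    return (f"[{site}]\nlisten = 127.0.0.1:{port}\n"
            f"php_admin_value[open_basedir] = {BASE}/{site}/web:{BASE}/{site}/tmp\n")

def vhost_conf(site, port):
    return (f"server {{\n    root {BASE}/{site}/web;\n"
            f"    location ~ \\.php$ {{ fastcgi_pass 127.0.0.1:{port}; }}\n}}\n")

POOLS = {s: pool_conf(s, p) for s, p in [("web5", 9014), ("web6", 9015), ("web7", 9016)]}
VHOSTS = {"web5": vhost_conf("web5", 9014),   # matches its own pool
          "web6": vhost_conf("web6", 9014),   # points at web5's pool
          "web7": vhost_conf("web7", 9000)}   # no per-site pool listens here

def parse_pool(text):
    """Return (listen address, list of open_basedir entries) for one pool file."""
    listen = re.search(r"^\s*listen\s*=\s*(\S+)", text, re.M).group(1)
    m = re.search(r"^\s*php_admin_value\[open_basedir\]\s*=\s*(.+)$", text, re.M)
    return listen, (m.group(1).strip().split(":") if m else [])

def parse_vhost(text):
    """Return (document root, list of fastcgi_pass targets) for one vhost file."""
    root = re.search(r"^\s*root\s+([^;]+);", text, re.M).group(1).strip()
    return root, [t.strip() for t in re.findall(r"fastcgi_pass\s+([^;]+);", text)]

def covers(basedirs, path):
    # Directory containment; stricter than PHP's own prefix matching.
    return any(path == b.rstrip("/") or path.startswith(b.rstrip("/") + "/") for b in basedirs)

def audit(pools, vhosts):
    """Return (site, target, pool_or_None) for every vhost/pool mismatch."""
    by_listen = {parse_pool(t)[0]: (name, parse_pool(t)[1]) for name, t in pools.items()}
    findings = []
    for site, text in vhosts.items():
        root, targets = parse_vhost(text)
        for target in targets:
            pool, basedirs = by_listen.get(target, (None, []))
            if pool is None or not covers(basedirs, root):
                findings.append((site, target, pool))
    return findings

if __name__ == "__main__":
    for site, target, pool in audit(POOLS, VHOSTS):
        print(f"{site}: fastcgi_pass {target} -> {pool or 'no per-site pool'}")
```

A vhost reported with a pool name is being served under another site's PHP settings; one reported with no pool is reaching a listener that has no per-site `open_basedir` in the pool files examined.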

