some nice hacks for ispconfig + stretch ( roundcube, enigma, munin, phpmyadmin using php-fpm )

Discussion in 'Tips/Tricks/Mods' started by ztk.me, Oct 5, 2017.

  1. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    I'm not going too much into detail on how to enable some plugins or edit the config for those, so please bring a cup of coffee if you don't know what it is all about

    if you don't want to use mod_php because of apache mpm_prefork sucks you need to watch out
    roundcube / phpmyadmin / munin won't work that easy

    you could install it as ispapps with some hazzle or symlink to ispconfig web-folder but... that's not nice

    create a website in ispconfig with your hostname ( fqdn ) and enable letsencrypt/ssl + cgi + php-fpm for that.

    Add custom apache config to that website

    phpmyadmin
    Code:
    Alias /phpmyadmin /usr/share/phpmyadmin
    Directory /usr/share/phpmyadmin/setup>
        <IfModule mod_authz_core.c>
            <IfModule mod_authn_file.c>
                AuthType Basic
                AuthName "phpMyAdmin Setup"
                AuthUserFile /etc/phpmyadmin/htpasswd.setup
            </IfModule>
            Require valid-user
        </IfModule>
    </Directory>
    
    # Disallow web access to directories that don't need it
    <Directory /usr/share/phpmyadmin/templates>
        Require all denied
    </Directory>
    <Directory /usr/share/phpmyadmin/libraries>
        Require all denied
    </Directory>
    <Directory /usr/share/phpmyadmin/setup/lib>
        Require all denied
    </Directory>
    
    roundcube
    Code:
    Alias /webmail /var/lib/roundcube
    
    <Directory /var/lib/roundcube/>
      Options +FollowSymLinks
      # This is needed to parse /var/lib/roundcube/.htaccess. See its
      # content before setting AllowOverride to None.
      AllowOverride All
      <IfVersion >= 2.3>
        Require all granted
      </IfVersion>
      <IfVersion < 2.3>
        Order allow,deny
        Allow from all
      </IfVersion>
    </Directory>
    
    # Protecting basic directories:
    <Directory /var/lib/roundcube/config>
            Options -FollowSymLinks
            AllowOverride None
    </Directory>
    <Directory /var/lib/roundcube/temp>
            Options -FollowSymLinks
            AllowOverride None
            <IfVersion >= 2.3>
              Require all denied
            </IfVersion>
            <IfVersion < 2.3>
              Order allow,deny
              Deny from all
            </IfVersion>
    </Directory>
    
    <Directory /var/lib/roundcube/logs>
            Options -FollowSymLinks
            AllowOverride None
            <IfVersion >= 2.3>
              Require all denied
            </IfVersion>
            <IfVersion < 2.3>
              Order allow,deny
              Deny from all
            </IfVersion>
    </Directory>
    
    munin
    Code:
    Alias /munin /var/cache/munin/www
    <Directory /var/cache/munin/www>
       AuthType Basic
       AuthName "Members Only"
       AuthUserFile /etc/munin/munin-htpasswd
       <limit GET POST>
            require valid-user
        </limit>
            Options None
    </Directory>
    
    ScriptAlias /munin-cgi/munin-cgi-graph /var/www/<yourFQDN>/cgi-bin/munin-cgi-graph
    <Location /munin-cgi/munin-cgi-graph>
       AuthType Basic
       AuthName "Members Only"
       AuthUserFile /etc/munin/munin-htpasswd
       <limit GET POST>
           require valid-user
        </limit>
            <IfModule mod_fcgid.c>
                SetHandler fcgid-script
            </IfModule>
            <IfModule !mod_fcgid.c>
                SetHandler cgi-script
            </IfModule>
    </Location>
    
    change <yourFQDN> to your fqdn!
    copy /usr/lib/munin/cgi/munin-cgi-graph to /var/www/<yourFQDN>/cgi-bin/munin-cgi-graph ( check for updates when upgrading sys )
    give the cgi the owner/group ( webx/clienty ) of that domain and $chmod 550 munin-cgi-graph
    If you followed the tutorial for munin, you should have setup an password in /etc/munin/munin-htpasswd using htpasswd command...


    change links in ispconfig settings accordingly ( https://fqdn/phpmyadmin .... )


    ====

    if you want to run enigma-plugin ( pgp ) in roundcube on debian stretch you need to get some packages, preferable this way:
    modify /etc/apt/preferences , it could look like that ( I added additional repo for php 5.6, you can ignore sury.org )
    Code:
    Package: *
    Pin: release a=stable
    Pin-Priority: 700
    
    Package: *
    Pin: release a=testing
    Pin-Priority: 499
    
    Package: *
    Pin: origin packages.sury.org
    Pin-Priority: 498
    
    aswell as add buster to your /etc/apt/sources.list
    Code:
    deb http://ftp.de.debian.org/debian/ stretch main contrib non-free
    deb-src http://ftp.de.debian.org/debian/ stretch main contrib non-free
    
    deb http://ftp.de.debian.org/debian/ buster main contrib non-free
    deb-src http://ftp.de.debian.org/debian/ buster main contrib non-free
    
    deb http://security.debian.org/ stretch/updates main contrib non-free
    deb-src http://security.debian.org/ stretch/updates main contrib non-free
    
    # stretch-updates, previously known as 'volatile'
    deb http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
    deb-src http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
    
    now you can
    $apt-get update
    and
    $apt-get install php-crypt-gpg gpg gpgv2
    ( sorry, either gpg or gpgv2 should work, would have to double check now, both might work aswell )

    this is b/c crypt-pgp is not in stretch and the gpg version in stretch is broken.

    now edit /usr/share/roundcube/plugins/enigma/lib/enigma_driver_gnupg.php
    there's a require-line, which needs an addition, should look like that
    Code:
    ...
    require_once 'Crypt/GPG.php';
    require_once 'Crypt/GPG/KeyGenerator.php';
    
    class enigma_driver_gnupg extends enigma_driver
    ...
    
    now configure enigma as it should be... oh yeah enigma uses a home-directory, it needs r/w access for the web/client the php-fpm is running at, shouldn't be accessable by anyone else!
    I filed a bug report on debian mailing list for that but.. seems to take a while though.

    Besides, if you want to use message-hightlight ( I guess that was the plugin ) and it's not working, don't give up, it's probably just a missing symlink from /var/lib/roundcube/plugins/pluginname to /usr/share/roundcube/plugins/pluginname


    Be also aware of if you use phpmyadmin feature to import/export databases to a folder on the server and you're using a shared environment .... well yeah, you shouldn't use the same folder configured for all users, doh ;)

    hope I didn't miss something, have a nice day



    edit: uhm sorry falko, wasn't sure where to put it, should've read your post before that, so sorry didn't see, eating my carrot - hoping to improve my eyesight *hug
     
    Last edited: May 7, 2018
    concept21 and Hans like this.
  2. Hans

    Hans Moderator ISPConfig Developer

    Thanks for this howto! It is exactly where I was looking for.
     
  3. Poliman

    Poliman Member

    On my vps with ISP installed from Perfect Server tutorial. I did http/2. About http/2 implementation:
    Code:
    a2enconf php7.0-fpm
    systemctl reload apache2
    a2dismod php7.0
    systemctl restart apache2
    a2dismod mpm_prefork
    a2enmod mpm_event
    systemctl restart apache2
    I have problem with roundcube and phpmyadmin (and if I would have munin then with this one too) but maybe your hacks will help in implement http/2 on servers with this also, because these require mpm_event. Roundcube's script tries download and phpmyadmin after open shows only words, without any functionality.
     
    Last edited: Apr 18, 2018
  4. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    #1 of all: At least until including debian stretch I can't recommend mpm_event, sure, 99,9% of the time it operates amazing but I guess due to a bug or something it can stop serving requests. Long research and almost no useful input ( someone blamed threading model and thought he "hacked" it by special calculated config ) I went back to _worker, still threaded, still good enough.
    Maybe someone thinks he knows the issue and has a solution, I'd like to learn from you :)

    @Poliman php-fpm is not automatically used for default alias-configs for debians implementation of roundcube/phpmyadmin.... setups.
    You could symlink the folders on your filesystem as subdirectory of the ispconfig web-root,

    define a virtualhost and add the alias needed to the extra http options ( and create a free letsencrypt cert for your servers mail,ispconfig,ftp.. - use hostname for virtualhost - ),

    or modify the conf-files to parse .php with fpm-interpreter



    Edit: I'm not sure if this hack still works, please test it before messing your live system
     
  5. Poliman

    Poliman Member

    Sure, before production I always destroy virtual machines. :p
     
    ztk.me likes this.
  6. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    in fact I had an issue with my php7 recently where the solution was to remove my priority setting for sury ...
    real people use real hardware to destroy :D If it doesn't work you can kick it - all anger pointed to the right direction :)
     
  7. Poliman

    Poliman Member

    Last edited: May 8, 2018
  8. concept21

    concept21 Member

    You must also installled and enable these 2 apache2 modules:
    proxy
    proxy_fcgi

    mpm_event will be working flawlessly! :cool:
     
    ztk.me likes this.
  9. Poliman

    Poliman Member

    Why they are needed? :)
     
  10. concept21

    concept21 Member

    I am not a programmer. So I can't explain the reason. When I searched for a solution to make mpm_event to work, I read an article on apache2 official documentation mentioning this 2 modules. After I have enabled them, roundcube begins to work and doesn't show the php text files any more. :cool: Believe it or not? :cool:
     
  11. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

  12. Poliman

    Poliman Member

    I will check I have on my VPS these two mods enabled. ;) If would be that easy we won't need @ztk.me tutorial, is that right @ztk.me @concept21 ? :p
     
  13. concept21

    concept21 Member

  14. concept21

    concept21 Member

    OK.
    One more step to conclude the implementation of mpm_event.
    To prevent the snail sucker mpm_prefork from being loaded again upon php software updating, uninstall this module altogether:
    apt purge libapache2-mod-php7.0

    I remind you guys. Never read anything from the Stuckflow site. I have never found any article on it which helps. They curse mpm_event and are very desperate and crasy to make it work. Some even say it is very difficult to make mpm_event and php working together. :confused:

    However, the fact is, as you know, to me, it is very ........ :cool:
     
  15. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    I wonder which that might be. If you know more than I please teach me, I'd love to use _event, tried for some years every now and then but always fails ( rare conditions, but surely all the same reason ) ... rendering not useable for my debian lamp stack :(

    for me, no need since I never installed it, the issue is a little more in depth :/
     
  16. Poliman

    Poliman Member

    I have tested it yesterday. It worked but I had to do something in right order, because turning on proxy and proxy_fcgi turn on also mpm_prefork, which automatically turn off http2. I should do:
    Code:
    a2enmod proxy
    a2enmod proxy_fcgi
    systemctl restart apache2
    a2dismod mpm_prefork //again disable it
    a2enmod mpm_event
    systemctl restart apache2
    After this roundcube and phpmyadmin work perfect.

    PS
    @concept21 And yes, in my experience stuckoverflow does not help many times, because many times in threads people, who don't understand very good some subject, try to help and say some very harm advices.
     
  17. concept21

    concept21 Member

    Wonderful!!! mpm_event is so much faster! :D
     
  18. concept21

    concept21 Member

    ztk,
    Please observe that you must enable these 2 apache2 modules:
    proxy
    proxy_fcgi

    It is part of the apache2 log of my Ubuntu 16.04.4. It also mention the need for mod_fastcgi and mod_fcgid. Believe it or not? :cool:

    ============
    [mpm_event:notice] AH00489: Apache/2.4.18 (Ubuntu) mod_fastcgi/mod_fastcgi-SNAP-0910052141 OpenSSL/1.0.2g mod_fcgid/2.3.9 configured -- resuming normal operations
     
  19. Poliman

    Poliman Member

    Few commands mentioned in my earlier post turn on easly http2 and don't break roundcube and phpmyadmin. ;)
     
  20. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    Last edited: May 25, 2018

Share This Page