The Perfect Server - Debian 9 (Stretch) - Add PHP 5.3?

Discussion in 'Tips/Tricks/Mods' started by JohnnyBeGood, Oct 10, 2017.

  1. JohnnyBeGood

    JohnnyBeGood Member


    I'm in the process moving from really old Ubuntu server to new Debian 9 and I got VM from this tutorial
    Got everything working so far but I'm stuck now on version, because PHP 7 is installed and I have one very old site that only works with up to PHP 5.3 and I have to have that old PHP version and the website will be read only (archive).
    I cannot figure out how to add PHP 5.3 so that its selectable in ISPconfig?

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That PHP 5.3 is selectable in ISPConfig is probably the easy part, you just have to add the path to it under System > PHP versions. I guess the yourreal problem will be to get or compile PHP 5.3 for Debian 9 at all because of some libs, especially OpenSSL, are too new for PHP 5.3, so you will have to compile some older library versions first before you can compile PHP 5.3.
  3. ISPConfig Developer ISPConfig Developer

    Attached Files:

    Last edited: Oct 12, 2017
  4. JohnnyBeGood

    JohnnyBeGood Member

    Thanks for the reply!
    Can point me to any tutorial or help me achieve this ?
    I have inmotion hosting account for one of the critical website and they do it via .htaccess file PHP 5.3 together with PHP 7
    I understand there's much more behind it but thought it might useful.
  5. ISPConfig Developer ISPConfig Developer

    All they do is loading several mod_php versions and using different names + allow customers to set what handler to be used for serving .php files.
    You'd still need to build these modules for apache in that case.

    Regarding compiling php 5.3 - I don't know wether there's much help out there, it'd be time consuming to put all the pieces together :/
    Only place I actually found ready made .deb is
    Depending on how much trust you have on running these binarys, it might be a solution or not.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem is not to use PHP 5.3 as I mentioned in #2 in this thread, you have just to enter 3 paths in ISPConfig and press save, that's all. So it's easier to achieve this in ISPconfig than what is described in the page you posted as you donÄt have to edit any files. What the guide you posted does not describe is the important part, how they compiled PHP 5.3 on Debian 9 as PHP 5.3 does not compile on Debian 9 without modifications in the source code as this PHP version is too old. posted above some steps to achieve this. I don't have another PHP 5.3 compile tutorial at hand for Debian 9.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    As mentioned, getting PHP 5.3 to work on a current Linux is not an easy task and even an experienced admin might not be able to do this 'virtually' without actually doing the compilation on a system and then fixing compile issue after compile issue until it works. That's what makes it so complicated to help you with that trough the forum now. If you really need this, then one option might be is that you ask Florian if he can compile it for you remotely:
  8. JohnnyBeGood

    JohnnyBeGood Member

    Thank you so much for taking time to post this!
    I will look into this.
  9. JohnnyBeGood

    JohnnyBeGood Member

    Ok, thanks for taking time to look into this. I came across this thread and last post explains a workaround, maybe ?

    How about installing different OS on a different VM? I'm just looking to minimize errors and make it simple install process.

    I would love if Florian could make it work but if another option is more simply and takes less time I would not bother him to waste his time. I'm open to any other options.
  10. ISPConfig Developer ISPConfig Developer

    depends on your hardware, sure you _can_ setup a chroot debootstrap for example letting php-fpm run and let your site connect to it via TCP
    this puts some extra load onto your system on the other hand but with a decent system this should be neglible
  11. ISPConfig Developer ISPConfig Developer

    however, you'd need to use some quirks like you can't use ISPConfig to manage php for that instance that easy and you would need to make sure (somehow) php-fpm can access the files as expected and the php-files which uses file operations aswell ...
    it can be done, but it won't be nice, but I doubt you need to change much for such an old piece of software if it runs as needed I guess.
    personally I doubt the prebuild debs from liveconfig contain malicious code, would be bad for their business - up to you however
  12. ISPConfig Developer ISPConfig Developer

    last thought, ha yeah it's mentioneing running the complete web in a chroot with its own webserver and use same principle as how nodejs and such stuff works by using proxypass on a configured website - that'd be pretty easy to do
  13. JohnnyBeGood

    JohnnyBeGood Member

    Never used debootstrap, it runs inside/under Debian sort of like VM?
  14. JohnnyBeGood

    JohnnyBeGood Member

    Last edited: Oct 11, 2017
  15. ISPConfig Developer ISPConfig Developer

    yes, debootstrap is some kind of VM .... however it won't automatically "boot" on startup, it's more like running applications in a different context of the host system. That's where docker comes into play, docker uses images of such directories which are started automatically, oh btw. you could use proxmox and setup an "old" server with debian jessie - much overhead but easy to achieve.

    for completeness, example using debootstrap ( I didn't cover installation of apc or configure apache or symlink, more to that at the end of this post )

    On your host-system do

    export MY_CHROOT=/jessie-chroot
    mkdir -p $MY_CHROOT
    debootstrap jessie $MY_CHROOT
    echo "proc $MY_CHROOT/proc proc defaults 0 0" >> /etc/fstab
    mount proc $MY_CHROOT/proc -t proc
    echo "sysfs $MY_CHROOT/sys sysfs defaults 0 0" >> /etc/fstab
    mount sysfs $MY_CHROOT/sys -t sysfs
    cp /etc/hosts $MY_CHROOT/etc/hosts
    chroot $MY_CHROOT /bin/bash
    within chroot do

    apt-get update
    apt-get install locales bzip2
    dpkg-reconfigure tzdata locales
    mkdir /opt/php-5.3.29
    mkdir /usr/local/src/php5-build
    cd /usr/local/src/php5-build
    wget -O php-5.3.29.tar.bz2
    tar jxf php-5.3.29.tar.bz2
    apt-get install libbz2-dev libxml2-dev libcurl4-openssl-dev libjpeg-dev libpng-dev libxpm-dev libfreetype6-dev libc-client2007e-dev libkrb5-dev libmcrypt-dev libpq-dev libmysqlclient-dev build-essential
    mkdir /usr/include/freetype2/freetype
    ln -s /usr/include/freetype2/freetype.h /usr/include/freetype2/freetype/freetype.h
    ln -s /usr/lib/libc-client.a /usr/lib/x86_64-linux-gnu/libc-client.a
    cd php-5.3.29/
    ./configure --prefix=/opt/php-5.3.29 --with-pdo-pgsql --with-zlib-dir --with-freetype-dir --enable-mbstring --with-xpm-dir=/usr --with-libxml-dir=/usr --enable-soap --enable-calendar --with-curl --with-mcrypt --with-zlib --with-gd --with-pgsql --disable-rpath --enable-inline-optimization --with-bz2 --with-zlib --enable-sockets --enable-sysvsem --enable-sysvshm --enable-pcntl --enable-mbregex --with-mhash --enable-zip --with-pcre-regex --with-mysql --with-pdo-mysql --with-mysqli --with-jpeg-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf --with-openssl --with-fpm-user=www-data --with-fpm-group=www-data --with-libdir=/lib/x86_64-linux-gnu --enable-ftp --with-imap --with-imap-ssl --with-kerberos --with-gettext --enable-fpm
    make install
    Now you have different options:

    1. Run php-fpm in that chroot using tcp listener ( configure additional php version in ispconfig, you'd need to link the pool.d / conf.d / php.ini folder to host system where ISPConfig can place webxy.conf .... and uhm add some fake stop/start script, maybe you need to manually reload or hack some stuff together)
    however you would need to link the /var directory into that chroot and copy the corresponding web/client user passwd/group entries into that chroot aswell ( theory I might still have missed something )

    2. install apache with mod_fastcgi and mpm_worker ( recommended ) or use mod_fcgi ( doesn't need patched mod_fastcgi be compiled by yourself, however performance is better with mod_fastcgi ) and set apache port to listen on some differen port and add proxypass config in ISPConfig for that website ( no need to configure PHP on ISPConfig, but changing configs/reloading webserver needs to be done in chroot )

    3. use real virtualization like lxc ct-chroot container ( best performance ) or quemu or docker or setup admin interface to manage your servers using proxmox.
  16. ISPConfig Developer ISPConfig Developer

    yeah screw that, I patched halfway trough openssl.c to make it compatible with 1.1 but uhm yeah didn't even start to test that yet ... soo if you really need that, go for @till 's suggestion and get a quote - or ask liveconfig support what they did .... where I guess they just disabled imap and openssl - support.

    however, I'm going to go the same way I likely did it the last time, since my linked build-package doesn't contain much patched files I'm going to use openssl 1.0.1 and maybe patch curl which might be easier or whatever is needed to get the job done fast

    nice lecture for that topic btw.
    Last edited: Oct 12, 2017
  17. ISPConfig Developer ISPConfig Developer

    done :)
    if you need postgresql-support, additional steps needs to be done ( compile libpsql with openssl 1.0.2 )
    change the -j4 at make commands to approximal your cpu cores

    apt-get install libbz2-dev libxml2-dev libcurl4-openssl-dev libjpeg-dev libpng-dev libxpm-dev libfreetype6-dev libc-client2007e-dev libkrb5-dev libmcrypt-dev libpq-dev libmariadbclient-dev-compat build-essential libxml2-dev libcurl4-openssl-dev libpcre3-dev libbz2-dev libjpeg-dev libpng-dev libfreetype6-dev libmcrypt-dev libmhash-dev freetds-dev libmariadbclient-dev-compat unixodbc-dev libxslt1-dev libfcgi-dev libfcgi0ldbl libmcrypt-dev libssl-dev
    mkdir /usr/local/src/openssl
    cd /usr/local/src/openssl
    tar xf openssl-1.0.2l.tar.gz
    cd openssl-1.0.2l
    ./config shared --openssldir=/usr/local/openssl/ enable-ec_nistp_64_gcc_128
    make depend
    make -j4
    make install
    ln -s /usr/local/openssl/lib /usr/local/openssl/lib/x86_64-linux-gnu
    mkdir /usr/local/src/curl
    cd /usr/local/src/curl
    tar xf curl-7.56.0.tar.gz
    cd curl-7.56.0
    env PKG_CONFIG_PATH=/usr/local/openssl/lib/pkgconfig LDFLAGS=-Wl,-rpath=/usr/local/openssl/lib ./configure --with-ssl=/usr/local/openssl --with-zlib --prefix=/usr/local/curl
    make  -j4
    make install
    mkdir /usr/local/imap
    cd /usr/local/imap
    dpkg-source -x uw-imap_2007f~dfsg-5.dsc
    cd uw-imap-2007f~dfsg/
    touch {ipv6,lnxok}
    ## make process will fail, however it generates what we need, still
    make slx SSLINCLUDE=/usr/local/openssl/include/ SSLLIB=/usr/local/openssl/lib EXTRAAUTHENTICATORS=gss
    mkdir lib include
    cp c-client/*.c lib/
    cp c-client/*.h include/
    cp c-client/c-client.a lib/libc-client.a
    ln -s /usr/lib/libc-client.a /usr/lib/x86_64-linux-gnu/libc-client.a
    mkdir /opt/php-5.3.29
    mkdir /usr/local/src/php5-build
    cd /usr/local/src/php5-build
    wget -O php-5.3.29.tar.bz2
    tar jxf php-5.3.29.tar.bz2
    optional suhoshin-patch
    cd /usr/local/src/php5-build
    gunzip suhosin-patch-5.3.9-0.9.10.patch.gz
    cd php-5.3.29
    patch -p 1 -i ../suhosin-patch-5.3.9-0.9.10.patch
    ## the failed hunks are the visible notes it was build with suhoshin patch, no worries
    if you did not patch do
    cd php-5.3.29/
    LDFLAGS="-Wl,-rpath=/usr/local/openssl/lib,-rpath=/usr/local/curl/lib" ./configure --with-config-file-path=/etc/php/5.3/php.ini --with-config-file-scan-dir=/etc/php/5.3/mods-enabled --prefix=/opt/php-5.3.29 --with-zlib-dir --with-freetype-dir --enable-mbstring --with-xpm-dir=/usr --with-libxml-dir=/usr --enable-soap --enable-calendar --with-curl=/usr/local/curl --with-mcrypt --with-zlib --with-gd --disable-rpath --enable-inline-optimization --with-bz2 --with-zlib --enable-sockets --enable-sysvsem --enable-sysvshm --enable-pcntl --enable-mbregex --with-mhash --enable-zip --with-pcre-regex --with-mysql --with-pdo-mysql --with-mysqli --with-jpeg-dir=/usr --with-png-dir=/usr --enable-gd-native-ttf --with-openssl=/usr/local/openssl --with-imap=/usr/local/imap/uw-imap-2007f~dfsg --with-kerberos --with-imap-ssl --with-fpm-user=www-data --with-fpm-group=www-data --with-libdir=lib/x86_64-linux-gnu --enable-ftp --with-gettext --enable-fpm
    LDFLAGS="-Wl,-rpath=/usr/local/openssl/lib,-rpath=/usr/local/curl/lib" make -j4
    make install
    mkdir -p /etc/php/5.3/fpm/pool.d
    mkdir /etc/php/5.3/mods-enabled
    be aware that session-id calculation can be pretty easy guessed by attackers under circumstances and the default entropy-length is way to low.
    This options have been superseeded in php 7 and are not avail but in 5.3 they're empty / not used by default, double-check.
    a value of 32 for entropy_length is known to be too small, it's up to you

    cd /usr/local/src/php5-build/php-5.3.29
    cp php.ini-production php.ini
    sed -i 's/^\(short_open_tag\s*=\s*\).*$/\1On/' php.ini
    sed -i 's/^\(expose_php\s*=\s*\).*$/\1Off/' php.ini
    sed -i 's/^\(default_socket_timeout\s*=\s*\).*$/\110/' php.ini
    sed -i 's/^\(;date\.timezone\s*=\s*\).*$/date\.timezone="Europe\/Berlin"/' php.ini
    sed -i 's/^\(session\.cookie_httponly\s*=\s*\).*$/\11/' php.ini
    sed -i 's/^\(session\.hash_function\s*=\s*\).*$/\11/' php.ini
    sed -i 's/^\(session\.hash_bits_per_character\s*=\s*\).*$/\16/' php.ini
    sed -i 's/^\(disable_functions\s*=\s*\).*$/\1pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,/' php.ini
    cp php.ini /etc/php/5.3/
    /etc/php/5.3/fpm/php-fpm.conf ( see attached php-fpm.conf.txt )
    /etc/php/5.3/fpm/pool.d/www.conf ( see attached www.conf.txt )
    /etc/init.d/php5.3-fpm ( see attached php5.3-fpm.txt )
    /lib/systemd/system/php5.3-fpm.service ( see attached php5.3-fpm.service.txt )

    optional Install APC
    mkdir /usr/local/src/php5-build/apc
    cd /usr/local/src/php5-build/apc
    wget -O 3.1.13.tar.gz
    tar xf 3.1.13.tar.gz
    cd APC-3.1.13/
    ./configure --with-php-config=/opt/php-5.3.29/bin/php-config
    make -j4
    make install
    optional suhoshin extension ( it's not the same as the patch! )
    mkdir /usr/local/src/php5-build/suhoshin
    cd /usr/local/src/php5-build/suhoshin
    tar xf suhosin-
    cd suhosin-
    ./configure --with-php-config=/opt/php-5.3.29/bin/php-config
    make install
    echo "" > /etc/php/5.3/mods-enabled/suhoshin.ini
    see for options

    ln -s /opt/php-5.3.29/bin/php /usr/bin/php5.3
    ln -s /opt/php-5.3.29/sbin/php-fpm /usr/sbin/php-fpm5.3
    update-alternatives --install /usr/bin/php php /usr/bin/php5.3 0
    chmod +x /etc/init.d/php5.3-fpm
    update-rc.d php5.3-fpm defaults

    check/set your default system php
    update-alternatives --config php
    systemctl enable php5.3-fpm.service
    systemctl daemon-reload
    systemctl restart php5.3-fpm.service
    go to System > Additional PHP Versions in ISPConfig and compare to attached Picture :) No cgi, please don't use cgi!

    for TLS usage in this version, there has been a discussion:

    edit: added suhoshin patch
    edit: added suhoshin extension
    edit: added some disable_functions
    edit: tls hint

    Attached Files:

    Last edited: Oct 12, 2017
    oxemelot, SammySeggs, DedySoe and 5 others like this.
  18. ISPConfig Developer ISPConfig Developer

    notify, did some changes, see all "edit" blocks up to tls-hint :) have a great day
  19. JohnnyBeGood

    JohnnyBeGood Member

  20. ISPConfig Developer ISPConfig Developer

    Why doesn't it support Debian 9? Does it have issues with the new apache syntax maybe? Anyway,
    yes you can install jessie like in the tutorial. Maybe have a look at ;)

Share This Page