Does CVE-2019-0211 affect Apache with php-fpm?

Intro

From version 2.4.17 (October 9, 2015) to version 2.4.38 (April 1, 2019),
Apache HTTP suffers from a local root privilege escalation vulnerability
due to an out-of-bounds array access leading to an arbitrary function
call. The vulnerability is triggered when Apache gracefully restarts
(apache2ctl graceful). In standard Linux configurations, the logrotate
utility runs this command once a day, at 6:25 AM, to reset log file
handles.
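
The version range and the logrotate-driven graceful restart described above can be checked on a host from the defender's side. The following is an added example, not part of the original post: it parses the output of `apache2 -v` and a logrotate stanza and reports whether both conditions are present. The sample banner and logrotate stanza are constructed, and treating `reload` as a graceful restart is an assumption.

```python
import re

# Affected upstream releases as stated in the post: 2.4.17 through 2.4.38.
FIRST_AFFECTED, LAST_AFFECTED = (2, 4, 17), (2, 4, 38)
APACHE_CMD = re.compile(r"\b(apache2ctl|apachectl|apache2|httpd)\b")
# "reload" is an assumption: service scripts commonly map it to a graceful restart.
ACTION = re.compile(r"\b(graceful|reload)\b")
SCRIPT_OPENERS = {"prerotate", "postrotate", "firstaction", "lastaction"}

def parse_apache_version(banner):
    """Extract (major, minor, patch) from `apache2 -v` or `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no Apache version string found")
    return tuple(int(part) for part in m.groups())

def in_affected_range(version):
    # Distribution packages may backport the fix without changing this number,
    # so a match is a prompt to check the vendor advisory, not a verdict.
    return FIRST_AFFECTED <= version <= LAST_AFFECTED

def graceful_restart_hooks(logrotate_text):
    """Return script lines in a logrotate config that gracefully restart Apache."""
    hooks, in_script = [], False
    for line in logrotate_text.splitlines():
        stripped = line.strip()
        if stripped in SCRIPT_OPENERS:
            in_script = True
        elif stripped == "endscript":
            in_script = False
        elif (in_script and not stripped.startswith("#")
              and APACHE_CMD.search(stripped) and ACTION.search(stripped)):
            hooks.append(stripped)
    return hooks

def assess(banner, logrotate_text):
    version = parse_apache_version(banner)
    hooks = graceful_restart_hooks(logrotate_text)
    return {"version": version, "affected_range": in_affected_range(version), "hooks": hooks}

# Constructed samples, not captured from a real host.
SAMPLE_BANNER = "Server version: Apache/2.4.29 (Ubuntu)\nServer built:   2018-10-10T18:59:25\n"
SAMPLE_LOGROTATE = """/var/log/apache2/*.log {
    daily
    sharedscripts
    postrotate
        /usr/sbin/apache2ctl graceful > /dev/null 2>&1
    endscript
}"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_LOGROTATE))
```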

Sometimes php-fpm stops, what's going on?

I have the idea that my php-fpm56 sometimes seems to stop on my DirectAdmin VPS server. The memory seems to be normal as the times when php-fpm stops are a bit more heavy. The websites that are used will be loaded until I restart the services for php-fpm56. Other php-fpm70 websites are simply online.

The traffic to my webserver does not seem to have increased. Does anyone have any idea why php-fpm is terminated regularly? I cannot find any indication as to whether a particular script is responsible for this.

Is it maybe an attack? Or something else?
Who has an idea where to look?

Help to understand INI files and PHP_FPM

With PHP-FPM you can have configuration options in many places:

1. Global php.ini – /opt/cpanel/ea-phpXX/root/etc/php.ini

2. The php-fpm pool files may contain php.ini values. For example, in cPanel, the pool conf has php_admin_value[disable_functions] = x, y, z, etc., which you can override by using the .yaml files and recreating the pool conf

3. The .user.ini – Important: "Only INI settings with PHP_INI_PERDIR and PHP_INI_USER modes will be recognized in .user.ini-style INI files." – which means that you cannot enter everything there. The list of available options can be found at http://php.net/manual/en/ini.list.php. Look in the changeable column and make sure PHP_INI_PERDIR and PHP_INI_USER are present.

That's it!
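
The layering described above matters for hardening, because a setting such as disable_functions is only as strong as the last layer allowed to change it. The following is an added example, not part of the original post: a simplified model that layers php.ini, the pool conf and .user.ini and reports which .user.ini lines are ignored. The three sample files are constructed, the mode table is a small subset of the php.net list, and the rule that php_admin_* values cannot be overridden afterwards is an assumption of this model.

```python
import re

# Changeable modes for a few directives, from php.net/manual/en/ini.list.php (subset).
MODES = {"memory_limit": "PHP_INI_ALL", "display_errors": "PHP_INI_ALL",
         "upload_max_filesize": "PHP_INI_PERDIR", "allow_url_fopen": "PHP_INI_SYSTEM",
         "disable_functions": "php.ini only"}
USER_INI_MODES = {"PHP_INI_PERDIR", "PHP_INI_USER", "PHP_INI_ALL"}  # ALL includes both

INI_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")
POOL_RE = re.compile(r"^\s*php_(admin_)?(?:value|flag)\[([^\]]+)\]\s*=\s*(.*?)\s*$")

def parse_ini(text):
    """Return {directive: value}; comment lines and [section] headers do not match."""
    return dict(m.groups() for m in map(INI_RE.match, text.splitlines()) if m)

def resolve(php_ini, pool_conf, user_ini):
    """Layer php.ini, then the pool conf, then .user.ini; report ignored .user.ini lines."""
    effective = {k: (v, "php.ini") for k, v in parse_ini(php_ini).items()}
    locked = set()
    for m in filter(None, map(POOL_RE.match, pool_conf.splitlines())):
        admin, key, value = m.groups()
        effective[key] = (value, "pool php_admin_*" if admin else "pool php_*")
        if admin:
            locked.add(key)  # model assumption: admin values cannot be overridden later
    ignored = {}
    for key, value in parse_ini(user_ini).items():
        mode = MODES.get(key, "unknown")
        if key in locked:
            ignored[key] = "locked by php_admin_* in the pool conf"
        elif mode not in USER_INI_MODES:
            ignored[key] = "mode %s is not settable in .user.ini" % mode
        else:
            effective[key] = (value, ".user.ini")
    return effective, ignored

# Constructed sample files, not taken from a real server.
PHP_INI = "[PHP]\nmemory_limit = 128M\nallow_url_fopen = On\nupload_max_filesize = 2M\n"
POOL_CONF = ("[example_user]\n"
             "php_admin_value[disable_functions] = exec,passthru,shell_exec,system\n"
             "php_admin_value[memory_limit] = 256M\n"
             "php_value[upload_max_filesize] = 16M\n")
USER_INI = ("memory_limit = 1024M\ndisable_functions =\nallow_url_fopen = Off\n"
            "upload_max_filesize = 64M\ndisplay_errors = On\n")

if __name__ == "__main__":
    effective, ignored = resolve(PHP_INI, POOL_CONF, USER_INI)
    for key in sorted(effective):
        print("%-20s %-35s from %s" % ((key,) + effective[key]))
    for key in sorted(ignored):
        print("ignored in .user.ini: %s (%s)" % (key, ignored[key]))
```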

mod_lsapi vs PHP-FPM

We operate a new dedicated server with CL7 + Cpanel.

We had some instability issues with PHP FPM + Engintron, so we think about …

php fpm – nginx and php-fpm: "Primary script unknown" while reading response header from upstream

I want to hand everything under api/* over to php-fpm, specifically to index.php, as I use Symfony. This is the only route PHP should use. Everything else is loaded from /usr/share/nginx/html/public (HTML files and CSS only).

I tried, but an error appears:

FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream

My nginx configuration is below:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name impressive.local;
    index index.html index.php;

    location /api {
        alias /usr/share/nginx/html/api;
        try_files $uri /index.php?$args;

        location ~ \.php$ {
            fastcgi_pass php:9000;
            fastcgi_split_path_info ^(.+\.php)(/.*)$;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT $realpath_root;
        }
    }

    root /usr/share/nginx/html/public;
}

I get the following error message:

php_1 | [13-Jan-2019 23:22:54] NOTICE: fpm is running, pid 1
php_1 | [13-Jan-2019 23:22:54] NOTICE: ready to handle connections
php_1 | 172.25.0.3 - 13/Jan/2019:23:22:57 +0000 "GET /api/index.php" 404
web_1 | 2019/01/13 23:22:57 [error] 10#10: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 172.25.0.1, server: impressive.local, request: "GET /api/index.php HTTP/1.1", upstream: "fastcgi://172.25.0.2:9000", host: "127.0.0.1:8080"
web_1 | 172.25.0.1 - - [13/Jan/2019:23:22:57 +0000] "GET /api/index.php HTTP/1.1" 404 27 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "-"

I googled for hours and saw several other answers on Stack Exchange. I cannot figure out what causes this. I use Docker. Below is my docker-compose.yml:

version: '3'
services:
  web:
    image: nginx:alpine
    volumes:
      - ./web:/usr/share/nginx/html
      - ./conf/impressive.template:/etc/nginx/conf.d/default.conf
    ports:
      - "8080:80"
    links:
      - php

  php:
    image: php:7.3.1-fpm-alpine
    volumes:
      - ./web:/usr/share/nginx/html
    ports:
      - "9000:9000"

nginx css and js files are provided by php-fpm

I have installed nginx and php-fpm, and I have a problem: CSS and JS files are provided by php-fpm. This is the strace for the php-fpm process:

open("/home/user/public_html/he-2018-cache-v27.js", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lseek(6, 0, SEEK_CUR) = 0
write(6, "! - function (a, b) {" object "" == typeof "..., 8192) = 8192
write(6, "var e, f = a ([]c.length b) g = f.len "..., 8192) = 8192
write(6, "function (b) {var c; do if (c = p? b.la"..., 8192) = 8192
write(6, "pe? (this.context = this)[0]= a, that. "..., 8192) = 8192
write(6, "d)) return} (c || (delete g[h].data, "..., 8192) = 8192
write(6, "m (c, this). index (i)> = 0: m.find (c, t"..., 8192) = 8192
write(6, "ltChecked = a.checked)} Function wb"..., 8192) = 8192
write(6, ", h.left = d, f && (e.left = f)), void 0 ="..., 8192) = 8192
write(6, "), h = 1, i = 20, if (g && g[3]! == f) {f = f || "..., 8192) = 8192
write(6, "> = 0: void 0}}, k.checkOn || (m.valHo"..., 8192) = 8192
write(6, "Fields"[f]&& (c[a.responseFields[f"..., 8192) = 8192
write(6, "meout(b):f.onreadystatechange=Xc"..., 8192) = 8192
write(6, "("src",image_verification.image_"..., 8192) = 8192
write(6, "ull_screen.file=$("#resize_file""..., 8192) = 8192
write(6, "'s JavaScript requires jQuery");"..., 8192) = 8192
write(6, "#'+b.id+'"]'), this.transitioning "..., 8192) = 8192
write(6, "ar a = this; this. $ element.hide (), t"..., 8192) = 8192
write(6, "ttom left right")}, c.prototype.h "..., 8192) = 8192
write(6, "d (). find ('[data-toggle="tab"]'). "..., 8192) = 8192
write(6, "$ element.addClass (this.options.l"..., 8192) = 8192
write(6, "return a? 0: this._clones.length / 2"..., 8192) = 8192
write(6, "ngs.autoRefresh && this.watch ()}, t"..., 8192) = 8192
write(6, "var b = c.fullscreenElement || c.moz"..., 8192) = 8192
write(6, "pe.draw = function () {varb, c = this."..., 8192) = 8192
write(6, "p: $ (" # left-panel  "). offset (). to"..., 2970) = 2970
close(6) = 0

The nginx php config looks like this:

# Pass PHP scripts to PHP-FPM
location ~* \.php$ {
    fastcgi_pass unix:/var/run/user.sock;
    fastcgi_index index.php;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME /home/user/public_html$fastcgi_script_name;
    include fastcgi_params;
}

Any ideas?

linux – php-fpm status displays the queue 0 when requests are delayed

I have a php-fpm server running on a traffic-heavy website. Often, a point is reached where the active processes correspond to the maximum number of processes. This is the maximum number the server allows.

In this case, it may take 5 to 10 seconds for the php-fpm status page to load. It appears that the request is in the queue. However, the listen queue value always displays 0.

Why would this not indicate the correct value?

php-fpm and nginx in a single php-fpm crash

I want to run php-written services in the cluster. So I use Docker. Here is the stack:

  • Php 7.2
  • php-fpm
  • docker
  • nginx
  • rabbitmq / redis / db / etc

When working locally, there's no problem sharing volumes with both service and nginx. However, this is a bad approach in production. When I try to create an image with both php-fpm and nginx, php-fpm always crashes. Here are errors:

service_1_5631b886cf08 | [10-Dec-2018 21:48:42] NOTICE: [pool www] child 22 started
service_1_5631b886cf08 | [10-Dec-2018 21:48:42] WARNING: [pool www] child 21 exited on signal 11 (SIGSEGV - core dumped) after 26.338965 seconds from start
service_1_5631b886cf08 | [10-Dec-2018 21:48:42] NOTICE: [pool www] child 23 started

Here is Dockerfile:

FROM php:7.2-fpm-stretch

ENV PHPREDIS_VERSION 4.1.1
ENV AMQP_VERSION 1.9.3

# Mcrypt
#RUN apt-get install -y libmcrypt-dev && docker-php-ext-install -j$(nproc) mcrypt

# GD
RUN apt-get update \
    && apt-get install -y libfreetype6-dev libjpeg62-turbo-dev libpng-dev
RUN docker-php-ext-configure gd \
    --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ \
    && docker-php-ext-install -j$(nproc) gd

# PDO
RUN docker-php-ext-install -j$(nproc) pdo \
    && docker-php-ext-install -j$(nproc) pdo_mysql

# Postgres PDO
RUN apt-get install -y libpq-dev \
    && docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \
    && docker-php-ext-install pdo_pgsql

# Redis
RUN mkdir -p /usr/src/php/ext/redis \
    && curl -L https://github.com/phpredis/phpredis/archive/$PHPREDIS_VERSION.tar.gz | tar xvz -C /usr/src/php/ext/redis --strip 1 \
    && echo 'redis' >> /usr/src/php-available-exts \
    && docker-php-ext-install redis

# INTL
RUN apt-get install -y zlib1g-dev libicu-dev g++ \
    && docker-php-ext-configure intl \
    && docker-php-ext-install intl

# OPCACHE
RUN docker-php-ext-install -j$(nproc) opcache

# APCu
RUN pecl install apcu && docker-php-ext-enable apcu

# ZIP
RUN docker-php-ext-install -j$(nproc) zip

# AMQP
RUN apt-get install -y librabbitmq-dev \
    && pecl install amqp-$AMQP_VERSION \
    && docker-php-ext-enable amqp

# Nginx
RUN apt-get update \
    && apt-get install -y nginx \
    && chown -R www-data:www-data /var/lib/nginx

# Supervisor
RUN apt install -y supervisor \
    && mkdir -p /var/log/supervisor \
    && rm -rf /var/lib/apt/lists/*

# Composer
RUN curl -sL https://getcomposer.org/installer | php -- --install-dir /usr/bin --filename composer

WORKDIR /var/www/service/service_1

ADD . /var/www/service/service_1

RUN mv nginx.conf.tmpl /etc/nginx/nginx.conf \
    && mv supervisord.conf /etc/supervisor/conf.d/supervisord.conf

RUN composer install --no-plugins --no-scripts

# php-fpm
EXPOSE 9000

# nginx
EXPOSE 8180

CMD ["/usr/bin/supervisord"]

Here is nginx config for the service:

upstream service {
    server localhost:9000;
}

server {
    listen 8180;
    server_name localhost;
    root /var/www/services/service_1/public;

    location / {
        # try to serve the file directly, fall back to index.php
        try_files $uri /index.php$is_args$args;
    }

    location ~ ^/index\.php(/|$) {
        fastcgi_pass service;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        internal;
    }

    # return 404 for all other PHP files that do not match the front controller
    # this prevents access to other PHP files that are not to be accessed
    location ~ \.php$ {
        return 404;
    }

    # error_log /var/log/nginx/project_error.log;
    # access_log /var/log/nginx/project_access.log;
}

And Supervisor Config:

[supervisord]
nodaemon = true
logfile = /dev/null
logfile_maxbytes = 0

[program:php-fpm]
command = /usr/local/sbin/php-fpm
stdout_logfile = /dev/stdout
stdout_logfile_maxbytes = 0
stderr_logfile = /dev/stderr
stderr_logfile_maxbytes = 0

[program:nginx]
command = /usr/sbin/nginx -g "daemon off;"
stdout_logfile = /dev/stdout
stdout_logfile_maxbytes = 0
stderr_logfile = /dev/stderr
stderr_logfile_maxbytes = 0

What should I do? The main purpose is that I do not want to use a volume with code on the nginx and php-fpm containers, so I try to run them side by side.