redwood Guru
Joined: 27 Jan 2006 Posts: 306
|
Posted: Wed Mar 25, 2015 4:38 pm Post subject: asterisk/FreePBX nginx/php sessions issue |
|
|
My old asterisk/FreePBX server died and I've been trying to migrate and update the asterisk/FreePBX
to another server.
I've currently installed these versions:
Code: |
freepbx-12.0.21.tgz
net-misc/asterisk-11.15.0-r1
net-misc/dahdi-2.10.0.1
net-misc/dahdi-tools-2.10.0
|
I've also installed these versions of nginx, php, mariadb:
Code: |
www-servers/nginx-1.7.6
dev-db/mariadb-10.0.16
dev-lang/php-5.5.21
|
A major problem I'm having is with the FreePBX function asterisk_chown()
in /var/lib/asterisk/freepbx_engine
It keeps changing the ownership/permissions on the system /tmp
from
Code: |
# ls -ldn /tmp
drwxrwxrwt 17 0 0 8192 Mar 25 12:20 /tmp
|
to
Code: |
chown_asterisk() {
    echo -n SETTING FILE PERMISSIONS
    # Get our PHP session directory.
    SESSDIR=$(php -r "echo ini_get('session.save_path');")
    [ ! $SESSDIR ] && SESSDIR=/var/lib/php/session
    # If it's not a directory AND it's not a link, it's broken. Fix it.
    if [ ! -d $SESSDIR -a ! -h $SESSDIR ]; then
        mv $SESSDIR $SESSDIR.$$
        mkdir $SESSDIR
    fi
    ASTERISKOWNED=("$ASTRUNDIR" "$ASTETCDIR" "$ASTVARLIBDIR" "$ASTLOGDIR" "$AMPBIN" "$ASTAGIDIR" \
        "/etc/dahdi" "/etc/wanpipe" "/etc/odbc.ini" "/usr/local/asterisk" "/dev/tty9" \
        "/etc/amportal.conf")
    WEBOWNED=("$AMPWEBROOT/admin" "$AMPWEBROOT/recordings" "$FPBXDBUGFILE" "$FPBX_LOG_FILE" "$SESSDIR")
    PRIVFILES=("$ASTVARLIBDIR/.ssh/.id_rsa")
    DEVICES=("/dev/zap" "/dev/dahdi" "/dev/capi20" "/dev/misdn" "/dev/mISDN" "/dev/dsp")
    for target in "${WEBOWNED[@]}"; do
        [ ! -e "$target" ] && continue
        L=$(readlink -f $target)
        chown -R $AMPASTERISKWEBUSER:$AMPASTERISKWEBGROUP $L
        chmod -R 775 $L
        echo -n .
    done
    ...
}
|
On my system I have
Code: |
# php -r "echo ini_get('session.save_path');"
/tmp
|
And in /etc/php/fpm-php5.5/php.ini
I have:
Code: |
[Session]
session.save_handler = files
session.save_path = "/tmp"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = On
session.bug_compat_warn = On
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
|
So, every time FreePBX runs, it recursively changes the permissions and ownership on /tmp
to the webuser and 755
which breaks everything else on my server which writes to /tmp
So I need a workaround.
Would there be any issues with just changing my
/etc/php/fpm-php5.5/php.ini
from
Code: | session.save_path = "/tmp" |
to
Code: | session.save_path = "/var/lib/php/sessions" |
I guess I would also need to change the same setting in /etc/php/cli-php5.5/php.ini
since it's possible to run amportal manually and not through a browser.
I have the following fpm-php configuration for my pbx virtual web server:
Code: |
# cat /etc/php/fpm-php5.5/pool.d/pbx.conf
[pbx]
listen = /var/run/php5-fpm/pbx.sock
;listen = 127.0.0.1:9000;
listen.backlog = -1
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
; Unix user/group of processes
user = nginx
group = nginx
; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
; Pass environment variables
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; host-specific php ini settings here
; php_admin_value[open_basedir] = /var/www/DOMAINNAME/htdocs:/tmp
php_flag[expose_php] = off
|
Maybe I should set session.save_path in this file just for this one virtual domain? |
|
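An added example, not part of the original posts and not FreePBX code: a guard that classifies a session.save_path before a recursive chown/chmod like the WEBOWNED loop in the post above touches it, plus a check that a directory still has the root-owned 1777 mode that /tmp needs. The function names and verdict strings are hypothetical, and GNU `stat` and `readlink` are assumed.

```bash
#!/usr/bin/env bash
# Hypothetical helper names; assumes GNU coreutils (stat -c, readlink -f).

# Print a verdict for a session.save_path and return non-zero when it must
# not be handed to a recursive chown/chmod.
session_dir_verdict() {
    local path=$1 real mode
    [ -n "$path" ] || { echo "unset"; return 1; }
    # Resolve symlinks first, as the loop does with readlink -f: a link that
    # points at /tmp is just as dangerous as /tmp itself.
    real=$(readlink -f -- "$path") || { echo "unresolvable"; return 1; }
    [ -d "$real" ] || { echo "missing:$real"; return 1; }
    case "$real" in
        /|/tmp|/var/tmp|/dev/shm) echo "shared:$real"; return 1 ;;
    esac
    mode=$(stat -c '%a' -- "$real")      # octal mode, e.g. 1777 or 700
    # Sticky (01000) or world-writable (0002) means other users depend on it.
    if [ $(( 0$mode & 01000 )) -ne 0 ] || [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "world-shared:$real (mode $mode)"; return 1
    fi
    echo "ok:$real"
}

# Succeed only if the directory (default /tmp) is still mode 1777, uid 0, gid 0,
# matching the "drwxrwxrwt ... 0 0" listing in the post.
tmp_is_intact() {
    [ "$(stat -c '%a %u %g' -- "${1:-/tmp}")" = "1777 0 0" ]
}

# Stand-alone use: pass the value of session.save_path as the first argument.
if [ "$#" -gt 0 ]; then session_dir_verdict "$1"; fi
```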
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
|
Posted: Thu Mar 26, 2015 12:03 am Post subject: |
|
|
I would definitely modify session.save_path, across the board personally, as /tmp is insecure by design. |
redwood Guru
Joined: 27 Jan 2006 Posts: 306
|
Posted: Thu Mar 26, 2015 1:19 pm Post subject: php session.save_path |
|
|
Yes, that's what I ended up doing.
I also set nginx to run as asterisk.asterisk for my pbx.
FreePBX needs access to way too many files for my comfort,
so eventually going to have to put it in an lxc container
for my peace of mind since I can't keep up with the changes
in its php code from one version to the next.
For anybody running nginx with fpm-php, fpm allows setting the user:group
as well as setting individual php settings for each virtual server.
For now, I've set session.save_path to /var/lib/php/session
since that's the default for FreePBX, but I guess something like
/var/lib/php/{pbx, www, ww2}/session
might make sense with lots of virtual servers?
Code: |
# cat /etc/php/fpm-php5.5/pool.d/pbx.conf
[pbx]
listen = /var/run/php5-fpm/pbx.sock
;listen = 127.0.0.1:9000;
listen.backlog = -1
listen.owner = asterisk
listen.group = asterisk
listen.mode = 0660
; Unix user/group of processes
user = asterisk
group = asterisk
; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 75
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500
; Pass environment variables
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; host-specific php ini settings here
; php_admin_value[open_basedir] = /var/www/DOMAINNAME/htdocs:/tmp
php_flag[expose_php] = off
php_admin_value[session.save_path] = /var/lib/php/session
;php_admin_value[display_errors] = on
|
|
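An added example, not from the thread and not part of php-fpm: an audit of a pool.d directory that lists each pool's user and session.save_path, then flags pools that inherit the php.ini value or share a session directory with another pool. The function names are hypothetical, and the sample pools other than pbx are constructed.

```bash
#!/usr/bin/env bash
# Print "pool user save_path" for each pool section in DIR/*.conf ("-" = unset).
pool_session_paths() {
    awk '
        function emit() {
            if (pool != "") print pool, (user == "" ? "-" : user), (path == "" ? "-" : path)
        }
        /^[ \t]*;/ { next }                       # commented-out directive
        /^\[/      { emit(); pool = substr($0, 2, index($0, "]") - 2); user = path = ""; next }
        /^[ \t]*(user|php_(admin_)?value\[session\.save_path\])[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key ~ /user$/) user = val; else path = val
        }
        END { emit() }
    ' "$1"/*.conf
}

# Report pools with no per-pool path or a path another pool already uses.
# Returns non-zero when there is at least one finding.
audit_pools() {
    pool_session_paths "$1" | awk '
        $3 == "-"   { print $1 ": inherits session.save_path from php.ini"; bad = 1; next }
        $3 in first { print $1 ": shares " $3 " with pool " first[$3]; bad = 1; next }
                    { first[$3] = $1 }
        END         { exit bad + 0 }
    '
}

# Constructed sample: pbx as in the post, plus two hypothetical nginx pools.
write_sample_pools() {
    printf '[pbx]\nuser = asterisk\nphp_admin_value[session.save_path] = /var/lib/php/session\n' > "$1/pbx.conf"
    printf '[www]\nuser = nginx\n;php_admin_value[session.save_path] = /var/lib/php/www/session\n' > "$1/www.conf"
    printf '[ww2]\nuser = nginx\nphp_value[session.save_path] = /var/lib/php/session\n' > "$1/ww2.conf"
}

# Stand-alone use: audit the directory given as $1, else the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_pools "$1"
else
    demo=$(mktemp -d) && write_sample_pools "$demo"
    audit_pools "$demo" || true
    rm -rf "$demo"
fi
```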
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
|
Posted: Thu Mar 26, 2015 2:35 pm Post subject: Re: php session.save_path |
|
|
redwood wrote: | Yes, that's what I ended up doing.
I also set nginx to run as asterisk.asterisk for my pbx.
For anybody running nginx with fpm-php, fpm allows setting the user:group
as well as setting individual php settings for each virtual server. |
Nice one.
Quote: | FreePBX needs access to way too many files for my comfort,
so eventually going to have to put it in an lxc container
for my peace of mind since I can't keep up with the changes
in its php code from one version to the next. |
Hehe, that sounds like a good idea; do please let us know how you set that up when you get there.
I think it'd be useful info for others as well.
Quote: | For now, I've set session.save_path to /var/lib/php/session
since that's the default for FreePBX, but I guess something like
/var/lib/php/{pbx, www, ww2}/session
might make sense with lots of virtual servers? |
Dunno, I'm not an admin, but it sounds reasonable to me. I'd ask Patrick/bonsaikitten personally, but someone else on here must have an (informed) opinion. |