Gentoo Forums
[solved]remote access to php-fpm

 
Forum: Networking & Security
jamapii
l33t


Joined: 16 Sep 2004
Posts: 637

PostPosted: Mon Jul 11, 2022 3:47 pm    Post subject: [solved]remote access to php-fpm

Hi,

I'm trying to set up a php-fpm server for remote access. As I found out, there is no documented way to achieve this. However, any known documentation about the topic is useless as it is based upon 2 false statements.

First about the listen directive:
Quote:
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;


This is false: when just supplying a port, php-fpm goes IPv6-only. This is considered a bug (https://bugs.php.net/bug.php?id=77482). The workaround would be to be aware of it and create multiple pools if needed.

Note some sources seem to suggest one can use multiple "listen =" lines. This has no useful effect.

Then there is "listen.allowed_clients =". Comments and documentation say:
Quote:
If this value is left blank, connections will be
; accepted from any ip address.


An experiment shows: if it is left blank, no access is possible, even from localhost. This holds with and without a space after the "=". It is always necessary to specify all the allowed clients. Netmasks like "/24" are at least not a syntax error.

Now one might think, fine, use
Code:

listen = 0.0.0.0:9000
listen.allowed_clients = 127.0.0.1, 10.1.2.3
and so on. This should make php-fpm listen on all interfaces and allow a specific remote client.

However, no matter what, remote access is impossible. On top of that, in case of remote access, php-fpm even plays dead and logs nothing.

As a last resort,
Code:
tcpdump -vvv -U -s0 -X port 9000
(only 1 interface) reveals that the remote client (webserver) seems to send perfectly good requests, and php-fpm sends short replies, and the web server then displays a message such as "502 Bad Gateway".

When the local web server connects to this php instance, or when the remote web server connects to its own local php-fpm instance, the proper content is displayed. So it can't be anything special with apache/nginx, or an unrelated php-fpm misconfiguration, or broken NFS.

So to summarize:

- 2 false statements in the documentation (replicated in all instances of it)

- Remote access, which is the whole _point_ of TCP, completely blocked

- No logging on remote access (on localhost access, everything is logged)

About the last 2 points, no bugs exist.

How, then, is remote access possible? Any additional directive? Any special undocumented syntax rule? Or does nobody use it at all?

thanks


Last edited by jamapii on Tue Jul 12, 2022 11:55 am; edited 1 time in total
jamapii
l33t


Joined: 16 Sep 2004
Posts: 637

PostPosted: Mon Jul 11, 2022 5:20 pm

OK, the special syntax is

Code:
listen = 0.0.0.0:9000
listen.allowed_clients = 127.0.0.1,10.1.2.3


OK, the listen port can be changed.

In allowed_clients, no spaces are allowed, and no netmasks or any kind of "/24". For example, to allow 10.1.2.0/24, enumerate all clients, all 254 of them. Preferably fewer; there's probably a line length limit.

This made remote access possible for me.
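The two pitfalls the thread ends on (a port-only "listen =" binding IPv6-only, and "listen.allowed_clients" taking only a comma-separated list of single addresses with no spaces and no "/24") are easy to check mechanically before restarting php-fpm. The following is an added example, not code from the posts above or from php-fpm itself: it lints a pool file for exactly those conditions and builds a valid "listen.allowed_clients" value from addresses and CIDR networks by enumerating hosts. The pool snippets, addresses and the MAX_HOSTS cap are constructed for illustration; the finding messages restate what the thread reports, not php-fpm's own log output.

```python
"""Build and lint a php-fpm pool's listen / listen.allowed_clients settings.

Added example for this thread; not code from the posts above or from php-fpm.
Rules encoded, as reported in the thread: listen.allowed_clients is a
comma-separated list of single IP addresses, no spaces, no netmasks; and
"listen = <port>" alone binds IPv6-only (https://bugs.php.net/bug.php?id=77482).
Pool texts and addresses below are constructed; MAX_HOSTS is an assumed cap.
"""
import ipaddress
import re

MAX_HOSTS = 1024  # assumed cap: the thread suggests the line cannot grow without limit

LISTEN_RE = re.compile(r"^\s*listen\s*=\s*(.*?)\s*$")
ALLOWED_RE = re.compile(r"^\s*listen\.allowed_clients\s*=(.*)$")


def build_allowed_clients(entries):
    """Turn addresses and/or CIDR networks into a listen.allowed_clients value.

    Networks are expanded to individual host addresses because php-fpm accepts
    no netmask syntax; duplicates are dropped and entries are joined with ','
    and nothing else (no spaces).
    """
    hosts = []
    for entry in entries:
        entry = entry.strip()
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            if net.prefixlen == net.max_prefixlen:
                hosts.append(str(net.network_address))  # /32 or /128: a single host
                continue
            if net.num_addresses > MAX_HOSTS:
                raise ValueError(f"{entry}: refusing to enumerate {net.num_addresses} hosts")
            hosts.extend(str(h) for h in net.hosts())
        else:
            hosts.append(str(ipaddress.ip_address(entry)))
    return ",".join(dict.fromkeys(hosts))  # dict keeps first-seen order, drops repeats


def lint_pool(text):
    """Return (line_number, message) findings for a pool configuration text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(";"):
            continue  # commented-out defaults such as ';listen.allowed_clients = 127.0.0.1'
        m = LISTEN_RE.match(line)
        if m:
            if m.group(1).isdigit():
                findings.append((no, "port-only listen binds IPv6-only; use 0.0.0.0:<port> for IPv4 clients"))
            continue
        m = ALLOWED_RE.match(line)
        if not m:
            continue
        value = m.group(1).strip()  # whitespace around '=' is fine; between entries it is not
        if not value:
            findings.append((no, "listen.allowed_clients is empty; list every allowed client"))
            continue
        items = value.split(",")
        if any(item != item.strip() for item in items):
            findings.append((no, "whitespace between entries; separate addresses with ',' only"))
        for item in (i.strip() for i in items):
            if "/" in item:
                findings.append((no, f"{item}: netmask not supported; enumerate the hosts instead"))
                continue
            try:
                ipaddress.ip_address(item)
            except ValueError:
                findings.append((no, f"{item}: not a valid IP address"))
    return findings


# Constructed pool snippets: the first reproduces the pitfalls from the thread,
# the second has the shape that worked for the poster.
BAD_POOL = """\
[www]
user = nobody
group = nobody
;listen.allowed_clients = 127.0.0.1
listen = 9000
listen.allowed_clients = 127.0.0.1, 10.1.2.0/24
pm = static
pm.max_children = 4
"""

GOOD_POOL = """\
[www]
user = nobody
group = nobody
listen = 0.0.0.0:9000
listen.allowed_clients = 127.0.0.1,10.1.2.3
pm = static
pm.max_children = 4
"""

if __name__ == "__main__":
    for no, msg in lint_pool(BAD_POOL):
        print(f"bad pool line {no}: {msg}")
    print("good pool findings:", lint_pool(GOOD_POOL))
    # A /29 next to a single host, rendered the way php-fpm wants it
    print("listen.allowed_clients =", build_allowed_clients(["127.0.0.1", "10.1.2.0/29"]))
```

lint_pool is a static check and does not replace testing the connection from the remote web server; build_allowed_clients refuses networks larger than MAX_HOSTS rather than emitting thousands of entries on one line. Note that listen.allowed_clients is only a source-address filter: FastCGI carries no authentication of its own, so a php-fpm port exposed on 0.0.0.0 should additionally be firewalled to the web server addresses.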