Webmail fails with PHP-PFM

Anahata · 18 April 2024 21:20

Problem Description

After switching a site to PHP-FPM, the Roundcube webmail doesn’t work. Errors as shown below.

Any Error Messages

Browser screen displays:

No input file specified.

public/logs/ssl_error.log contains (with some line breaks added for readability)

[proxy_fcgi:error] [pid 1634335] [client 2a02:8010:6315:0:ea04:2f25:c12d:cd0e:36774] 
AH01071: Got error 'PHP message: 
PHP Warning:  Unknown: open_basedir restriction in effect. 
File(/usr/share/roundcube/index.php) is not within the allowed path(s): 
(/srv/birdshot.org.uk/public/:/srv/birdshot.org.uk/php_tmp/:/srv/birdshot.org.uk/php_sessions/) 
in Unknown on line 0PHP message: 
PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
Unable to open primary script: /var/www/webmail/index.php (Operation not permitted)'

Environment

Sympl Version [9.0/10.0]: 12
Sympl Testing Version? [Yes/No] No
Debian Version [Buster/Stretch]: Bookworm (12)
Hardware Type? [Dedicated/Virtual/Pi] Virtual
Hosted On? [name of hosting co] Bitfolk

Related: I got very confusing and inconsistent results after changing the PHP-FPM configurations, and the only thing that restored sanity seemed to be restarting apache explicitly with

sudo apachectl restart

After running sympl-php-configure.
I see that the end of the sympl-php-configure script appears to run sympl-web-configure which should restart the apache server, but manually starting it as above got much better results.

My confusion was compounded by my trying to disable PHP-FPM by deleting both php and php-fpm files in the config directory. Maybe the Wiki reference should mention that the php-fpm file is used as an internal flag and should not be manually created or deleted (if that’s the correct interpretation). Also the script tests for php-fpm being empty or not empty, but there’s no documentation to explain what happen when you write to it.

Kelduum · 19 April 2024 10:39

I’ve found the issue and come up with a fix for it which I’m fairly sure should work - the problem is that the PHP Handler user for FPM is also handling the example.com/webmail URLs, which should be falling through to the default FPM for compatibility.

As far as php-fpm goes, you’re right, I should have documented that - it’s an internal-ish flag which is used to determine if the site is properly configured for FPM or not - if its there, then sympl-web-configure will set the site up with an FPM setup, or if its missing or contains ‘false’ it’ll use regular/default mod_php.

I should be able to get a fix for the webmail issue in testing later today, and I’ll update the wiki when I get a chance.

Kelduum · 19 April 2024 17:02

Wiki updated with a mention, and an updated sympl-web package now pushed to stable via testing.

Doing a quick sympl update then sudo sympl-web-configure should get webmail working again for you.

Anahata · 19 April 2024 22:14

sympl-update certainly did something, as did sudo sympl-web-configure,
but I’m getting the same error message and no webmail.
See https://birdshot.org.uk/webmail/

I tried removing PHP-FPM on that site and putting it back, and still the same error, and same error message in the log file.

Kelduum · 20 April 2024 00:09

Can you run sudo sympl-web-configure --verbose birdshot.org.uk and check the output?

It may be the configuration needs regenerating if it’s been changed, as the fix was an addition to the templates, which will auto update only if the original configuration hasn’t been changed

If so, run sudo sympl-web-configure --verbose --force birdshot.org.uk and that will generate a fresh configuration.

Anahata · 20 April 2024 07:11

Tried that
Response looks sensible

Domain: birdshot.org.uk
        Current SSL set 37: signed by /C=US/O=Let's Encrypt/CN=R3, expires 2024-06-30 04:47:53 UTC
        SSL is enabled -- using SSL template
        Adding to configurations
Configuration: birdshot.org.uk.conf
        Forcing re-creation of configuration due to --force.
        Syntax OK
        Writing configuration
        Enabling configuration.
Reloading Apache

But still no webmail!
Same error logged.

Kelduum · 20 April 2024 10:28

Found the issue and working on a fix now…

Kelduum · 22 April 2024 19:59

Fix made and will be on the testing branch later tonight, which I’ll push to stable.

This took longer than expected due to some long-running issues with the testing setup (going back to the first releases), which should now be fixed.

Anahata · 25 April 2024 18:26

Just wondering if there’s been a further problem, as it doesn’t seem to be there on stable yet and it’s been 3 days…

Kelduum · 25 April 2024 19:11

The fix should be in sympl-web 12.20240422.0 - if you look at the generated Apache configuration, you should see a two directory blocks with <Directory "/srv"> after each of the lines PHP Provided by PHP-FPM.

If you’re still having problems sending me a private message with the output of sympl-web-configure --verbose example.com and the relevant Apache config, and I’ll take a look

Anahata · 25 April 2024 19:43

Sorry, going by the implied date code in 12.20240422.0 I was assuming it hadn’t been updated yet.

Yes, it does work now, and once again many thanks for fixing it!

Kelduum · 26 April 2024 11:23

They aren’t super clear, but the ‘dates’ there are the date the first pass of the fix was committed, and from there it may need more adjustments, to get to testing (where that version number is now fixed) before it then may have more fixes with incremental versions, before it’s okay to push the normal stable branches.

In this case, quite a few small changes were needed in various places to replace a few bits of the old testing with something more resilient.