Leo, first, I appreciate your help. However, you make several assumptions. Let me explain.
leolam wrote: ↑Sun Jan 13, 2019 5:50 am
Ok I am going to give it one more try.
1. It is a server ownership and permission issue and not a Joomla issue as you have mentioned above
As I wrote in my first post, I understood the correct permissions were 644 for files and 755 for directories. The report I submitted was an oversight during testing only.
2. You have misconfigured your server.
Yes, I agree. I also explained it's been some time since I've configured Apache for such functions, and much has changed since. I don't understand the relationship between all the different modules - phpSuExec, fcgid, php-fpm, etc.
3. I strongly advise to upgrade cPanel
I'm not using cPanel. I never said anything about cPanel. I am hosting this on our own systems. I am a Linux admin, but haven't configured something that required this type of control since Apache 2.0 or perhaps even 1.3. Obviously many of the methods have changed. I explained much of this in my initial post.
5. Change the PHP-handler to suPHP and disable Apache suEXEC which only pertains to PHP that CGI handles
Does this mean removing php7_module from being loaded?
Do you have a cPanel virtual host config you could paste here?
so shortcut: Update to latest cPanel. Change handler to suPHP (fcgi uses the full memory at all times). Run PHP FPM, Chown and CHMOD as given above to correct current state and all files and folders will always be created as user with the correct permissions
- My "Server API" is "FPM/FastCGI". Is that correct? I've included my fcgid config below.
- Do I need to implement the Joomla FTP layer? Is that how Joomla performs updates, like extension updates?
- How does Joomla have the ability to write to its own directories, like cache, and other directories when updating extensions?
Where do I actually configure the username(s) that should be permitted to write to the document root?
Do you have other resources (links, documentation, etc.) that explain how to configure phpsuexec specifically as it relates to Joomla?
Here is my current fcgid.conf. This is still testing only. Some of these values were configured high because our finder tables are >6GB and it was otherwise timing out or having memory issues.
AddHandler fcgid-script fcg fcgi fpl php
FcgidIPCDir /run/mod_fcgid
FcgidProcessTableFile /run/mod_fcgid/fcgid_shm
FcgidMaxRequestLen 1073741824
FcgidOutputBufferSize 1073741824
FcgidMaxRequestsPerProcess 500
FcgidMaxProcesses 300
FcgidFixPathinfo 1
FcgidIdleScanInterval 15
FcgidBusyTimeout 280
FcgidBusyScanInterval 30
FcgidErrorScanInterval 3
FcgidZombieScanInterval 3
FcgidMinProcessesPerClass 0
FcgidIdleTimeout 6000
FcgidProcessLifeTime 6000
FcgidConnectTimeout 6000
FcgidIOTimeout 6000
Here is my php-fpm config:
[www]
user = apache
group = apache
listen = /run/php-fpm/www.sock
listen.acl_users = apache,nginx
listen.allowed_clients = 127.0.0.1
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
access.log = /var/log/php-fpm/$pool.access.log
access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
slowlog = /var/log/php-fpm/www-slow.log
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
Here is my current apache config. What more am I missing? ("example" in place of my real hostname)
Listen 64.1.15.4:80
Listen 64.1.15.4:443
ExtendedStatus on
<VirtualHost 64.1.15.4:80>
ServerName webstage.example.com
ServerAdmin [email protected]
Redirect / https://webstage.example.com/
</VirtualHost>
<VirtualHost 64.1.15.4:443>
ServerName webstage.example.com
ServerAdmin [email protected]
DocumentRoot /var/www/webstage.example.com-443/html/
ScriptAlias /cgi-bin/ /var/www/webstage.example.com-443/cgi-bin/
ErrorLog /var/www/webstage.example.com-443/logs/error_log
CustomLog /var/www/webstage.example.com-443/logs/access_log timing
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %T/%D %I/%O/%B %v" timing
HostnameLookups off
KeepAliveTimeout 600
Timeout 600
ProxyTimeout 600
<IfModule dir_module.c>
DirectoryIndex index.html index.php index.pl
Options +Indexes
IndexOptions FancyIndexing NameWidth=*
</IfModule>
LogLevel notice
SecStatusEngine On
<Directory "/var/www/webstage.example.com-443/html">
<RequireAny>
Require all granted
</RequireAny>
AllowOverride all
AddHandler fcgid-script .php
Options +FollowSymLinks +Includes +ExecCGI
DirectoryIndex index.html index.php
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost/"
</FilesMatch>
FCGIWrapper /var/www/php-fcgi-scripts/example/php-fcgi-starter .php
</Directory>
<Directory "/var/www/webstage.example.com-443/cgi-bin">
Options +ExecCGI
</Directory>
SSLEngine on
Header always set Strict-Transport-Security "max-age=15768000"
SSLCertificateKeyFile /etc/letsencrypt/privkey.pem
SSLCertificateFile /etc/letsencrypt/cert.pem
SSLCertificateChainFile /etc/letsencrypt/fullchain.pem
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
<IfModule mod_mime.c>
AddType application/x-javascript .js
AddType text/css .css
</IfModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/plain text/xml application/javascript
<IfModule mod_setenvif.c>
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch bMSIE !no-gzip !gzip-only-text/html
</IfModule>
</IfModule>
Header append Vary User-Agent env=!dont-vary
</VirtualHost>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Cheers and yes I am smart indeed. Thanks for the compliment
Don't ASSume. And read what I wrote more closely.
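Added example, not part of the original post or the poster's configuration: with PHP-FPM, the pool's `user` and `group` lines set the Unix identity that PHP (and therefore Joomla) creates and writes files as, so a document root can be checked against the 644/755 policy mentioned in the post by comparing ownership and modes with that pool user. `POOL_CONF` is a constructed excerpt and the function names are hypothetical.

```python
import configparser
import os
import stat

# Constructed excerpt: only the identity-related lines of a PHP-FPM pool file.
POOL_CONF = """
[www]
user = apache
group = apache
listen = /run/php-fpm/www.sock
"""

def pool_identity(conf_text, pool="www"):
    """Return the (user, group) that a PHP-FPM pool's workers run as."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp[pool]["user"], cp[pool].get("group")

def audit_docroot(root, owner_uid, file_mode=0o644, dir_mode=0o755):
    """List (relative_path, problem) for entries that break the policy."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlinks carry no useful mode; os.walk does not follow them
        rel = os.path.relpath(path, root)
        mode = stat.S_IMODE(st.st_mode)
        want = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
        if st.st_uid != owner_uid:
            findings.append((rel, f"owner uid {st.st_uid}, expected {owner_uid}"))
        if mode & stat.S_IWOTH:
            findings.append((rel, f"world-writable ({mode:04o})"))
        elif mode != want:
            findings.append((rel, f"mode {mode:04o}, expected {want:04o}"))
    return sorted(findings)

if __name__ == "__main__":
    import pwd, sys
    user, _ = pool_identity(POOL_CONF)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        sys.exit(f"pool user {user!r} does not exist on this host")
    for rel, problem in audit_docroot(root, uid):
        print(f"{rel}: {problem}")
```

Run it with the document root as the only argument; it only reads metadata and changes nothing.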