Jump to content

Recommended Posts

Posted (edited)

@Makoto excellent tutorial, i give you my congratulations :y:

Just a quick note that i think you could add to this tutorial. If someone install's Centos 7 and then follows this tutorial, they will be installing PHP 5.4 which is currently EOL, and therefore no more security updates. Because this tut is all about security, i think the minimum version should be php 5.5.

So, you could add the instructions for installing Epel and Remi repo(its stays disabled by default), for example, and then the Yum command would be instead: yum --enablerepo=remi,remi-php56 php-fpm php-cli php-mysqlnd php-pdo php-gd php-mbstring php-xml.
If someone wants to try php 7.0, just change to remi-php70.

With the Remi repo we can also install php-pecl-imagick instead of using the pecl install.

Edited by RevengeFNF
Posted

Thanks, how should I configure php session filepath and opcache filepath, I am not totally understanding about the acl. And if I add microcache for nginx, what permission should I set for cache_path and tmp_path?

  • 3 weeks later...
Posted (edited)

There is a tutorial for conf when forum is in directory ?

Because, here, it's for website with only IPS4 !

Tks

EDIT : Hum. It's maybe possible if you change Root line. hum my fault

Edited by Bliblou
Posted

Thanks for the guide very informative. I've run into a bit of a permission issue I'm hoping you can shed some light. 

If I run your fixperms script, all is good except when I go to upgrade an application, since the files and folders are owned by webapp:webapp I'll get a permission error.

0: Extraction from phar "/tmp/phpZ2rgSN.tar" failed: Cannot extract "Application.php" to "applications/cjmenu/Application.php", setting file permissions failed

if I set the user:group recursively on applications/cjmenu to www-data:www-data the application will upgrade without a hitch. 

I thought we shouldn't have an issue since www-data has read and write access through acl ?

here is the output from getfacl applications/

# file: applications/
# owner: webapp
# group: webapp
user::rwx
user:www-data:rwx
user:nginx:r-x
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:www-data:rwx
default:user:nginx:r-x
default:group::r-x
default:mask::rwx
default:other::---

Please I'd really like to know why this is happening ?

Posted
On 1/7/2016 at 1:05 AM, icedream said:

Thanks, how should I configure php session filepath and opcache filepath, I am not totally understanding about the acl. And if I add microcache for nginx, what permission should I set for cache_path and tmp_path?

Unless you have a reason to, there's really no reason you should need or want to change the default session/opcache filepaths. Regarding microcache, I haven't actually used that as of yet, but I imagine that's also something that is just written to tmp and is owned by Nginx on write? You'll have to review the documentation yourself on that one.

On 1/26/2016 at 4:13 AM, Bliblou said:

There is a tutorial for conf when forum is in directory ?

I'm sorry, I have no idea what you are asking. If you still need help, can you please clarify what the problem / question is..?

17 hours ago, Sull5 said:

If I set the user:group recursively on applications/cjmenu to www-data:www-data the application will upgrade without a hitch. 

I thought we shouldn't have an issue since www-data has read and write access through acl ?

Are you upgrading using IPS4's FTP upgrader? Naturally, if you are using FTP, your FTP user will need read/write access to the files as well. Ideally, if you can, you should just set up an FTP account for the webapp user and utilize that account for upgrades.

Posted
18 minutes ago, Makoto said:

Unless you have a reason to, there's really no reason you should need or want to change the default session/opcache filepaths. Regarding microcache, I haven't actually used that as of yet, but I imagine that's also something that is just written to tmp and is owned by Nginx on write? You'll have to review the documentation yourself on that one.

I'm sorry, I have no idea what you are asking. If you still need help, can you please clarify what the problem / question is..?

Are you upgrading using IPS4's FTP upgrader? Naturally, if you are using FTP, your FTP user will need read/write access to the files as well. Ideally, if you can, you should just set up an FTP account for the webapp user and utilize that account for upgrades.

I'm talking about upgrading 3rd party applications.

not actually upgrading the suite. 

Posted

Oh, it should work then, yes. What are the acl permissions on applications/cjmenu/Application.php? PHP-FPM is running as www-data as well, right?

Posted
40 minutes ago, Makoto said:

Oh, it should work then, yes. What are the acl permissions on applications/cjmenu/Application.php? PHP-FPM is running as www-data as well, right?

getfacl on applications/cjmenu 

# file: applications/cjmenu
# owner: webapp
# group: webapp
user::rwx
user:www-data:rwx
user:nginx:r-x
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:www-data:rwx
default:user:nginx:r-x
default:group::r-x
default:mask::rwx
default:other::---

getfacl on applications/cjmenu/Application.php

# owner: webapp
# group: webapp
user::rw-
user:www-data:rw-
user:nginx:r--
group::r--
mask::rw-
other::rw-

and yes php5-fpm is running under www-data 

Any application gives the same error. Except if I apply the owner:group to www-data recursively to applications/

 

Posted
On 1/31/2016 at 4:10 PM, Makoto said:

Oh, it should work then, yes. What are the acl permissions on applications/cjmenu/Application.php? PHP-FPM is running as www-data as well, right?

Thoughts on the issue ?

Posted
7 hours ago, Sull5 said:

Thoughts on the issue ?

I'm actually able to reproduce this, but I'm not sure if there's a solution. It only happens when upgrading applications, not installing.

The error is caused because PHP is (intentionally) not allowed to change permissions on files it overwrites when they are not owned by www-data. This, in turn, causes PHP's Phar library to throw a fit and abort. It's actually irrelevant, ACL permissions make it where PHP doesn't need to handle permissions on its own, but PHP doesn't seem to care or offer any simple way to get around it that I can see. If it can't set permissions on files extracted with Phar, it will abort.

The simple short term solution is to manually change the file ownership of the applications you're upgrading, I'll see if I can provide a more official workaround in the future however.

Posted

@Makoto, this is kind of off-topic, but

1) Love this guide, and when I've got enough time set aside to test an upgrade and go through in production, I'm sure this will be super helpful as someone with (very) limited server admin experience (I followed enough guides to get a secure LAMP stack up to run IPB, but that's it). So first off, thanks for taking the time

2) Any chance you would be willing to do a short summary of what a dedicated IPS server might also have installed by way of mariadb (and version), php (and version), any specific thoughts on php functions to disable/enable, which php accelerator to use, etc etc etc. Kind of "hey, once you've followed a guide to setting up a VPS and followed the guides on securing your admin user and getting fail2ban and other recommended stuff installed to make it safe, here's your LEMP stack specifically tuned for IPS 4". That's a big ask, but you seem to be the active admin with tips around here, so figured I'd ask :)

  • 2 weeks later...
Posted

@Makoto could you help me with rewrite url like:

http://mysite.com/forum/forum/19-title-1/
http://mysite.com/forum/files/
http://mysite.com/forum/19-title-1/ don't touch this... this is ips4 url thing

see @https://regex101.com/r/qY5lW3/4

onto nginx rules? Thanks for any replies ;)

#tested 
#1----------
	location ~* ^/forum/(?![0-9]+\-.+).*$ {
		rewrite ^/forum/(?![0-9]+\-.+)(.*)$ /$1;
	}
	location / {
		try_files  $uri $uri/ /index.php;
	}
2----------
	location / {
		try_files  @rules $uri $uri/ /index.php;
	}
	location @rules {
		rewrite ^/forum/(?![0-9]+\-.+)(.*)$ /$1 break;
	}

not work for me :(

Posted
Quote

is it possible to create a subdomain to graphic static files? to put there files like /forum/uploads? skins and so on?

Not flexible and it will not give any significant performance gain :(

Posted

Could someone provide an example .conf for loading the forum under the /forum/ subdirectory I can't seem to get the rewrites working at all. Thanks. 

  • 1 month later...
Posted

Hello,

I have read through all of this. I am unsure of what to pick out for my problem. I purchased a Dedicated Virtual Server from Media Temple. The rewrite refuses to work on NGINX :(. Everything, server wise, is all already set up and installed. I just need to know what extra to put into the Plesk 12.5 "Additional nginx directives". 

Image: alRhOpz.png

My domain is www.pvpallday.com and my forum is at www.pvpallday.com/forum

Please tell me the snippet that needs to go here. I tried pasting everything you put into there, i picked at it from what seemed like would redirect the clean URLs... I've looked all over, pasted and modified and edited and etc as much as I can. i even went as far as to use an onine convertor from htaccess to nginx, from the provided htaccess that IPB gives in the Admin CP...

I am at a loss of ideas now.

Please @Makoto or anyone, you seem to know what you're talking about better than any articles i have found online. Please help :(

 

Thank You.

Posted
On 2/3/2016 at 1:21 PM, Makoto said:

The simple short term solution is to manually change the file ownership of the applications you're upgrading, I'll see if I can provide a more official workaround in the future however.

I don't really have any problem with this, is a minor temporary change to chown -R an application folder, and it's an extra layer of confirmation/security before upgrading an application.

  • 3 weeks later...
Posted
5 hours ago, Jimmy Gavekort said:

Offtopic, how did you make this fancy design?

My guides are written using a template I purchased from ThemeForest a while back.

You can find it here,
http://themeforest.net/item/vsdocs-online-documentation-template/11418861

Eventually I'll have posts/guides like this compiled and posted somewhere online, instead of only available as post snippets here.

This is also the template I use to write the readme's included with my newer applications, such as Bulk Downloader,
https://www.makoto.io/docs/bulkdl/index.html

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...