PHP-FPM

Whilst converting tokiwinter.com away from mod_php to mod_fastcgi/PHP-FPM, I experienced the following error:

[Thu Jul 11 14:29:31 2013] [error] [client 192.168.122.1] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

1	[Thu Jul 11 14:29:31 2013] [error] [client 192.168.122.1] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

Enabling LogLevel debug for the VirtualHost showed the following extra detail:

[Thu Jul 11 14:29:31 2013] [debug] core.c(3072): [client 192.168.122.1] r->uri = /index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php
[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php
...

[Thu Jul 11 14:29:31 2013] [debug] core.c(3072): [client 192.168.122.1] r->uri = /index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /cgi-bin/php5.fcgi/index.php

[Thu Jul 11 14:29:31 2013] [debug] core.c(3078): [client 192.168.122.1] redirected from r->uri = /index.php

...

We can see that the rewrites required for WordPress in .htaccess are interfering with the correct operation of mod_fastcgi. The net result - HTTP 500 Internal Server Error for all our clients.

The fix is easy enough - add the following additional rewrite to .htaccess for the WordPress installation:

RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*)
RewriteRule . - [L]

1 2	RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*) RewriteRule . - [L]

i.e. if the request URI is a mod_fastcgi request, do not apply any rewrites. My complete .htaccess file in my WordPress VirtualHost is now:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*)
RewriteRule . - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# BEGIN WordPress

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_URI} ^/cgi-bin/php5.fcgi(.*)

RewriteRule . - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

</IfModule>

# END WordPress

This works for me with the following VirtualHost configuration:

NameVirtualHost *:80
<VirtualHost *:80>
	ServerAdmin toki@tokiwinter.com
	ServerName tokiwinter.com
	ServerAlias www.tokiwinter.com	
	DocumentRoot /var/www/virtualhosts/tokiwinter.com/htdocs
	ScriptAlias "/cgi-bin/" "/var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/"
	FastCGIExternalServer /var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000
	ErrorLog logs/tokiwinter.com-error_log
	CustomLog logs/tokiwinter.com-access_log common
	<Directory />
		AllowOverride all
		Order allow,deny
		Allow from all
		AddType application/x-httpd-fastphp5 .php
		Action application/x-httpd-fastphp5 /cgi-bin/php5.fcgi
	</Directory>
	DirectoryIndex index.php
</VirtualHost>

NameVirtualHost *:80

ServerAdmin toki@tokiwinter.com

ServerName tokiwinter.com

ServerAlias www.tokiwinter.com

DocumentRoot /var/www/virtualhosts/tokiwinter.com/htdocs

ScriptAlias "/cgi-bin/" "/var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/"

FastCGIExternalServer /var/www/virtualhosts/tokiwinter.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000

ErrorLog logs/tokiwinter.com-error_log

CustomLog logs/tokiwinter.com-access_log common

AllowOverride all

Order allow,deny

Allow from all

AddType application/x-httpd-fastphp5 .php

Action application/x-httpd-fastphp5 /cgi-bin/php5.fcgi

</Directory>

DirectoryIndex index.php

</VirtualHost>

Your mileage may well vary.

When running PHP-FPM (PHP FastCGI Process Manager), it can be configured to listen on a UNIX socket, or a TCP port. When using the latter on an SELinux enabled system, you will receive HTTP 500 Internal Server Errors if SELinux is not configured correctly.

For example, on my system, I’m using the following directive (in my example.com VirtualHost):

FastCGIExternalServer /var/www/www.example.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000

1	FastCGIExternalServer /var/www/www.example.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000

However, the default value of the httpd_can_network_connect SELinux boolean is false, or off. Therefore, httpd is unable to connect to the PHP-FPM pool listening on 127.0.0.1:9000.

You will see AVC denial messages in /var/log/audit/audit.log such as:

type=AVC msg=audit(1373344647.677:17670): avc:  denied  { name_connect } for  pid=24124 comm="httpd" dest=9000
 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

1 2	type=AVC msg=audit(1373344647.677:17670): avc: denied { name_connect } for pid=24124 comm="httpd" dest=9000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

To fix this issue, set the httpd_can_network_connect SELinux boolean to true, or on, remembering the -P option so that this change persists across system reboots.

# setsebool -P httpd_can_network_connect on

1	# setsebool -P httpd_can_network_connect on

Toki Winter

Advanced UNIX for the experienced system administrator

Tag Archives: PHP-FPM

WordPress: Avoiding Infinite Recursion with mod_rewrite and mod_fastcgi

SELinux: Allowing HTTPD to Connect to PHP-FPM