ID #1014

php.ini Locations, disable_functions, FPM Pools, and General PHP Information

PHP in EHCP Force Edition

In all versions of EHCP Force Edition released after June 1, 2018 (6/1/2018), the Apache2 and nginx web servers are automatically configured to use PHP-FPM for processing PHP requests. Apache2 uses mod_proxy (https://httpd.apache.org/docs/2.4/mod/mod_proxy.html), and nginx has always been set up to proxy PHP requests to PHP-FPM.

php.ini File Location

As a result of these changes, PHP settings need to be set or changed in the following php.ini files (which are used by both nginx and Apache2):

Ubuntu 14.04 and Debian 8:  /etc/php5/fpm/php.ini
Ubuntu 16.04 and Debian 9:  /etc/php/7.0/fpm/php.ini
Ubuntu 18.04:  /etc/php/7.2/fpm/php.ini

PHP disable_functions Security

For security purposes, all domains and subdomains run by default under a non-privileged FPM pool. Several PHP functions are therefore disabled and unavailable to code running under panel-configured domains and subdomains. The disabled functions are listed below:

exec, passthru, shell_exec, system, proc_open, popen

PHP FPM Pools

The panel uses two PHP-FPM pools. One is the aforementioned non-privileged pool named "www", which runs on port 9000. The other is a privileged pool named "ehcp", which runs on port 9001 and is used by the EHCP panel itself (since it does run some system calls).

If you want to adjust the disabled functions for the non-privileged www pool, you can do so by editing the files below:

Ubuntu 14.04 and Debian 8:  /etc/php5/fpm/pool.d/www.conf
Ubuntu 16.04 and Debian 9:  /etc/php/7.0/fpm/pool.d/www.conf
Ubuntu 18.04:  /etc/php/7.2/fpm/pool.d/www.conf

The privileged ehcp pool can be configured and changed here:

Ubuntu 14.04 and Debian 8:  /etc/php5/fpm/pool.d/ehcp.conf
Ubuntu 16.04 and Debian 9:  /etc/php/7.0/fpm/pool.d/ehcp.conf
Ubuntu 18.04:  /etc/php/7.2/fpm/pool.d/ehcp.conf

If a trusted domain needs to run any of the listed disabled functions, it is recommended that you edit the Apache template for the domain using the EHCP Force Panel and direct all of that domain's PHP traffic to port 9001, the privileged ehcp pool. This applies to both nginx and Apache2 configurations.
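
To audit the pool split described above, the following shell helpers are an added example (not part of EHCP Force Edition): one reports which of the six listed functions a pool still allows, the other lists web server config files that route PHP to port 9001. The function names, the sample files, and the assumption that the restriction is written as disable_functions in php.ini or as php_admin_value[disable_functions] in the pool file are mine, not the panel's.

```shell
#!/bin/sh
# Added example: audit helpers for the www/ehcp pool split described on this page.
EXPECTED="exec passthru shell_exec system proc_open popen"  # list from this page

# Print each expected function that the given files do NOT disable.
# Assumption: the restriction is written either as php.ini's
# "disable_functions = ..." or as a pool-level
# "php_admin_value[disable_functions] = ..." (PHP-FPM appends the two).
missing_disabled_functions() {
    disabled=$(sed -n \
        -e 's/^[[:space:]]*php_[a-z_]*value\[disable_functions\][[:space:]]*=//p' \
        -e 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$@" |
        tr -d '"' | tr ',\n\t' '   ')
    for fn in $EXPECTED; do
        case " $disabled " in
            *" $fn "*) ;;                 # disabled, nothing to report
            *) printf '%s\n' "$fn" ;;     # still callable from this pool
        esac
    done
}

# List config files under a directory that send PHP to the privileged
# pool's port (9001 on this page). Matches ":9001" not followed by a digit.
privileged_vhosts() {
    grep -rlE ':9001([^0-9]|$)' "$1" 2>/dev/null | sort
}

# Demo on constructed sample files (not real EHCP output).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[www]' 'listen = 9000' \
        'php_admin_value[disable_functions] = exec,passthru,shell_exec,system' \
        > "$d/www.conf"
    mkdir "$d/vhosts"
    echo 'fastcgi_pass 127.0.0.1:9000;' > "$d/vhosts/shop.example.conf"
    echo 'fastcgi_pass 127.0.0.1:9001;' > "$d/vhosts/admin.example.conf"
    echo "Not disabled in www pool:"
    missing_disabled_functions "$d/www.conf"
    echo "Routed to privileged pool:"
    privileged_vhosts "$d/vhosts"
    rm -rf "$d"
}
demo
```

Point the first helper at the www.conf path for your release from the list above (optionally with the matching php.ini), and the second at the directory holding your generated vhost files; every file it prints should belong to a domain you deliberately trust.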
