Access denied to PHP files after setting up FastCGI + PHP-FPM

Hello,

I’m a beginner trying to configure PHP with HTTP2 on my localhost (please bear with me ;))

My environment:

  • Opensuse Leap 15.5
  • Apache version: 2.4.51
  • PHP version: 8.0.30
  • /etc/hosts: 127.0.0.1 localhost

The steps I followed:

1) Enable SSL:
I created a “test certificate” with /usr/bin/gensslcert, then configured the following virtual host (based on a copy of /etc/apache2/vhosts.d/vhost-ssl.template):

<VirtualHost _default_:443>
        DocumentRoot "/srv/www/htdocs"
        ServerName localhost
        ServerAdmin webmaster@example.com
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log
        SSLEngine on
        SSLUseStapling  on
        SSLCertificateFile /etc/apache2/ssl.crt/linux-rj1h-ca.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/linux-rj1h-ca.key
        CustomLog /var/log/apache2/ssl_request_log   ssl_combined
</VirtualHost>

After that I was able to request pages under https://localhost (despite the browser warning that the certificate is not valid).

2) Enable HTTP2:
After following the steps described in “SDB:Apache HTTP 2 configuration”, I noticed that the browser was still showing HTTP/1.1.
I did a little bit of googling and found I had to add the following line to my vhost configuration file:

Protocols h2 h2c http/1.1

After that the browser started showing HTTP2 for pages under https.

I also added the following line at the end of /etc/apache2/default-server.conf (because apachectl configtest was reporting that it couldn’t determine the server’s fully qualified domain name):

ServerName localhost

3) Configure PHP-FPM
Finally I followed the steps described in “SDB: Apache FastCGI and PHP-FPM configuration” to replace mod_php with php-fpm (with the only difference that I changed references of “php7” to “php8”).

Result:
When I request any PHP file under https://localhost, I get a 403/Access denied error:

The PHP files are owned by my personal user. I tried changing the ownership to the web server (wwwrun:www) but with no result.

Do you have any idea what the reason could be?

I’m really out of my depth here. Any advice would be much appreciated!

I’m not sure if it is relevant, but I’m adding below the output of several commands I’ve learned while setting things up:

> a2enmod -l
authz_host actions alias auth_basic authz_user authn_file authz_groupfile autoindex cgi dir include log_config mime negotiation setenvif status userdir asis imagemap authz_core reqtimeout socache_shmcb authn_core version rewrite ssl proxy proxy_fcgi fcgid mpm_event http2

> apachectl configtest
Syntax OK

> systemctl status apache2.service 

● apache2.service - The Apache Webserver
     Loaded: loaded (/usr/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2024-01-07 13:43:13 CET; 50min ago
   Main PID: 2855 (httpd-event)
     Status: "Processing requests..."
      Tasks: 159
     CGroup: /system.slice/apache2.service
             ├─ 2855 /usr/sbin/httpd-event -DSYSCONFIG -DSSL -DHTTP2 -DphpMyAdmin -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "Include /etc/apache2/sysconfig.d//global.conf" -f /etc/apache2/httpd.conf -c "Include /etc/apache2/sysconfig.d//include.conf" -DSYSTEMD -DFOREGROUND -k start
             ├─ 2862 /usr/sbin/httpd-event -DSYSCONFIG -DSSL -DHTTP2 -DphpMyAdmin -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "Include /etc/apache2/sysconfig.d//global.conf" -f /etc/apache2/httpd.conf -c "Include /etc/apache2/sysconfig.d//include.conf" -DSYSTEMD -DFOREGROUND -k start
             ├─ 2863 /usr/sbin/httpd-event -DSYSCONFIG -DSSL -DHTTP2 -DphpMyAdmin -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "Include /etc/apache2/sysconfig.d//global.conf" -f /etc/apache2/httpd.conf -c "Include /etc/apache2/sysconfig.d//include.conf" -DSYSTEMD -DFOREGROUND -k start
             ├─ 2864 /usr/sbin/httpd-event -DSYSCONFIG -DSSL -DHTTP2 -DphpMyAdmin -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "Include /etc/apache2/sysconfig.d//global.conf" -f /etc/apache2/httpd.conf -c "Include /etc/apache2/sysconfig.d//include.conf" -DSYSTEMD -DFOREGROUND -k start
             ├─ 2865 /usr/sbin/httpd-event -DSYSCONFIG -DSSL -DHTTP2 -DphpMyAdmin -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "Include /etc/apache2/sysconfig.d//global.conf" -f /etc/apache2/httpd.conf -c "Include /etc/apache2/sysconfig.d//include.conf" -DSYSTEMD -DFOREGROUND -k start
             └─ 2866 /usr/sbin/httpd-event -DSYSCONFIG -DSSL -DHTTP2 -DphpMyAdmin -C "PidFile /run/httpd.pid" -C "Include /etc/apache2/sysconfig.d//loadmodule.conf" -C "Include /etc/apache2/sysconfig.d//global.conf" -f /etc/apache2/httpd.conf -c "Include /etc/apache2/sysconfig.d//include.conf" -DSYSTEMD -DFOREGROUND -k start

Jan 07 13:43:13 linux-rj1h systemd[1]: Starting The Apache Webserver...
Jan 07 13:43:13 linux-rj1h systemd[1]: Started The Apache Webserver.

Replying to my own post, this may be the answer: access denied on nginx and php - Stack Overflow

Quoting:

On Ubuntu and openSUSE, the access denied error could also be related to AppArmor. You can easily check this by running

sudo grep -i denied /var/log/audit/audit.log

If you get something like this, it’s AppArmor:

type=AVC msg=audit(1678543274.258:837): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/test.php" pid=31787 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=487 ouid=1000

Indeed I see similar messages in /var/log/audit/audit.log.

AppArmor is new to me but I’ll try to figure out how to configure it and share my results here.

In Yast > Security and Users > Apparmor, I changed the mode of the php-fpm profile from “enforce” to “complain” and I can now access PHP pages in my browser.
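Switching the profile to complain mode makes the 403 go away because AppArmor stops blocking php-fpm altogether (it only logs). The narrower fix is to keep the profile in enforce mode and add a read rule for exactly the paths the audit log shows being denied. The script below is an added example, not code from the thread or from openSUSE: it parses AppArmor `DENIED` records of the shape quoted above (the input lines are constructed samples, not real log data) and turns each denied path into a candidate profile rule granting only the denied access mask. The override location `/etc/apparmor.d/local/php-fpm` named in the comments is an assumption about where the distribution's php-fpm profile picks up site-local rules.

```shell
#!/bin/sh
# Added example (not part of the original thread): summarise AppArmor DENIED
# records for one profile and propose minimal rules, so the profile can stay
# in enforce mode instead of being switched to complain mode.

# Constructed sample audit records in the same shape as the one quoted in the
# thread. Record 839 is an ALLOWED (complain-mode) record and record 840 is
# not an AppArmor record at all; both must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1678543274.258:837): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/test.php" pid=31787 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=487 ouid=1000
type=AVC msg=audit(1678543274.300:838): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/inc/config.php" pid=31787 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=487 ouid=1000
type=AVC msg=audit(1678543275.100:839): apparmor="ALLOWED" operation="open" profile="php-fpm" name="/tmp/sess_abc" pid=31787 comm="php-fpm" requested_mask="wr" denied_mask="wr" fsuid=487 ouid=487
type=SYSCALL msg=audit(1678543275.200:840): arch=c000003e syscall=257 success=yes exit=3'

# apparmor_denials PROFILE
# Reads audit records on stdin and prints one "profile path denied_mask" line
# per distinct DENIED record belonging to PROFILE. ALLOWED records, records
# for other profiles and non-AppArmor records are skipped. Limitation: paths
# containing spaces are not handled, because fields are split on whitespace.
apparmor_denials() {
    awk -v want="$1" '
        /apparmor="DENIED"/ {
            p = ""; n = ""; m = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")          # key="value" -> kv[1], kv[2]
                v = kv[2]; gsub(/"/, "", v)  # strip the surrounding quotes
                if (kv[1] == "profile")          p = v
                else if (kv[1] == "name")        n = v
                else if (kv[1] == "denied_mask") m = v
            }
            if (p == want && n != "") print p, n, m
        }' | sort -u
}

# suggest_rules PROFILE
# Turns each denied path into a candidate AppArmor file rule that grants
# exactly the denied mask, e.g. "  /srv/www/htdocs/test.php r,". The operator
# reviews these and appends the expected ones to a local override file
# (assumed here to be /etc/apparmor.d/local/php-fpm), then reloads the
# profile; paths that php-fpm should never touch stay denied.
suggest_rules() {
    apparmor_denials "$1" | awk '{ print "  " $2 " " $3 "," }'
}

# Demo run over the constructed records. Against a live system you would
# instead read the real log, e.g. grep apparmor /var/log/audit/audit.log.
echo "Denied accesses for profile php-fpm:"
printf '%s\n' "$SAMPLE_AUDIT" | apparmor_denials php-fpm
echo "Candidate rules (review before adding to the local override):"
printf '%s\n' "$SAMPLE_AUDIT" | suggest_rules php-fpm
```

Running it on the samples lists the two denied files under /srv/www/htdocs and prints `r,` rules for each; the ALLOWED line and the SYSCALL line produce nothing. After appending the reviewed rules and reloading the profile, the profile can be put back into enforce mode with `aa-enforce php-fpm` (from apparmor-utils, which also provides `aa-logprof` for doing this interactively), and a fresh `grep DENIED /var/log/audit/audit.log` confirms no further denials for the document root.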