When PHP-FPM goes down - Page 2

Comments

  • Levi Member

    @stefeman said:

    @Levi said:

    @ehhthing said: There's absolutely no reason to even consider this

    virtono.com root dir got exposed to the world for ~24 hours straight. Apparently it is possible and has potential to destroy reputation beyond repair.

    In theory curl should give some kind of insight into situation.

    Your supposed example is possible if the sysadmin follows multiple online guides and jumps between them copy pasting everything without knowing what he is doing.

    It's impossible even for a novice to do this using the default commands for package installs.

    But in public forum we can discuss things like that? Or it is so stupid that it is deemed taboo? :)

  • stefeman Member
    edited February 5

    @Levi said:

    @stefeman said:

    @Levi said:

    @ehhthing said: There's absolutely no reason to even consider this

    virtono.com root dir got exposed to the world for ~24 hours straight. Apparently it is possible and has potential to destroy reputation beyond repair.

    In theory curl should give some kind of insight into situation.

    Your supposed example is possible if the sysadmin follows multiple online guides and jumps between them copy pasting everything without knowing what he is doing.

    It's impossible even for a novice to do this using the default commands for package installs.

    But in public forum we can discuss things like that? Or it is so stupid that it is deemed taboo? :)

    It's so stupid that everyone will ask you to re-install.

    Nobody in their right mind would have time or interest to ask you to post your PHP configs, system info and webserver configs, then debug them for free, and give you directions and commands to fix them.

    Why would anyone waste their time when this will be fixed by default by re-installing and then copying over the folder structure to www root?

    Everyone here can see that it works, and then it doesn't work, so it's probably a week's worth of work trying to find the cause in some big system that likely has another service which takes over the webserver.

  • Not to mention, you posted a hypothetical question.

    If you need technical advice, start the thread with all info you have available.

    Such things could be:

    Hardware
    OS
    Webserver
    PHP type/version/handler
    Config files (Webserver/PHP)
    error logs/crashlogs/System logs

  • Levi Member

    @stefeman said:
    Not to mention, you posted a hypothetical question.

    If you need technical advice, start the thread with all info you have available.

    Such things could be:

    Hardware
    OS
    Webserver
    PHP type/version/handler
    Config files (Webserver/PHP)
    error logs/crashlogs/System logs

    Yes, this thread is hypothetical. So, please post your hypothetical solution.

  • tentor Member, Host Rep

    @Levi said: please post your hypothetical solution

    Test your configuration in a dev environment before deploying on prod

  • @tentor said:

    @Levi said: please post your hypothetical solution

    Test your configuration in a dev environment before deploying on prod

    And re-install.

  • tentor Member, Host Rep

    @Levi, I think OWASP CRS for ModSecurity WAF has a rule that deals with your concern.

  • Levi Member

    @tentor said:
    @Levi, I think OWASP CRS for ModSecurity WAF has a rule that deals with your concern.

    Finally! Thank you my man.

  • @xvps said:

    @totally_not_banned said:

    @risharde said:

    @totally_not_banned said:

    @Levi said:

    @totally_not_banned said:

    @Levi said:
    Virtono.com anyone? Ffs people... Ihostart? Florin?

    There is a big difference between uploading a broken configuration and not actually testing it versus "something happening suddenly". If you upload a broken config and go take a nap without thinking twice about it all safeguards you could add there likely aren't there/tested either.

    And no monitoring for situations like this?

    Well, you could set up a looped curl on another box that would constantly request some php file and send emails to everyone including your dog while setting off a text message every 30 seconds to your private cellphone. Well, either this or... you just actually test the configurations you upload.

    This was going to be my second set of thoughts as well!

    How about you monitor to see if raw php code is detected when accessing your website and figure out a way to autoshutdown webserver until you fix it including receiving emails as @totally_not_banned said.

    Edit: a monitor script on the server could theoretically do this without remote monitoring.

    True, the monitor doesn't really have to run remotely. If the webserver isn't up there's nothing to monitor anyways.

    https://paste.sh/7uuC1tf2#7tQeS_M7hsQ6lR5FPjgsAF_H

    Autoshutdown technology ;)

    I guess personally I'd probably still prefer the dog approach though.

    Well, it might be a better idea to stop nginx/apache with the script instead of shutting down the server.

    Well, yeah but shutting down the whole box (for added security) is more funny ;)

  • vsys_host Member, Patron Provider

    I can create a configuration that will output the text of a PHP file when FPM fails. However, it's difficult to envision how this could happen unintentionally. Regardless, the following command can be used to stop Nginx if PHP code is detected:

  • varwww Member
    edited February 5

    This actually happened to me a decade back on a WordPress site. I was running apache+php (custom ppa) on ubuntu 14.04 or something. Not sure what happened, I think php or apache got automatically upgraded to a newer release and the apache config got reset. All the *.php were getting served as raw files. However there was no damage since the mysql database was locked to localhost.

    Since then I have moved on to nginx+php-fpm. Now whenever something like this happens, usually nginx returns http 5xx instead of serving php files as raw text files. I also sometimes test by intentionally removing php-fpm to check what happens to prevent shit like this.

    TL;DR your apache/web server config is most likely misconfigured.

  • vsys_host Member, Patron Provider

    @vsys_host said:
    I can create a configuration that will output the text of a PHP file when FPM fails. However, it's difficult to envision how this could happen unintentionally. Regardless, the following command can be used to stop Nginx if PHP code is detected:

    Oh my God. It's a problem with posting a command.
    Sorry for that.

    I'll try in this way:

    https://prnt.sc/OHLkyr8a9CWJ

  • tentor Member, Host Rep
    edited February 6

    @vsys_host said: Oh my God. It's a problem with posting a command.

    I think you shouldn't have taken a screenshot of a single CLI line, better to post it as text.

    Thanked by 1: vsys_host
  • @tentor said: I think you shouldn't have taken a screenshot of a single CLI line, better to post it as text.

    Most likely blocked by Cloudflare thing and not allowed to post as plaintext... but yeah, fallback to screenshot rather than some paste service is meh.

    Thanked by 2: tentor, vsys_host
  • vsys_host Member, Patron Provider

    @tentor said:

    @vsys_host said: Oh my God. It's a problem with posting a command.

    I think you shouldn't have taken a screenshot of a single CLI line, better to post it as text.

    @JabJab said:

    @tentor said: I think you shouldn't have taken a screenshot of a single CLI line, better to post it as text.

    Most likely blocked by Cloudflare thing and not allowed to post as plaintext... but yeah, fallback to screenshot rather than some paste service is meh.

    Yes, it's blocked by Cloudflare and not allowed to post(((
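
The local monitor discussed in this thread (detect raw PHP in a response, then stop the web server rather than the whole box), written out as an added example; it is not any poster's script or the command from the screenshot. The canary file `fpm-canary.php`, its URL, the `fpm-ok-42` token and the systemd unit name `nginx` are all assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): watchdog for raw PHP source leaks.
# Assumed canary file in the web root, e.g. /var/www/html/fpm-canary.php:
#   <?php echo 'fpm-ok-' . (6 * 7);
# Executed, it prints "fpm-ok-42"; served raw, the body contains "<?php".

CANARY_URL="${CANARY_URL:-http://127.0.0.1/fpm-canary.php}"  # assumed URL
EXPECTED="fpm-ok-42"                 # only the PHP interpreter can produce this
WEB_SERVICE="${WEB_SERVICE:-nginx}"  # assumed systemd unit name
NL='
'

# classify_response STATUS BODY -> prints ok | leak | down
classify_response() {
    case "$2" in
        *'<?php'*|*'<?='*) echo leak; return ;;  # source reached the client
    esac
    if [ "$1" = "200" ] && [ "$2" = "$EXPECTED" ]; then
        echo ok
    else
        echo down   # 5xx, timeout or unexpected body: broken, but not leaking
    fi
}

# Probe the canary once; only a confirmed leak stops the web server.
check_once() {
    # curl appends "\n<status>" so body and status arrive in one capture.
    resp=$(curl -s -m 5 -w '\n%{http_code}' "$CANARY_URL") || resp="${NL}000"
    status=${resp##*"$NL"}
    body=${resp%"$NL"*}
    verdict=$(classify_response "$status" "$body")
    case "$verdict" in
        leak) logger -t fpm-canary "raw PHP served, stopping $WEB_SERVICE"
              systemctl stop "$WEB_SERVICE" ;;
        down) logger -t fpm-canary "PHP backend unhealthy (HTTP $status)" ;;
    esac
    echo "$verdict"
}

# Run from cron or a systemd timer as: fpm-canary.sh --check
if [ "${1:-}" = "--check" ]; then
    check_once
fi
```

A 5xx from the canary is logged but does not stop the service, since that is the safe failure mode varwww describes; only a body containing a PHP open tag triggers the stop.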
