Virtualmin on debian 10 cannot get apache2 php to run as domain user

SYSTEM INFORMATION
OS type and version Debian Linux 10
Webmin version 2.005
Virtualmin version 7.10.0
Related packages SUGGESTED

I am at a loss. I realized that apache2 is not running as domain user. In my Apache sites-avail conf files, it is configured for SuexecUserGroup correctly. There are no Suexec errors in Apache at all, however when checking phpinfo() you can see that it is running as www-data.

I have looked all over with another server that is running debian 11 and running correctly. I cannot figure out why I can’t get this running as the domain user.

I have also noticed that I cannot get this server to switch php versions. Something does not seem to be working correctly. I can’t find any log files to point me to anything.

In php options I have it as FCGID. I do not know how many times I’ve switched exe modes and tried them all like FPM but nothing seems to change. I know I need FCGID or FPM. Switching php version does nothing.

Is there anywhere I can check in webmin to understand why I cannot get this to work? I cannot find any difference in configuration of apache2 from a working server with virtualmin and this server.

In case this helps

root@web:/etc/apache2/suexec# apachectl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 fcgid_module (shared)
 filter_module (shared)
 headers_module (shared)
 http2_module (shared)
 include_module (shared)
 lbmethod_byrequests_module (shared)
 mime_module (shared)
 mpm_event_module (shared)
 negotiation_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_express_module (shared)
 proxy_fcgi_module (shared)
 proxy_fdpass_module (shared)
 proxy_ftp_module (shared)
 proxy_hcheck_module (shared)
 proxy_html_module (shared)
 proxy_http_module (shared)
 proxy_http2_module (shared)
 proxy_scgi_module (shared)
 proxy_uwsgi_module (shared)
 proxy_wstunnel_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_shm_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 suexec_module (shared)
 xml2enc_module (shared)

Apache never runs as the domain user.

If you are using suexec, then the suexec process runs as the domain user, but you should almost certainly use PHP-FPM, which runs as the domain user.

If you are seeing your PHP applications run as the Apache user, it means you have installed mod_php, and you should not have done that and you should undo that. It is always a mistake to install mod_php.

@Joe Thanks for the reply. I’ve provided a screenshot of the php options in virtualmin below.
So how do I check if mod_php is installed? I guess I should have shown php modules, sorry. I just do not think mod php is installed. But then again, I have trouble trying to enable and disable using a2dismod/a2enconf because it does not find my

root@web:~# php -m
[PHP Modules]
bz2
calendar
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
json
libxml
mailparse
mbstring
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
Phar
posix
readline
Reflection
session
shmop
SimpleXML
sockets
sodium
SPL
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zlib

[Zend Modules]
Zend OPcache

I’m very confused with this since I have 3 virtualmin’s running and cannot understand really how this is working to have php run as the domain user.

This is a working server running as domain user config: CentOS7


This is a production server running as a domain user config: debian 11


The server not working has screenshots from my previous reply. I’ve tried matching configurations etc and just cannot get it working as domain user.

If anyone has any experience or things to look at troubleshooting why this would happen please share.

Ok, it’s quite simple.

Don’t install mod_php on a Virtualmin system.

If it has been installed on your Virtualmin system, then remove it immediately.

And read again Joe’s message above.

Don’t compare a CentOS 7 system to a more recent Virtualmin install. Things change.

I might be wrong about it being mod_php. I don’t see it in the list of Apache modules (it’d be named just php), but there aren’t a lot of other explanations for how things would end up running as the Apache user. The only execution modes we support and would configure would be with suexec or FPM (or mod_php, but it’s not available by default), and only mod_php runs as the web server user.

So, something is amiss.

OP, you need to show us the relevant bits of the VirtualHost section for the offending site from httpd.conf. Anything related to PHP, CGI, Exec.

@Joe thanks again for taking the time

I did take a lot of time to search online for checking if mod_php was there. I managed to exec an apt remove php7.3* and removed what I believed was mod_php. I did the same for php8.3, which is the version I want to use

apt remove php8.3
The following packages will be REMOVED:
  php php8.3
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 77.8 kB disk space will be freed.
Do you want to continue? [Y/n] y

My apps are fine after exec above. So I’m pretty sure mod_php is not present.

Here is all my <VirtualHost *:443>. I’ve changed the url to plain domain.ca

<VirtualHost *:443>
    SuexecUserGroup "#1010" "#1007"
    ServerName domain.ca
    ServerAlias www.domain.ca
    ServerAlias mail.domain.ca
    #ServerAlias webmail.domain.ca
    ServerAlias admin.domain.ca
    DocumentRoot /home/domain/public_html
    ErrorLog /var/log/virtualmin/domain.ca_error_log
    CustomLog /var/log/virtualmin/domain.ca_access_log combined
    ScriptAlias /cgi-bin/ /home/domain/cgi-bin/
    ScriptAlias /awstats/ /home/domain/cgi-bin/
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/domain/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    <Directory /home/domain/cgi-bin>
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    RewriteEngine on
    #RewriteCond %{HTTP_HOST} =webmail.domain.ca
    #RewriteRule ^(?!/.well-known)(.*) https://domain.ca:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.domain.ca
    RewriteRule ^(?!/.well-known)(.*) https://domain.ca:12000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.4
    RemoveHandler .php8.3
    RedirectMatch ^/awstats$ /awstats/
    SSLEngine on
    #SSLCertificateFile /etc/letsencrypt/live/domain.ca/cert.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/domain.ca/privkey.pem
    #SSLCertificateChainFile /home/domain/ssl.ca
    #SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 

    SSLCertificateFile /etc/letsencrypt/live/domain.ca/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.ca/privkey.pem 

    <Files awstats.pl>
        AuthName "domain.ca statistics"
        AuthType Basic
        AuthUserFile /home/domain/.awstats-htpasswd
        require valid-user
    </Files>


</VirtualHost>

The one thing I found different in phpinfo() was that this path compared to my working virtualmins. I do not know if this has any relevance.

This is working

This is my problem machine

FPM and fcgid would look quite different. But, when I look at my systems, they do report the right user (but I’m not looking at the Apache process, because the Apache process always runs as the Apache user, and it’s not expected to do otherwise).

(This system is running with FPM, of course.)

@Joe thanks for sharing

well I’ve tried all the configs for this problem domain. I’ve managed to create a new dummy virtual server and I can confirm this one worked as domain user for php when I check phpinfo(). So the server looks to configure new domains properly. It would sure be cool to see virtualmin code as it does the config so I could follow it and see maybe an indication of what could have gone wrong with my problematic domain.

I also tried to fine comb through the apache2 .conf file of this working dummy domain to ensure it’s the same for the problematic domain and it just will not give me the domain user in FPM. buggers

Anyway, unless there are other things to check I’m assuming my best course of action will be to backup, delete this domain and re-create it… too bad, I would have liked to have found the problem so I could report it here.

You’re in luck. You can see every bit of code in Virtualmin.

But, this is going to be a problem in the FPM configuration and almost certainly something that happened after Virtualmin created your domain, I think. Since your Apache configuration looks correct, and since no one has ever reported this problem before. So, pretty sure you have something custom that breaks the user configuration. Maybe a syntax error in one of your other PHP configs that prevents loading the whole config.

Check the file in /etc/php-fpm.d/<domain-id>.conf (where domain-id is the number correlating to your problem domain, which you can find with virtualmin list-domains --id-only --domain <domainname.tld>) for the user and group fields, and also check any customization you have in the php-fpm config files to make sure they’re valid.

Wait. In this screenshot, Virtualmin on debian 10 cannot get apache2 php to run as domain user - #9 by gstlouis

The domain name is being shown! What makes you think your PHP apps are not running as the user!?

@Joe

I believe this for sure, because when creating a dummy domain proved the virtualmin script is working I think.

Sorry, this is from the dummy domain I created, showing us that creating a new virtual server on this machine is working just fine.

So I just need to try and find out where I went wrong with this problematic domain so maybe I could share. If not, well I’ll just have to re-create it. Unfortunately, it’s been so long since this machine was made that I do not recall if I did things outside the virtualmin way. I do know that my apache2 .conf file for this problematic domain is titled with 0-domain.ca.conf when usually domains start simply with domain.ca.conf, so it’s like it was deleted and rebuilt or something. I just don’t remember.

Interesting, cool thanks for sharing. I do not have /etc/php-fpm but I do have /etc/php/8.2/fpm/pool.d that holds all the domains and default www.conf
Holly shatballs batman I got it working!
If you look at these files /etc/php/8.2/fpm/pool.d/*.conf below
The last one, which is www.conf, holds www-data:www-data, but also had listen:/run/php/php8.3-fpm.sock and my other ones are listen = 127.0.0.1:800*

What I do not understand is my first below “mysandbox” is working with its own user even if it has listen = 127.0.0.1:8001. But what I did is change the problematic from listen = 127.0.0.1:8002 to listen = /run/php/php8.3-fpm.sock which crashed on systemctl restart php8.3-fpm because www.conf conflicted with same path, but then I did mv www.conf www.conf.bak and fpm restarted and my problematic is working.

So I’m still not sure what is going on here since mysandbox works with its path, but problematic wasn’t, but at least I know this is fixing the problem. Any repercussions leaving www.conf.bak? Or can I fix my problematic with another listen path?

I actually have this error in php options

[171156851729758](working on fpm)
user = mysandbox
group = mysandbox
listen.owner = mysandbox
listen.group = mysandbox
listen.mode = 0660
listen = 127.0.0.1:8001
pm = dynamic
pm.max_children = 20
pm.start_servers = 3
pm.min_spare_servers = 1
pm.max_spare_servers = 10
php_value[upload_tmp_dir] = /home/mysandbox/tmp
php_value[session.save_path] = /home/mysandbox/tmp
php_value[log_errors] = On


[149891341662722](problematic)
user = problematic
group = problematic
listen.owner = problematic
listen.group = problematic
listen.mode = 0660
listen = 127.0.0.1:8002
pm = dynamic
pm.max_children = 20
pm.start_servers = 3
pm.min_spare_servers = 1
pm.max_spare_servers = 10
php_value[upload_tmp_dir] = /home/problematic/tmp
php_value[session.save_path] = /home/problematic/tmp
php_value[log_errors] = On
php_value[error_log] = /home/problematic/logs/php_log
php_admin_value[error_reporting] = E_ALL


[www](providing only some parts of www.conf)
 *
user = www-data
group = www-data
*
listen = /run/php/php8.3-fpm.sock

ok I think I have everything working now.

After understanding a little more about fpm and reading this post

Doing a grep on my problematic conf file in /etc/apache2/sites-available/ I realized that there was a problem with the apache file missing this snippet

    <FilesMatch \.php$>
        SetHandler proxy:fcgi://127.0.0.1:8002
    </FilesMatch>

I think @Joe would have caught this if I had shown not only my <VirtualHost *:443> block but my <VirtualHost *:80> as well, as it had this. I do not know why my 443 was missing this but I’m sure somewhere I’m to blame. Now that I understand a little more about php-fpm and the SetHandler proxy:fcgi I can see this was the missing piece.

Thanks again Joe for all the leads! I would have never found how this all worked and using the virtualmin list-domains --id-only --domain to get the domain ID


This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.
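
Added example, not part of any post in this thread: a small audit of the misconfiguration found above, which cross-checks each VirtualHost's `SetHandler proxy:...` target against the PHP-FPM pool that listens there and flags vhosts with no handler of their own (PHP then falls through to whatever server-wide handler exists) or with a handler that lands in a pool running as a different user. The function names and the embedded sample configs are constructed for illustration, and the check assumes the handler target is written exactly as the pool's `listen` value.

```python
import re

# Constructed sample input modelled on the thread: :80 has the handler, :443 does not.
APACHE_CONF = """\
<VirtualHost *:80>
    ServerName domain.ca
    <FilesMatch \\.php$>
        SetHandler proxy:fcgi://127.0.0.1:8002
    </FilesMatch>
</VirtualHost>
<VirtualHost *:443>
    ServerName domain.ca
    RemoveHandler .php
</VirtualHost>
"""
POOLS = """\
[149891341662722]
user = problematic
listen = 127.0.0.1:8002
[www]
user = www-data
listen = /run/php/php8.3-fpm.sock
"""

def parse_pools(text):
    """Map each pool's listen address to the user that pool runs as."""
    pools = {}
    for section in re.split(r"^\[", text, flags=re.M)[1:]:
        kv = dict(re.findall(r"^\s*(user|listen)\s*=\s*(\S+)", section, re.M))
        if len(kv) == 2:
            pools[kv["listen"]] = kv["user"]
    return pools

def audit(apache_text, pool_text, expected_user):
    """Return (vhost address, problem) for every vhost not served by expected_user's pool."""
    pools = parse_pools(pool_text)
    findings = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", apache_text, re.S | re.I):
        addr, body = m.group(1), m.group(2)
        # Matches proxy:fcgi://host:port and proxy:unix:/path|fcgi://...; skips commented lines.
        h = re.search(r'^\s*SetHandler\s+"?proxy:(?:fcgi://|unix:)([^\s|"]+)', body, re.M | re.I)
        if not h:
            findings.append((addr, "no PHP-FPM handler"))
        elif pools.get(h.group(1)) != expected_user:
            findings.append((addr, f"handler {h.group(1)} runs as {pools.get(h.group(1))}"))
    return findings

if __name__ == "__main__":
    print(audit(APACHE_CONF, POOLS, "problematic"))
```

On a real system the two strings would be read from the site's file in /etc/apache2/sites-available/ and the concatenated /etc/php/<version>/fpm/pool.d/*.conf files.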