Problem:
You are using the Froxlor open source webhosting admin panel, together with the Apache2 webserver and the mod_php5 PHP handler. You installed a PHP web application that wants to access files outside of its document root, or used an Alias Apache directive to the same effect. The vhost configuration for its domain is done inside Froxlor, and you want to use the open_basedir PHP directive for added security.
The two solutions below were tested with Froxlor 0.9.27.
Solution 1: Adding the same additional directories for all virtual hosts at once
In the Froxlor panel, go to "Server -> Settings -> Web Server Settings -> Configuration", where you'll find an option to append paths to the open_basedir setting of all your virtual hosts. Compared to the per-vhost setting below, this is a much simpler solution, so it is probably a good idea to add some standard paths here even if they're not needed by every single site, such as the PHP PEAR paths.
Solution 2: Adding different directories for different virtual hosts
- Create this domain as a "main domain" within Froxlor, because only main domains can have domain-specific vhost configuration. If you created it as a subdomain (that is, using a Froxlor customer user instead of an admin user), you have to delete it there and re-create it as a main domain using an admin user. (Froxlor will not delete your domain's PHP etc. files when deleting it in Froxlor's panel.) You can create a Froxlor "main domain" even for a subdomain, but be sure to set the "This domain is subdomain of:" setting correctly then.
- Disable the OpenBasedir setting for this domain. This is done in the settings while creating the domain, and can be changed later. It is needed to prevent Froxlor from generating an open_basedir setting, as we want to create our own custom setting for that below.
- Add your own open_basedir settings in "Own vHost Settings:". This is done in the settings while creating the domain, and can be changed later. You should enter there a line that includes both the values that Froxlor normally uses for open_basedir (namely, the document root directory and /tmp) and the additional values you need. So for example something like:
  php_admin_value open_basedir "/var/customers/webs/customer1/sub-example-com/:/tmp/:/usr/share/pear/"
Note the two spaces in the front – this will nicely indent your line in the Apache config file 😉
- Re-create configs. For that, do one of these:
  - Execute this via SSH on the server:
    php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force
  - Wait until the next Froxlor cron job runs, which will also rewrite all vhost configs that need changes. (Clicking "Server -> Re-create configs" in Froxlor won't speed that up, it just queues additional config files for re-creation.)
- Restart Apache, because the config changes will not be picked up automatically in all cases. So:
  service apache2 restart
- Test the effect. Create a phpinfo.php script containing
  <?php phpinfo(); ?>
in the affected domain's document root, open it in your browser and look for the value of open_basedir.
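A complementary check on the regenerated vhost file itself, as an added example that is not part of the original post or of Froxlor: it confirms there is exactly one open_basedir directive, that it is set with php_admin_value, and that it still contains the document root and /tmp/ that Froxlor would normally have set. The function name, the sample vhost and its IP address are constructed; pipe the real generated vhost file into the function instead.

```shell
#!/bin/sh
# Added example: audit the open_basedir directive in one vhost config.
# Usage: check_open_basedir DOCROOT < vhost.conf
# Prints one finding per line and returns 0 only if there are none.
check_open_basedir() {
    want=${1%/}/            # document root, normalised to end in "/"
    findings=0 has_root=0 has_tmp=0
    re='^[[:space:]]*php_(admin_)?value[[:space:]]+open_basedir[[:space:]]+'
    lines=$(grep -E "$re" || true)
    count=$(printf '%s\n' "$lines" | grep -c open_basedir || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one open_basedir directive, found $count"
        return 1
    fi
    case $lines in
        *php_admin_value*) ;;
        *) echo "php_value can be overridden from .htaccess; use php_admin_value"
           findings=1 ;;
    esac
    # Strip the directive name and the surrounding quotes, keep the path list.
    value=$(printf '%s\n' "$lines" | sed -E "s/$re//; s/^\"//; s/\"[[:space:]]*\$//")
    old_ifs=$IFS; IFS=:; set -f
    for p in $value; do
        case $p in
            /*/) ;;   # absolute and ends in "/", as in the page's example
            *) echo "entry '$p' is not an absolute path ending in /"; findings=1 ;;
        esac
        case $p in "$want") has_root=1 ;; /tmp/) has_tmp=1 ;; esac
    done
    IFS=$old_ifs; set +f
    [ "$has_root" -eq 1 ] || { echo "document root $want is missing"; findings=1; }
    [ "$has_tmp" -eq 1 ] || { echo "/tmp/ is missing"; findings=1; }
    return "$findings"
}

# Constructed sample: a vhost using the page's example line (placeholder address).
SAMPLE_CONF='<VirtualHost 192.0.2.10:80>
  ServerName sub.example.com
  php_admin_value open_basedir "/var/customers/webs/customer1/sub-example-com/:/tmp/:/usr/share/pear/"
</VirtualHost>'
printf '%s\n' "$SAMPLE_CONF" |
    check_open_basedir /var/customers/webs/customer1/sub-example-com && echo "open_basedir OK"
```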
Discussion
There would normally be a lot of alternative ways to solve this, but they're all blocked for various reasons:
- You cannot simply change the Froxlor-generated vhost configuration file (for example /etc/apache2/conf.d/22_manual_fix_vhost_sub.example.com.conf) because your change will be lost when Froxlor re-generates all the config files after the next change done to any domain configuration in the Froxlor backend.
- You cannot manually create another Apache configuration file, say /etc/apache2/conf.d/45_manual_fix_vhost_sub.example.com.conf, to overwrite the Froxlor-provided open_basedir setting with your own value. That's because (according to my tests at least) Apache2 will only accept the first <VirtualHost ...></VirtualHost> configuration directive it finds per named virtual host.
- In PHP, there is no way to give open_basedir values globally in php.ini that would be appended to by the open_basedir directive. Instead, they will be overwritten. However, there has been a feature request for some time now to change that behavior.
- There is no Froxlor setting to add another directory to every open_basedir line it generates, even though that would be helpful for things like PEAR.
- You cannot provide this vhost configuration setting for all virtual hosts at once via the settings for one IP in Froxlor's "Server -> IPs and Ports" view, because the open_basedir setting has to include a domain-specific value or it won't make much sense.