PHP stopped working after downgrade to php-legacy [authz_core:error]

drankinatty · 2023-08-19 13:58:31

I have pulled my hair out on the downgrade from PHP 8.2 to php-legacy in preparation for a Nextcloud install. After installing php-legacy, php continued to work and showed the server was using the proper php. The server string being Apache/2.4.57 (Unix) OpenSSL/3.1.2 mod_fcgid/2.3.9 PHP/8.1.22. This even though the php-8.2 package and a few sub-packages were still installed. PHP worked fine. Now after removing the remaining PHP 8.2 packages I can't even get the test

<?php phpinfo(); ?>

to work. In fact, nothing with the .php extension will load. Any attempt to load a .php document resultsin a 403 Forbidding response from the server.

The full error received is:

[authz_core:error] [pid 5415] [client 192.168.6.104:50256] AH01630: client denied by server configuration: /srv/http/fcgid-bin/php-fcgid-wrapper

I have been back through the Apache-PHP page in great detail many times. Specifically I use the 3.1.2 Using apache2-mpm-worker and mod_fcgid approach, so I have:

 # ll /srv/http/fcgid-bin/
total 0
lrwxrwxrwx 1 root root 23 Aug 19 06:42 php-fcgid-wrapper -> /usr/bin/php-cgi-legacy

 # ll /usr/bin/php-cgi-legacy
-rwxr-xr-x 1 root root 16793712 Aug 13 01:26 /usr/bin/php-cgi-legacy

 # cat /etc/httpd/conf/extra/php-fcgid.conf
# Required modules: fcgid_module

<IfModule fcgid_module>
    AddHandler php-fcgid .php
    AddType application/x-httpd-php .php
    Action php-fcgid /fcgid-bin/php-fcgid-wrapper
    ScriptAlias /fcgid-bin/ /srv/http/fcgid-bin/
    SocketPath /var/run/httpd/fcgidsock
    SharememPath /var/run/httpd/fcgid_shm
        # If you don't allow bigger requests many applications may fail (such as WordPress login)
        FcgidMaxRequestLen 536870912
        # Path to php.ini – defaults to /etc/phpX/cgi
        # DefaultInitEnv PHPRC=/etc/php/
        ## Path to php-legacy php.ini
        DefaultInitEnv PHPRC=/etc/php-legacy/
        # Number of PHP childs that will be launched. Leave undefined to let PHP decide.
        #DefaultInitEnv PHP_FCGI_CHILDREN 3
        # Maximum requests before a process is stopped and a new one is launched
        #DefaultInitEnv PHP_FCGI_MAX_REQUESTS 5000
    <Location /fcgid-bin/>
        SetHandler fcgid-script
        Options +ExecCGI
    </Location>
</IfModule>

 # grep 'httpd-mpm' /etc/httpd/conf/httpd.conf
Include conf/extra/httpd-mpm.conf

 # grep 'php-fcgid' /etc/httpd/conf/httpd.conf
Include conf/extra/php-fcgid.conf

The modifications to /etc/httpd/conf/httpd.conf are:

...
LoadModule unixd_module modules/mod_unixd.so
...
<IfModule unixd_module>
    LoadModule fcgid_module modules/mod_fcgid.so
</IfModule>
<IfModule !mpm_prefork_module>
        LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
        LoadModule cgi_module modules/mod_cgi.so
</IfModule>
...
LoadModule actions_module modules/mod_actions.so
...
## php-legacy 8.1
LoadModule php_module modules/libphp-legacy.so
AddHandler php-script .php
...

There are no errors associated with server startup or reload. Everything seems fine. Putting the <?php phpinfo(); ?> script in /srv/http/htdocs directory so there are no auth issues and verified Require all granted on the directory, I get the following full Debug log:

[Sat Aug 19 06:57:07.262242 2023] [ssl:info] [pid 5415] [client 192.168.6.104:50256] AH01964: Connection to child 4 established (server 2pi.3111skyline.com:443)
[Sat Aug 19 06:57:07.262672 2023] [ssl:debug] [pid 5415] ssl_engine_kernel.c(2395): [client 192.168.6.104:50256] AH02043: SSL virtual host for servername 2pi.3111skyline.com found
[Sat Aug 19 06:57:07.263201 2023] [core:debug] [pid 5415] protocol.c(2460): [client 192.168.6.104:50256] AH03155: select protocol from , choices=h2,http/1.1 for server 2pi.3111skyline.com
[Sat Aug 19 06:57:07.268502 2023] [ssl:debug] [pid 5415] ssl_engine_kernel.c(2254): [client 192.168.6.104:50256] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Sat Aug 19 06:57:07.268626 2023] [socache_shmcb:debug] [pid 5415] mod_socache_shmcb.c(508): AH00831: socache_shmcb_store (0x09 -> subcache 9)
[Sat Aug 19 06:57:07.268643 2023] [socache_shmcb:debug] [pid 5415] mod_socache_shmcb.c(862): AH00847: insert happened at idx=0, data=(0:32)
[Sat Aug 19 06:57:07.268650 2023] [socache_shmcb:debug] [pid 5415] mod_socache_shmcb.c(865): AH00848: finished insert, subcache: idx_pos/idx_used=0/1, data_pos/data_used=0/228
[Sat Aug 19 06:57:07.268657 2023] [socache_shmcb:debug] [pid 5415] mod_socache_shmcb.c(530): AH00834: leaving socache_shmcb_store successfully
[Sat Aug 19 06:57:07.268934 2023] [ssl:debug] [pid 5415] ssl_engine_kernel.c(415): [client 192.168.6.104:50256] AH02034: Initial (No.1) HTTPS request received for child 4 (server 2pi.3111skyline.com:443)
[Sat Aug 19 06:57:07.269021 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of Require all granted: granted
[Sat Aug 19 06:57:07.269031 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of <RequireAny>: granted
[Sat Aug 19 06:57:07.269262 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of Require all denied: denied
[Sat Aug 19 06:57:07.269274 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of <RequireAny>: denied
[Sat Aug 19 06:57:07.269281 2023] [authz_core:error] [pid 5415] [client 192.168.6.104:50256] AH01630: client denied by server configuration: /srv/http/fcgid-bin/php-fcgid-wrapper
[Sat Aug 19 06:57:07.269347 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of Require all granted: granted
[Sat Aug 19 06:57:07.269356 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of <RequireAny>: granted
[Sat Aug 19 06:57:07.269679 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of Require all granted: granted
[Sat Aug 19 06:57:07.269692 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of <RequireAny>: granted
[Sat Aug 19 06:57:07.269874 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of Require all granted: granted
[Sat Aug 19 06:57:07.269886 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of <RequireAny>: granted
[Sat Aug 19 06:57:07.269964 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of Require all granted: granted
[Sat Aug 19 06:57:07.269975 2023] [authz_core:debug] [pid 5415] mod_authz_core.c(815): [client 192.168.6.104:50256] AH01626: authorization result of <RequireAny>: granted
[Sat Aug 19 06:57:12.275407 2023] [ssl:debug] [pid 5415] ssl_engine_io.c(1147): [client 192.168.6.104:50256] AH02001: Connection closed to child 4 with standard shutdown (server 2pi.3111skyline.com:443)

What is odd is that of the four messages that precede the error: the first two show Require all granted: granted and <RequireAny>: granted and then the two immediately preceding the error show Require all denied: denied and <RequireAny>: denied. It's like some module just pops up and rains on the parade. I've never had this much of an issue getting php up and running during the past 15 years. I've searched and read every article I can find related to AH01630: client denied by server configuration: /srv/http/fcgid-bin/php-fcgid-wrapper and 95% of them just describe the change from Allow All to Require all granted that was part of the Apache 2.2->2.4 config changes. That's not the problem here.

The complete list of modules loaded in httpd.conf are

LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php_module modules/libphp-legacy.so

At this point I'm not sure what to check next. It's no doubt a "forrest-for-the-trees" issue and I need help clearing out some of the trees. All other aspects of Apache work just as it did before the downgrade. Access to all directories is fine and all authtype work. It just won't load a php page to save itself.

All thoughts or ideas welcome.

drankinatty · 2023-08-19 23:33:48

Solved

This was frustrating, but makes sense. Noting the denied occurs immediately prior to the execution of the script in /srv/http/fcgid-bin/ directory, I added a separate <Directory> block granting all for that path. I've never had to do this before with fcgi, but no question it is required with the php-legacy setup. Specifically I added the following to my site setup in /etc/httpd/conf/extra/httpd-local.conf:

## fcgid-bin

<Directory "/srv/http/fcgid-bin">
  AllowOverride All
  Require all granted
</Directory>

Restarted the server and magically all works fine now. The Apache-php setup should mention this in the downgrade to php-legacy.

Arch Linux

#1 2023-08-19 13:58:31

PHP stopped working after downgrade to php-legacy [authz_core:error]

#2 2023-08-19 23:33:48

Re: PHP stopped working after downgrade to php-legacy [authz_core:error]

Board footer