Are there plans to support HTTP/2

I’m wondering if there are plans to support HTTP/2 in Apache?

Yes, there are.

It’s enabled in the templates at the moment, but the module isn’t enabled by default, as it doesn’t play nicely with mpm_prefork, so would need either fairly dangerous config changes (for low-spec machines), or a swap to mpm_event.

The rewrite of sympl-web-configure will eventually include configuration for that as well as a few other useful switches and settings.

1 Like

Hi All,

I had this working very nicely on one occasion with symbiosis, switching to mpm_event and PHP_FPM and all running in the conf-enabled directory so the only thing needed was to call the ‘protocols’ keyword. This can be done in the virtualhost part of the configuration and, of course, be delegated to the .htaccess file so that sympl can continue to look after the sites-* files for certificate rotation and the like…

1 Like

Useful to know. Will be a nice little performance boost when it fully arrives. Many things to consider that are outside my current set of knowledge.

+1 on this - more recently I’d been manually swapping our new bytemark+symbiosis hosts to using mpm_event with php-fpm and configuring for HTTP/2 to achieve higher Google Lighthouse scores, so some way of swapping sympl to that would be ideal (I could do it manually but it means amending the virtualhost configs to remove the new mod_php security additions, and not sure if manually amending the virtualhosts will cause any issues further down the line if you add http2 support later?).
Sweet spot would be creating a file in the config directory to say you want to use mpm_event + php-fpm and sympl use a slightly different virtualhost template automatically to support it?

1 Like

It’s very much on the list, but will probably have to wait for a few other things to be rewritten first (SSL and DNS specifically) as they touch so much, but it’s pretty much next on the list.

What I’m working toward is that things like Apache and PHP are fully configurable; specific versions for sites via FPM, (optionally) separate chrooted users for each site, easy to configure back-ends behind Apache, switchable PROXY protocol settings, and things like that.

There’s a lot on the roadmap, and it’ll take a good while to cross them all off, but development is ongoing to deal with the technical debt from Symbiosis, at which point it’s full steam ahead.

1 Like

Much as I am enjoying using Sympl right now, it is very pleasing to see what’s in the pipeline - lots of goodies to look forward to!

2 Likes

I have created a guide to getting http2 working alongside Sympl at https://wiki.sympl.host/view/Http2. There are a few changes that need to be made but the end result means you are still able to use all of the Sympl tools for administering the websites. Let me know if there are any issues.

4 Likes

I tried it and got:
apachectl -t
AH00526: Syntax error on line 7 of /etc/apache2/conf-enabled/sympl-webmail.conf:
Invalid command 'php_admin_value', perhaps misspelled or defined by a module not included in the server configuration

Not using the webmail on this box, so I removed it, and all was well. But something isn’t quite as it should be

Hey Hairydog,

The error suggests you have not run the sed commands on the currently running config.

You can run the second set of sed commands to alter the current config but will then need to process the sympl-web-configure with the --force flag to overwrite with the template.

This way the apachectl -t will give you a thumbs up on the current config as well.

The php-fpm does not like the php_admin_value or the php_admin_flag parameters in the config and these are just changing them to SetEnv parameters so that they still get passed through and set.

I’ve tried again, twice, on absolutely brand new, out-of-the-box Sympl on Buster setups, being VERY careful to exactly follow all the steps. And I still get the same problem.
It would be very helpful if someone who understands it better could do the same, following the steps in the instructions.
Perhaps they could work out what it is telling me to do wrong!

Some questions about these changes:

a) Do php_value settings need to be quoted?

b) Is php_admin_value quoted “key value” back compatible? I.e. will it work on my existing installation pre using fpm?

c) Are any php_value settings in .htaccess passed into fcgi? I have an ancient site with a latin-1 database and want to make php use ISO-8859-1 as the default. So will putting

AddDefaultCharset ISO-8859-1
php_value default_charset ISO-8859-1

into .htaccess work? The arguments may need to be quoted :grinning:.

Nice - all works for me (though I did have to properly restart apache after the sympl-web-configure step for the curl test to correctly show http2 as working). Might be worth being explicit at the top that these commands need to be run as root and not the sympl user (unless you stick sudo in front of them all)?

feel slightly iffy about having to modify the virtualhosts and erb templates thus changing the checksums and blocking any future changes by sympl to those files, be nice longer term to just create a file in config and the templates/virtualhosts to automatically use setenv instead for the php_admin_value’s?

I suspect that there is a problem with your plan to replace

php_admin_value open_basedir .....
php_admin_value upload_tmp_dir ....
php_admin_value session.save_path...

with

SetEnv php_admin_value "open_basedir ....."
SetEnv php_admin_value "upload_tmp_dir ...."
SetEnv php_admin_value "session.save_path ...."

Surely this is setting the same environment variable to a number of different values, and only the last one will actually be used?

Don’t you have to do something with pools?

Well, I’ve been investigating SetEnv and fpm. It seems basically that the SetEnvs are simply ignored: they are set but don’t get actioned to change the ini settings for PHP running in fpm. I’ve been using a local VM site with Sympl installed as a test bed, and then using phpinfo() to see what is happening. The answer is: nothing changes when the SetEnvs are used with fpm.

I found that setting php_value in .htaccess doesn’t appear to work. Apache complains if it’s not changed to a SetEnv, but then doesn’t seem to work either.

However, it’s possible to supply a .user.ini file in any directory that can set PHP values; this probably needs defending against external access in the Apache files. The .user.ini file can be used to set default character sets. I suspect, but haven’t checked, that the values are limited to those that can be changed by users.

Theoretically, PHP ini files can read things from the environment and insert them ‘now’. So can I set up a unique value in the Apache environment and use it with fpm’s initialisation? So we make the Apache config file use SetEnv to load a value into an environment variable, then pick that value up in the pool initialisation file in /etc/php/7.3/fpm/pool.d/www.conf setting the appropriate PHP value.

Sadly this doesn’t work either. It seems that fpm doesn’t understand ${VALUE} where VALUE is in the environment.

The actual documentation on the web on fpm is negligible, lots of it is really old and not relevant. It seems to me that the basic intention for vhosted sites is that each should have its own pool, and then specific system settings can be installed for that pool.

Without using pools, and using the SetEnvs, I think the system is losing a lot of protection, and specifically if you have users accessing vhosted sites with say Wordpress, then you want to sandbox them.

I also want a PHP error log… which currently can be installed as a single file in the www pool, but would be better if it bunged things into the per-vhost error.log.

Pools for Sympl will need some hacks to the ruby setup to generate server-specific pool files, each with their own file settings. Also the apache setup files will need to be told which fpm socket belongs to which server.

So for now, I’ve stopped on this. Anyone out there with better news?

Hi, Sorry it has been a while, I have been a little busy…

I have looked into the SetEnv a little further and have come to these findings.

The SetEnv on its own does not work to cascade the settings through to php (checking with ‘phpinfo();’)

I have found that you can use:

ProxyFCGISetEnvIf "true" PHP_ADMIN_VALUE "open_basedir=/srv/example.com/public/:/srv/example.com/php_tmp/:/srv/example.com/php_sessions/ \n upload_tmp_dir=/srv/example.com/php_tmp \n session.save_path=/srv/example.com/php_sessions/"

as opposed to:

php_admin_value open_basedir /srv/example.com/public/:/srv/example.com/php_tmp/:/srv/example.com/php_sessions/
php_admin_value upload_tmp_dir /srv/example.com/php_tmp/
php_admin_value session.save_path /srv/example.com/php_sessions/

Also you are not able to change the PHP_ADMIN_FLAG value so you are not able to turn off PHP for the uploads folder. I have found that you can use ‘SetHandler !’ to turn off handling file types so the requested files are simply served, which is ideal for images and things in the upload folder. Therefore the proposed change would be:

<LocationMatch "wp-content/uploads/">
    SetHandler !
</LocationMatch>

as opposed to:

<LocationMatch "wp-content/uploads/">
    php_admin_flag engine off
</LocationMatch>

<LocationMatch "wp-content/uploads/.*.php">
    deny from all
</LocationMatch>

I have tested the first change with 2 different domains and all 3 changes are cascading through as you’d want and the second change disables an index.php file from a wp-content/uploads folder yet an image is served.

I’ll hold fire on updating the wiki page at the moment as I’d like you guys to try these modifications first. I think ideally there would be a sandboxed vhost for each domain with its own fpm pool and user/group but that would then impact on the server a little more and require a lot more engineering.

Looking forward to the feedback.

That is the aim once we get to re-implementing the code behind sympl-web - at the moment it’s not really feasible (too much technical debt with the Ruby code, and it touches too many things), but fully sandboxed FPM pools (with things like selectable PHP versions) are on the roadmap for Sympl, just a way down the line at the moment.

There’s good news and bad news.

First the good news. Your solution works very well. Things are set up as expected and I even managed to get roundcube working by changing the setup in the sympl-webmail.conf. I was getting around to suggesting what needs to be put in the config file when the bad news happened.

So the bad news. It seems that the settings are applied when the fpm worker is started and are not re-applied when another website sends pages into the worker.

I have two websites on my test machine… and it was all working well… until I got ‘No input file specified’ in one of them. The error log (which I configured) showed that this was because it was denied access to its files because the ‘open_basedir’ was configured for the other site.

So to prove this - I set fpm to use ‘static’ worker allocation - and gave it one process. I accessed one of the websites, and got the ‘No Input file specified’ message on the other.

The error log is interesting, it was set by Apache in config as part of the PHP_ADMIN_VALUE - and logged to the right file so it’s possible that user settable values are reloaded.

It’s hard to be certain if values set in a .user.ini file are loaded per worker thread or per page being processed. I have one of my sites setting the default charset to ISO-8859-1 in its user.ini and a phpinfo page in each website shows the right setting when the page is loaded - so it seems likely that using this approach is OK for user settable values.

Be good if someone else can verify this too.

However, it really does look as if each vhost needs its own pool, if sandboxing vhosts is wanted.
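
The per-vhost pool arrangement this thread converges on, as an added example that is not part of any post and is not Sympl's own code: a shell sketch that renders a dedicated PHP-FPM pool file and the matching Apache handler for one domain, so the `open_basedir` sandbox is fixed in the pool instead of arriving per request. The function names, the socket path, the `www-data` pool user and the `pm` settings are assumptions; the `/srv/<domain>/` paths and PHP 7.3 are taken from the posts above.

```shell
#!/bin/sh
# Added example: one PHP-FPM pool plus Apache handler per vhost.
# Socket path, pool user and pm values are assumptions, not Sympl defaults.

PHP_VERSION="${PHP_VERSION:-7.3}"      # version seen in the thread's pool.d path
POOL_USER="${POOL_USER:-www-data}"     # assumption: no per-site user yet

# Accept only plain hostnames so a domain can never inject config lines
# or escape /srv via "..", "/" or whitespace.
valid_domain() {
    case "$1" in
        ''|.*|*.|*..*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

socket_path() { printf '/run/php/php%s-fpm-%s.sock' "$PHP_VERSION" "$1"; }

# Pool file: php_admin_value[...] entries apply to every worker in this
# pool, and only this vhost's requests are routed to it.
render_pool() {
    valid_domain "$1" || { echo "invalid domain: $1" >&2; return 1; }
    d="/srv/$1"
    cat <<EOF
[$1]
user = $POOL_USER
group = $POOL_USER
listen = $(socket_path "$1")
listen.owner = www-data
listen.group = www-data
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = $d/public/:$d/php_tmp/:$d/php_sessions/
php_admin_value[upload_tmp_dir] = $d/php_tmp
php_admin_value[session.save_path] = $d/php_sessions/
EOF
}

# Apache side: route this vhost's PHP requests to its own pool socket.
render_handler() {
    valid_domain "$1" || { echo "invalid domain: $1" >&2; return 1; }
    cat <<EOF
<FilesMatch "\.php\$">
    SetHandler "proxy:unix:$(socket_path "$1")|fcgi://$1"
</FilesMatch>
EOF
}
```

The output of `render_pool example.com` would go in the FPM `pool.d` directory and `render_handler example.com` inside that domain's VirtualHost; because the values live in the pool, a worker warmed up by one site can no longer carry that site's `open_basedir` into a request for another.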