#1  scrummie02, 21st December 2012
NGINX/PHP-FPM wordpress issue

I've configured and installed a virtual host and installed php-fpm from the packages and have managed to get wordpress up successfully without issue. It's incredibly fast but I'm having an issue with PHP and network connectivity.

I'm receiving the following error:
Code:
 php_network_getaddresses: getaddrinfo failed: temporary failure in name resolution
I suspect it's because php-fpm and nginx are in a chroot environment. I've scoured Google Groups and the NGINX forums and have found that indeed it's the chroot environment that is the cause of the issue; however, I'm not sure which or libraries are needed to get this to work. I find threads pertaining to Linux and even Solaris but not OpenBSD. It is causing issues with some of my CSS style sheets and other problems with the Wordpress app.

If anyone has gotten WP working in a chroot environment before that has any direction for me it would be most appreciated.

FYI, I have copied the resolv.conf and hosts files over to /var/www/etc as well and it doesn't seem to work.
#2  J65nko, 21st December 2012

If you run tcpdump to tap the port 53 traffic, do you see outgoing DNS requests like I do when doing a "dig www.openbsd.org"?

Code:
$ tcpdump -Xni re0 port 53

22:02:20.211830 192.168.222.20.3960 > 192.168.222.10.53: 29001+ A? www.openbsd.org. (33)
  0000: 4500 003d ee15 0000 4011 0000 c0a8 de14  E..=î...@...À¨Þ.
  0010: c0a8 de0a 0f78 0035 0029 3dab 7149 0100  À¨Þ..x.5.)=«qI..
  0020: 0001 0000 0000 0000 0377 7777 076f 7065  .........www.ope
  0030: 6e62 7364 036f 7267 0000 0100 01         nbsd.org.....

22:02:20.571070 192.168.222.10.53 > 192.168.222.20.3960: 29001 1/0/0 A 129.128.5.194 (49)
  0000: 4500 004d 38c3 0000 4011 046d c0a8 de0a  E..M8Ã..@..mÀ¨Þ.
  0010: c0a8 de14 0035 0f78 0039 9c99 7149 8180  À¨Þ..5.x.9..qI..
  0020: 0001 0001 0000 0000 0377 7777 076f 7065  .........www.ope
  0030: 6e62 7364 036f 7267 0000 0100 01c0 0c00  nbsd.org.....À..
  0040: 0100 0100 0151 8000 0481 8005 c2         .....Q......Â
re0 is my NIC, my workstation is 192.168.222.20 and my local nameserver is 192.168.222.10.

So here we see the request as well as the answer.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3  scrummie02, 21st December 2012

DNS for the server itself is fine. I installed all of the packages. But when I try DNS requests from the web app nothing comes across the wire. It seems that the chroot is preventing it from doing so. I suspect a binary or library must be missing.
#4  J65nko, 21st December 2012

http://php.net/manual/en/function.dns-get-record.php gives some simple examples of PHP code doing DNS lookups. Try one of these on your server.

If that works then the issue is Wordpress. If it does not return any result, then it really is the chrooted PHP install.
#5  J65nko, 21st December 2012

Check the shared libs needed to run 'dig':

Code:
# ldd $(which dig)
/usr/sbin/dig:
        Start    End      Type Open Ref GrpRef Name
        1c000000 3c02e000 exe  1    0   0      /usr/sbin/dig
        0857c000 285b9000 rlib 0    1   0      /usr/lib/libcrypto.so.20.1
        07d3a000 27d68000 rlib 0    1   0      /usr/lib/libc.so.62.0
        0be98000 0be98000 rtld 0    1   0      /usr/libexec/ld.so
You probably will need these shared libs in the chroot.

DNS requests also include a random number that helps the resolver to match the answer with the question and is also meant to prevent somebody from spoofing a fake DNS reply (he would have to guess the random ID correctly):

Code:
$ dig www.openbsd.org     

; <<>> DiG 9.4.2-P2 <<>> www.openbsd.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26376
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.openbsd.org.               IN      A

;; ANSWER SECTION:
www.openbsd.org.        77653   IN      A       129.128.5.194

;; Query time: 1 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Sat Dec 22 00:28:07 2012
;; MSG SIZE  rcvd: 49

00:28:07.341373 192.168.222.20.9625 > 192.168.222.10.53: [bad udp cksum 48aa!] 26376+ A? www.openbsd.org. (33) (ttl 64, id 40525, len 61, bad cksum 0! differs by 9ef2)
00:28:07.342385 192.168.222.10.53 > 192.168.222.20.9625: [udp sum ok] 26376 q: A? www.openbsd.org. 1/0/0 www.openbsd.org. A 129.128.5.194 (49) (ttl 64, id 54455, len 77)
So it looks like you also need the /dev/*random device nodes.
Code:
ls -l /dev/*random*
crw-r--r--  1 root  wheel   45,   3 Dec 21 21:29 /dev/arandom
crw-r--r--  1 root  wheel   45,   0 Apr  5  2010 /dev/random
crw-r--r--  1 root  wheel   45,   1 Apr  5  2010 /dev/srandom
crw-r--r--  1 root  wheel   45,   2 Dec 21 21:29 /dev/urandom
Although for Linux see http://forum.nginx.org/read.php?3,212362,212362

EDIT: As shown in the following post, it turns out that this is not needed at all.
Last edited by J65nko; 23rd December 2012 at 08:46 AM.
#6  J65nko, 23rd December 2012

I installed the latest OpenBSD amd64 snapshot, nginx and php_fpm from the snapshot packages. The only thing I had to do to get DNS lookups working from within php was to create an etc directory and copy /etc/resolv.conf to it:

Code:
root@fidelity[/var/www]cat etc/resolv.conf
search utp.xnet
nameserver 192.168.222.10
I have to admit that I first forgot to create /var/www/etc. Then it does not work at all. The "chroot" starts at /var/www so a program looking for "/etc/resolv.conf" really needs that "etc" directory.

I used the following PHP script:
PHP Code:
<html>

<head>
<title>Test for php DNS requests</title>
</head>

<body>
<h1>Testing PHP-FPM with nginx</h1>


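<?php
// Hostname to look up from inside the chrooted PHP-FPM
$host = 'www.openbsd.org';

echo "<h4>Trying to resolve IP address of $host</h4>";
// Forward lookup; gethostbyname() returns the unmodified name on failure
$ip = gethostbyname($host);

echo <<<END_OF_TXT
<p>
IP address of $host: $ip
</p>  

END_OF_TXT;

echo "<p>A reverse lookup of $ip : ";

// Reverse (PTR) lookup of the address just resolved
$name = gethostbyaddr($ip);
echo $name;
echo "</p>";
?>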
</body>

</html>
The output:

HTML Code:
<html>

<head>
<title>Test for php DNS requests</title>
</head>

<body>
<h1>Testing PHP-FPM with nginx</h1>


<h4>Trying to resolve IP address of www.openbsd.org</h4><p>
IP address of www.openbsd.org: 129.128.5.194
</p>  
<p>A reverse lookup of 129.128.5.194 : obsd3.srv.ualberta.ca</p></body>

</html>
The tcpdump output (truncated because the snap length is too short):

Code:
09:03:42.222806 192.168.222.240.41997 > 192.168.222.10.53: 43294+ A? www.openbsd.org. (33)
09:03:42.223868 192.168.222.10.53 > 192.168.222.240.41997: 43294 1/0/0 A 129.128.5.194 (49)
09:03:42.224031 192.168.222.240.1883 > 192.168.222.10.53: 36739+ PTR? 194.5.128.129.in-addr.arpa. (44)
09:03:42.224944 192.168.222.10.53 > 192.168.222.240.1883: 36739 1/0/0 PTR[|domain]
The modification of /etc/nginx.conf:
Code:
root@fidelity[/etc/nginx]diff -u nginx.conf.orig nginx.conf      
--- nginx.conf.orig     Sun Dec 23 07:06:55 2012
+++ nginx.conf  Sun Dec 23 07:32:07 2012
@@ -66,20 +66,21 @@
 
         # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
         #
-        #location ~ \.php$ {
-        #    root           /var/www/htdocs;
-        #    fastcgi_pass   127.0.0.1:9000;
-        #    fastcgi_index  index.php;
-        #    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
-        #    include        fastcgi_params;
-        #}
+        location ~ \.php$ {
+            #root          /var/www/htdocs;
+            root           /htdocs;
+            fastcgi_pass   127.0.0.1:9000;
+            fastcgi_index  index.php;
+            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+            include        fastcgi_params;
+        }
 
         # deny access to .htaccess files, if Apache's document root
         # concurs with nginx's one
         #
-        #location ~ /\.ht {
-        #    deny  all;
-        #}
+        location ~ /\.ht {
+            deny  all;
+        }
     }
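Review bot: the enabled "location ~ \.php$" block hands every URI ending in .php to 127.0.0.1:9000 with SCRIPT_FILENAME built from the request path, and nothing in the block checks that the file exists under /htdocs. Adding "try_files $uri =404;" as the first line of the block keeps requests for non-existent scripts away from PHP-FPM. The leftover "#root /var/www/htdocs;" line would also be more useful as a comment stating that /htdocs is the document root as seen from inside the /var/www chroot.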
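A check for the failure described in post #6 (no etc directory or resolv.conf under the chroot), as an added example that is not part of the original thread. The function name, the HOST_RESOLV variable and the world-readable requirement (for unprivileged workers) are assumptions of this example; the demo runs against a constructed throwaway tree, not a real /var/www.

```shell
#!/bin/sh
# Added example: audit a chroot for the files the libc resolver reads.
# Assumption: HOST_RESOLV names the host's own resolver file.
HOST_RESOLV=${HOST_RESOLV:-/etc/resolv.conf}

# check_chroot_resolver CHROOT
# Prints one finding per line; returns 0 only when lookups can work.
check_chroot_resolver() {
    chroot_dir=$1
    problems=0
    conf="$chroot_dir/etc/resolv.conf"

    if [ ! -d "$chroot_dir/etc" ]; then
        echo "MISSING dir  $chroot_dir/etc"
        return 1
    fi
    if [ ! -f "$conf" ]; then
        echo "MISSING file $conf"
        return 1
    fi
    # Assumption: workers run unprivileged, so "other" needs read access.
    case $(ls -l "$conf") in
        ???????r*) ;;
        *) echo "PERMS    $conf is not world-readable"
           problems=$((problems + 1)) ;;
    esac
    # Without a nameserver line the resolver has nothing to query.
    if ! grep -Eq '^[[:space:]]*nameserver[[:space:]]+[^[:space:]]+' "$conf"; then
        echo "EMPTY    $conf has no nameserver entry"
        problems=$((problems + 1))
    fi
    # Informational: a copy goes stale when the host file changes.
    if [ -f "$HOST_RESOLV" ] && ! cmp -s "$HOST_RESOLV" "$conf"; then
        echo "DIFFERS  $conf does not match $HOST_RESOLV"
    fi
    [ "$problems" -eq 0 ]
}

# Constructed demo: a temporary directory stands in for /var/www.
demo() {
    root=$(mktemp -d) || return 1
    check_chroot_resolver "$root" || true    # etc/ not created yet
    mkdir "$root/etc"
    printf 'nameserver 192.168.222.10\n' > "$root/etc/resolv.conf"
    chmod 644 "$root/etc/resolv.conf"
    check_chroot_resolver "$root"; rc=$?
    rm -rf "$root"
    return "$rc"
}
demo
```

On the server from the thread the call would be check_chroot_resolver /var/www, run after any change to the host's /etc/resolv.conf.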