[BlueOnyx:26666] Re: Override php_auto_prepend

Michael Stauber mstauber at blueonyx.it
Fri Dec 15 12:18:41 -05 2023


Hi Robert,

> I posted about this a couple of weeks ago, Michael clarified the 
> php_auto_prepend is used by the GUI to log all emails sent by PHP 
> scripts. I have some WordPress sites that use the Wordfence plugin for 
> security, which recommends using the setting for security reasons as 
> well...
> 
> https://www.wordfence.com/help/firewall/optimizing-the-firewall/#firewall-optimization-setup
> 
> Would there be any other way I could apply the Wordfence Firewall 
> Optimization described above to a vsite?

There is no good way to do this without compromises. We can only have 
one auto-prepend file as that option doesn't allow specifying multiple 
files.

Modifying the BlueOnyx auto-prepend file 
/usr/sausalito/configs/php/set_php_headers.php to include the code from 
your Wordfence Firewall isn't really an option. Because then *that* 
code would be run on ALL Vsites as well. Which would most likely cause 
ill side effects and/or unexpected behavior.

So let's break this down further:

You want to include the auto-prepend file of the Wordfence Firewall just 
on one Vsite. You can either have *that*, or the PHP email logging from 
the BlueOnyx auto-prepend.

If I had to, here is what I'd do:

Switch the Vsite to PHP-FPM if it isn't already using it. Locate the 
PHP-FPM pool file of that Vsite.

Depending on the used PHP version and group ID of the Vsite the location 
of that file might differ.

Say the Vsite is "group21" and you're using the OS supplied PHP? Then 
that PHP-FPM pool file would be:

/etc/php-fpm.d/site21.conf

Say you use PHP-8.2 and the Vsite group ID is "site33", then the file 
would be here:

/etc/php-fpm-8.2.d/site33.conf

Edit that file and find the line ...

php_admin_value[auto_prepend_file] = /usr/sausalito/configs/php/set_php_headers.php

... and change it to use the WordPress auto-prepend file instead.

Save the changes.

Then use "chattr +i <filename>" to protect that PHP-FPM pool file 
against modifications. Example:

chattr +i /etc/php-fpm-8.2.d/site33.conf

That means even user "root" cannot modify it and (in this case) the GUI 
won't be able to mess with it either. Because there are GUI related 
handlers which otherwise would try to rewrite the file and would 
overwrite your auto-prepend change with the defaults.

Protecting that file with "chattr +i <filename>" will also mean that you 
lose the ability to make any PHP related changes via the GUI for that 
Vsite.

Restart PHP-FPM. The command also varies depending on the used PHP-FPM 
version:

OS supplied PHP:

systemctl restart php-fpm

Solarspeed-PHP:

systemctl restart php-fpm-<Major-Version>

Examples:

systemctl restart php-fpm-7.4
systemctl restart php-fpm-8.0
systemctl restart php-fpm-8.1
systemctl restart php-fpm-8.2

That should do it.

-- 
With best regards

Michael Stauber
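
Added example, not part of the original message and not BlueOnyx code: a small shell helper for the edit step described above. It replaces the auto_prepend_file line in one pool file only if exactly one such line exists, keeps a .bak copy, and verifies the result. The function names and the script name are hypothetical; the new prepend path is whatever your Wordfence setup reports.

```shell
#!/bin/sh
# Added example (not from the original post): replace the auto_prepend_file
# directive in one PHP-FPM pool file, keeping a backup and verifying the result.
# Usage: sh swap_prepend.sh <pool-file> <absolute-path-to-new-prepend-file>

KEY_RE='^[[:space:]]*php_admin_value\[auto_prepend_file\][[:space:]]*='

# Print the auto-prepend path currently configured in pool file $1.
get_auto_prepend() {
    sed -n "s|${KEY_RE}[[:space:]]*||p" "$1"
}

# Point the directive in pool file $1 at $2. Returns non-zero and leaves the
# file untouched unless exactly one directive is present.
set_auto_prepend() {
    pool=$1
    new=$2
    [ -f "$pool" ] || { echo "no such pool file: $pool" >&2; return 1; }
    case $new in
        *'|'*|*'&'*|*'\'*) echo "unsupported character in path: $new" >&2; return 1 ;;
        /*) ;;
        *) echo "prepend path must be absolute: $new" >&2; return 1 ;;
    esac
    count=$(grep -c "$KEY_RE" "$pool" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 auto_prepend_file line in $pool, found $count" >&2
        return 1
    fi
    cp -p "$pool" "$pool.bak" || return 1
    # Write back into the existing file so owner and mode stay as they were.
    sed "s|${KEY_RE}.*|php_admin_value[auto_prepend_file] = ${new}|" \
        "$pool.bak" > "$pool" || return 1
    [ "$(get_auto_prepend "$pool")" = "$new" ]
}

if [ "$#" -eq 2 ]; then
    set_auto_prepend "$1" "$2" || exit 1
    echo "now: $(get_auto_prepend "$1")"
    echo "next: chattr +i $1, then restart the matching php-fpm service"
fi
```

If the pool file is already protected with chattr +i, the write fails and the function returns non-zero.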