• Resolved acon

    (@acon)


    Hi there,

    My WordPress site is on a self-managed VPS (Ubuntu 18.04 + Apache + PHP7.2). I just installed NinjaFirewall (WP edition) on it and would like to activate the Full WAF mode.

    I choose Apache + CGI/FastCGI or PHP-FPM, which I believe is what I got on my system. Now every time I hit “Finish Installation” it shows a message:

    Error: The following file is not writable, please change its permissions: /var/www/mydomain/public_html/.user.ini

    Most of my PHP settings are in php.ini so I tried to choose php.ini but that didn’t work either. It shows the same message:

    Error: The following file is not writable, please change its permissions: /var/www/mydomain/public_html/php.ini

    The problem is, my php.ini is not even in that directory, but in /etc/php/7.2/fpm.

    I tried to use SSH to log in to my Ubuntu server and used chmod to change the permission of /etc/php/7.2/fpm/php.ini to 664 (was 644) and tried the above installation again but still got the same message.

    Any thoughts?

    Thanks in advance.

    Regards,
    Acon

    • This topic was modified 3 years, 3 months ago by acon.
Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Author nintechnet

    (@nintechnet)

    You shouldn’t change the permission in the /etc/php/7.2/fpm folder, because it must only be accessible (and writable) by root.

    What are the permissions and owner of the public_html folder? It looks like you may have an issue with that.

    You would need to create an empty /var/www/mydomain/public_html/.user.ini file and try to chmod it to either 0644 first or, if the firewall still cannot write to it, to 0777.

    Thread Starter acon

    (@acon)

    Hi @nintechnet

    Thanks for your suggestions.

    (1) I have my ownership and permissions as below:
    ($USER = my linux admin user, www-data = Apache server)

    All directories and files under /public_html/ (including itself): $USER:www-data
    except the /public_html/wp-content/, which belongs to www-data:www-data

    ALL directories under /public_html/ (including itself) have 755.
    ALL files under /public_html/ (including itself) have 644.
    wp-config.php and .htaccess are exceptions. They have 664.

    These are settings suggested by an online VPS/Ubuntu course for better security but I can change the settings if needed.

    (2) When you say “it must only be accessible (and writable) by root“, which root are you referring to? I thought the system root has 777 on all files. Or are you referring to the root user of NinjaFirewall or something else?

    (3) Just wondering how the .user.ini works and why should I use it if my PHP settings are all in the existing php.ini? How would a new .user.ini impact my system?

    Thanks in advance for answering my questions.

    I hope you have a wonderful day.

    Regards,
    Acon

    Plugin Author nintechnet

    (@nintechnet)

    User “root” is the server admin.

    The php.ini file in the /etc/php folder is the server-side PHP configuration file. It applies to the whole server. Hence, you should use it only to modify the global PHP configuration (increasing memory, loading modules etc). You must be user root to do that.

    The “.user.ini” file is the per-directory PHP INI file. It applies only to the directory where it is located (e.g., public_html), which is what you want. You can use it for your local configuration (to load NinjaFirewall, enable the debug log for that site etc). You can create and edit this file as a simple user, without administrative privileges.

    “wp-config.php and .htaccess are exceptions. They have 664”

    Try to create a public_html/.user.ini and chmod it to 0664, like the wp-config.php and .htaccess. This should be working with NinjaFirewall and WordPress.

    Thread Starter acon

    (@acon)

    Hi @nintechnet ,

    Thanks for your reply. Here is what I did:

    cd /var/www/mydomain.com/public_html/
    touch .user.ini
    sudo chown -R ubuntu:www-data .user.ini
    sudo chmod 664 .user.ini

    So now I had an empty .user.ini file with the right ownership and permission, but when I tried to activate the Full WAF mode again, another error message showed up:

    NinjaFirewall detected that the requested changes seemed to crash your blog. The website front-end returned: HTTP 503 Service Unavailable.

    Changes have been undone. You may need to modify your selection and try again.

    What should I do now?

    Regards,
    Acon

    • This reply was modified 3 years, 3 months ago by acon.
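
Added example, not part of any post above and not NinjaFirewall code: the original “not writable” error follows from the mode bits listed earlier in the thread, because the kernel checks owner, then group, then other and stops at the first class that matches. The function names are made up for illustration, `explain_write` assumes GNU `stat`, and the sample values are constructed from the thread on the assumption that PHP runs as www-data with files owned by ubuntu:www-data.

```shell
#!/bin/sh
# Added example: which permission class, if any, lets a user write to a path.

# write_class MODE OWNER GROUP USER "USER_GROUPS"
# Prints root, owner, group, other or none. The kernel stops at the first
# class that matches, so an owner is never helped by group or other bits.
write_class() {
    wc_bits=$(( 0$1 & 0777 ))   # parse as octal, drop setuid/setgid/sticky
    if [ "$4" = root ]; then echo root; return 0; fi   # root bypasses mode bits
    if [ "$4" = "$2" ]; then
        [ $(( wc_bits & 0200 )) -ne 0 ] && echo owner || echo none
        return 0
    fi
    case " $5 " in
        *" $3 "*)
            [ $(( wc_bits & 0020 )) -ne 0 ] && echo group || echo none
            return 0 ;;
    esac
    [ $(( wc_bits & 0002 )) -ne 0 ] && echo other || echo none
}

# explain_write PATH USER: apply write_class to a real path (GNU stat).
# A file that does not exist yet can only be created if its parent
# directory is writable, so the parent is inspected instead.
explain_write() {
    ew_path=$1
    [ -e "$ew_path" ] || ew_path=$(dirname "$ew_path")
    ew_mode=$(stat -c %a "$ew_path")
    ew_owner=$(stat -c %U "$ew_path")
    ew_group=$(stat -c %G "$ew_path")
    ew_class=$(write_class "$ew_mode" "$ew_owner" "$ew_group" "$2" "$(id -Gn "$2")")
    echo "$ew_path ($ew_mode $ew_owner:$ew_group): $2 writes via $ew_class"
}

# Constructed values from the thread; assumes PHP runs as www-data.
write_class 755 ubuntu www-data www-data "www-data"  # public_html -> none
write_class 644 ubuntu www-data www-data "www-data"  # default file -> none
write_class 664 ubuntu www-data www-data "www-data"  # .user.ini -> group
write_class 777 ubuntu www-data nobody "nogroup"     # any account -> other
```

On the server itself, `explain_write /var/www/mydomain/public_html/.user.ini www-data` reports the same result for the real file or, if it is missing, for its parent directory.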
    Plugin Author nintechnet

    (@nintechnet)

    The changes crash the site, hence the firewall removed them.
    Can you check your HTTP error log? Search for the “503” error and paste here the log line so that we’ll know why it crashes.
    You can also check the PHP error log too.

    Thread Starter acon

    (@acon)

    Hi @nintechnet

    I checked my /var/log/ directory and /var/log/apache2/ directory and these are what I found:

    (1) in /var/log/apache2/ there are error.log, error.log.1, error.log.2.gz, etc. I tried to combine the lines within the time frame that the crash happened, which was late night on the 13th (1 day and 18 hours ago), but I didn’t see anything with 503 or NinjaFirewall related though.

    [Fri Nov 12 06:25:01.825501 2021] [mpm_event:notice] [pid 23187:tid 140102092934080] AH00489: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
    [Fri Nov 12 06:25:01.825528 2021] [core:notice] [pid 23187:tid 140102092934080] AH00094: Command line: '/usr/sbin/apache2'
    [Fri Nov 12 07:54:29.108660 2021] [mpm_event:notice] [pid 23187:tid 140102092934080] AH00491: caught SIGTERM, shutting down
    [Fri Nov 12 07:54:45.273652 2021] [mpm_event:notice] [pid 1069:tid 140011440851904] AH00489: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
    [Fri Nov 12 07:54:45.397606 2021] [core:notice] [pid 1069:tid 140011440851904] AH00094: Command line: '/usr/sbin/apache2'
    [Fri Nov 12 16:48:41.521098 2021] [core:error] [pid 1848:tid 140010984654592] [client 193.118.53.210:51160] AH00126: Invalid URI in request HEAD /icons/.%2e/%2e%2e/apache2/icons/sphere1.png HTTP/1.1
    [Sat Nov 13 06:17:19.544080 2021] [access_compat:error] [pid 1848:tid 140010875504384] [client 34.65.161.168:11214] AH01797: client denied by server configuration: /var/www/html/
    [Sat Nov 13 06:25:01.710105 2021] [mpm_event:notice] [pid 1069:tid 140011440851904] AH00493: SIGUSR1 received.  Doing graceful restart
    [Sat Nov 13 06:25:01.757175 2021] [mpm_event:notice] [pid 1069:tid 140011440851904] AH00489: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
    [Sat Nov 13 06:25:01.757203 2021] [core:notice] [pid 1069:tid 140011440851904] AH00094: Command line: '/usr/sbin/apache2'
    [Sun Nov 14 06:25:01.880331 2021] [mpm_event:notice] [pid 1069:tid 140011440851904] AH00493: SIGUSR1 received.  Doing graceful restart
    [Sun Nov 14 06:25:01.939076 2021] [mpm_event:notice] [pid 1069:tid 140011440851904] AH00489: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
    [Sun Nov 14 06:25:01.939104 2021] [core:notice] [pid 1069:tid 140011440851904] AH00094: Command line: '/usr/sbin/apache2'
    [Sun Nov 14 08:10:47.635919 2021] [proxy_fcgi:error] [pid 8853:tid 140010858718976] [client 45.146.164.110:47546] AH01071: Got error 'Unable to open primary script: /var/www/html/index.php (No such file or directory)\n'
    [Sun Nov 14 09:49:12.379215 2021] [proxy_fcgi:error] [pid 7623:tid 140010825131776] [client 47.96.134.185:35400] AH01071: Got error 'Unable to open primary script: /var/www/html/wp-login.php (No such file or directory)\n'
    [Sun Nov 14 12:56:07.004359 2021] [core:error] [pid 8853:tid 140010833532672] [client 45.146.164.110:46654] AH00126: Invalid URI in request POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
    [Sun Nov 14 23:42:35.027957 2021] [proxy_fcgi:error] [pid 8853:tid 140010808321792] [client 45.86.74.235:60541] AH01071: Got error 'Unable to open primary script: /var/www/html/xmlrpc.php (No such file or directory)\n'
    [Mon Nov 15 05:12:33.909439 2021] [access_compat:error] [pid 8853:tid 140010791520000] [client 45.93.249.77:53778] AH01797: client denied by server configuration: /var/www/html/
    [Mon Nov 15 06:25:01.544155 2021] [mpm_event:notice] [pid 1069:tid 140011440851904] AH00493: SIGUSR1 received.  Doing graceful restart
    [Mon Nov 15 06:25:01.607017 2021] [mpm_event:notice] [pid 1069:tid 140011440851904] AH00489: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 configured -- resuming normal operations
    [Mon Nov 15 06:25:01.607057 2021] [core:notice] [pid 1069:tid 140011440851904] AH00094: Command line: '/usr/sbin/apache2'
    [Mon Nov 15 08:03:57.671263 2021] [proxy_fcgi:error] [pid 17696:tid 140011018258176] [client 45.146.164.110:59552] AH01071: Got error 'Unable to open primary script: /var/www/html/index.php (No such file or directory)\n'
    [Mon Nov 15 12:53:52.087685 2021] [core:error] [pid 17696:tid 140010816722688] [client 45.146.164.110:45362] AH00126: Invalid URI in request POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
    [Mon Nov 15 14:47:16.618291 2021] [proxy_fcgi:error] [pid 16904:tid 140011009857280] [client 42.51.55.157:49478] AH01071: Got error 'Unable to open primary script: /var/www/html/index.php (No such file or directory)\n'
    
    (2) in /var/log there are php7.2-fpm.log, php7.2-fpm.log.1, etc., and here are lines from 12th to 15th. Again didn't see anything with 503 or NinjaFirewall related.
     
    [12-Nov-2021 20:37:32] NOTICE: exiting, bye-bye!
    [12-Nov-2021 20:37:32] NOTICE: fpm is running, pid 27066
    [12-Nov-2021 20:37:32] NOTICE: ready to handle connections
    [12-Nov-2021 20:37:32] NOTICE: systemd monitor interval set to 10000ms
    [13-Nov-2021 05:21:42] NOTICE: Terminating ...
    [13-Nov-2021 05:21:42] NOTICE: exiting, bye-bye!
    [13-Nov-2021 05:21:42] NOTICE: fpm is running, pid 30037
    [13-Nov-2021 05:21:42] NOTICE: ready to handle connections
    [13-Nov-2021 05:21:42] NOTICE: systemd monitor interval set to 10000ms
    [13-Nov-2021 13:21:14] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it
    [14-Nov-2021 08:05:08] WARNING: [pool www] server reached pm.max_children setting (5), consider raising it
    [15-Nov-2021 06:25:01] NOTICE: error log file re-opened

    ————-
    I’m not a Linux expert. Can you please have a look at these log lines? Or am I looking at the wrong log files?

    Regards,

    Acon

    Plugin Author nintechnet

    (@nintechnet)

    I don’t see anything interesting in the log.
    Try to enable debugging in WordPress and check the PHP log:
    1. Edit your wp-config.php
    2. Search for:
    define('WP_DEBUG', false);
    3. Replace with:
    define('WP_DEBUG', true);
    4. Add this line below:
    define( 'WP_DEBUG_LOG', true );

    Try to install the firewall in Full WAF mode and then check the log, if any, which will be located in “/wp-content/debug.log”.

    After debugging, undo the above changes.

    Thread Starter acon

    (@acon)

    Hi @nintechnet

    I added these two lines into wp-config.php, restarted Apache and PHP-fpm, tried to activate the Full WAF mode (and failed) several times, but there is no debug.log generated under the /wp-content folder…

    Any thoughts?

    Regards,
    Acon

    Plugin Author nintechnet

    (@nintechnet)

    Can you try to add the directive manually?
    Make sure to do that over FTP, because if there were an error you could delete the .user.ini:
    -Run the “Full WAF” installer.
    -Select “I want to make the changes myself” and follow the instructions.
    -Test your site. If it crashes, delete the INI file.

    Thread Starter acon

    (@acon)

    Hi @nintechnet

    I don’t understand what you mean. I added these directives into wp-config.php manually but they didn’t work.

    Where can I find the Full WAF installer? And how to run the installer over FTP?

    I’m totally confused here.

    Plugin Author nintechnet

    (@nintechnet)

    Go to “NinjaFirewall > Dashboard” and click “Activate Full WAF mode” to run its installer. Select the right HTTP server/PHP SAPI (use the recommended one preferably), then select “I want to make the changes myself” and follow the instructions. Then test your site, frontend and backend. If there’s a fatal error, remove the INI you have created.

    Thread Starter acon

    (@acon)

    Hi @nintechnet

    Thanks for the tip. I’ve used this manual way to activate the full WAF mode. No fatal error showed. The site is still running and my WP dashboard is too.

    However, these came up in my NinjaFirewall dashboard:
    https://prnt.sc/204y1ql

    This showed when I hit the “View error log” (The first line was from a time before the full WAF mode. Don’t know what that is too.):
    https://prnt.sc/204y34w

    Regards,
    Acon

    • This reply was modified 3 years, 3 months ago by acon.
    Plugin Author nintechnet

    (@nintechnet)

    Regarding the user session message, try to reload the page. Does it go away?
    You can ignore the log message, it means no one can read the content of the PHP INI, and that’s a good thing.

    Thread Starter acon

    (@acon)

    Hi @nintechnet

    Good news! The user session error disappeared when I reloaded the page.

    Thanks so much for your time and help. Now I can start learning how to set up the firewall properly.

    Hope you have a wonderful weekend.

    Regards,
    Acon

  • The topic ‘Can activate Full WAF mode (.user.ini / php.ini not writable)’ is closed to new replies.