• Resolved caseybea

    (@caseybea)


    At our site, we are in the middle of migrating to enabling php-fpm (aka FastCGI) on a series of hosts.

    I have three wordpress sites that are causing me to pull my hair out when it comes to “optimizing” the WordFence firewall.

    First– When using the standard apache php handler, it works fine. I have absolutely no issues and the appropriate .htaccess and WAF file gets created and it’s all good and it tells me it’s set.

But when I change to using FastCGI, I simply can NOT get it to work. I go through the steps– which has me first download the .htaccess and .user.ini files, and then I click “Continue”. And the wordfence session for doing this DOES recognize I’m using fastcgi. But once I’ve continued, rather than wordpress acknowledging it’s ready, I get the message “the changes have not been activated yet”, and then– nothing happens. Even restarting php and apache afterwards makes no difference. No amount of waiting makes a difference.

When I follow the steps, the .user.ini and wordfence-waf files ARE created. And they look correct and show up where they should (the wordpress root dir of my site).

    • This topic was modified 4 years, 4 months ago by caseybea.
Viewing 15 replies - 1 through 15 (of 21 total)
Plugin Support wfpeter

    (@wfpeter)

    Hi @caseybea, sorry to hear you’re having problems with this.

    So that we can check the server configuration and whether the .htaccess/ini changes for FastCGI are recognised, can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Note: For the fastest response time, please make sure and add any information or questions directly to this topic and not the email address above unless asked.

    Thanks,

    Peter.

    Thread Starter caseybea

    (@caseybea)

    Peter- thank you for taking the time to assist.

    I just sent the report.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @caseybea, thanks for sending the diagnostics over.

    We were able to see from the diagnostic that the auto_prepend_file value was not set. This sometimes happens if the default php.ini for your host/server executes last and therefore supersedes any additional ini file that does try to set this value.

    Secondly, as you mention possibly having access to the pool config due to restarting php-fpm, it might be a setting in php-fpm’s “pool” file. For example, a line like this with no value will prevent the auto_prepend_file from being set by .user.ini:

    php_admin_value[auto_prepend_file] =

    This file could be in a location like /etc/php/7.X/fpm/pool.d/www.conf, though it may vary on other distributions to the one we have tested on. It may be possible for values like that to be set in php-fpm.conf too, if it’s not found there.

    This Firewall Optimizing help document, if you were not already referencing it may also help: https://www.wordfence.com/help/firewall/optimizing-the-firewall/troubleshooting/#using-a-single-php-ini-on-servers-with-multiple-sites

    Let me know how you get on.

    Thanks,

    Peter.

    • This reply was modified 4 years, 4 months ago by wfpeter.
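As an added check (not Wordfence's code and not posted in the thread), the following POSIX shell script lists every auto_prepend_file directive in php.ini and php-fpm pool files and flags the case Peter describes: a php_admin_value[auto_prepend_file] line, with or without a value, which .user.ini cannot override. The default path list at the bottom is an assumption; the thread itself only mentions /etc/php/7.X/fpm/pool.d/www.conf and /etc/php-fpm.d/www.conf, and the sample files in the test are constructed.

```sh
#!/bin/sh
# Added example, not Wordfence's or the thread's own code: find where php.ini or
# a php-fpm pool file sets or locks auto_prepend_file. Paths passed as arguments
# are scanned; with no arguments a set of assumed common locations is used.

# Print "<file>:<kind>:<value>" for each auto_prepend_file directive in FILE.
#   admin  php_admin_value[...]  locked: .user.ini and ini_set() cannot change it
#   value  php_value[...]        pool default that .user.ini may still override
#   ini    bare php.ini line     global default that .user.ini may override
scan_prepend_directives() {
    conf="$1"
    [ -r "$conf" ] || return 0
    # drop ';' comments first so commented-out lines do not count
    sed -e 's/;.*$//' "$conf" | grep -i 'auto_prepend_file' |
    while IFS= read -r line; do
        value=$(printf '%s' "$line" | sed -e 's/^[^=]*=//' \
                    -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        case "$line" in
            *php_admin_value*) kind=admin ;;
            *php_value*)       kind=value ;;
            *)                 kind=ini ;;
        esac
        printf '%s:%s:%s\n' "$conf" "$kind" "$value"
    done
}

# True (exit 0) when any FILE locks auto_prepend_file with php_admin_value.
# In that case .user.ini is silently ignored for this setting and the fix
# belongs in the pool file itself: either remove the line or give it the
# full path of wordfence-waf.php.
prepend_is_locked() {
    for f in "$@"; do
        scan_prepend_directives "$f"
    done | grep -q ':admin:'
}

# Stand-alone run: scan the given files, or the assumed usual locations.
if [ "$#" -eq 0 ]; then
    set -- /etc/php.ini /etc/php-fpm.conf /etc/php-fpm.d/*.conf \
           /etc/php/*/fpm/php.ini /etc/php/*/fpm/pool.d/*.conf
fi
for f in "$@"; do scan_prepend_directives "$f"; done
if prepend_is_locked "$@"; then
    echo "auto_prepend_file is locked by php_admin_value; .user.ini cannot set it"
else
    echo "no php_admin_value lock on auto_prepend_file found"
fi
```

Run it as the user that can read the pool directory; a `:admin:` line in the output is the blocker Peter describes, while a `:value:` or `:ini:` line only tells you where the current default comes from.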
    Thread Starter caseybea

    (@caseybea)

    I don’t have the prepend set in EITHER php.ini or the php-fpm pool. It’s a fairly simplistic setup.

    And oddly enough, accessing a phpinfo (via web browser) I plopped in the wordpress directory DOES show the auto prepend file correct, yet the internal WAF diagnostics do not.

I will poke around and try to figure out why the prepend from .user.ini is not working. At least I can see the diagnostics from “within” wordfence, which may help.

I’ll keep you posted.

    Plugin Support wfpeter

    (@wfpeter)

    Thanks @caseybea,

    I just spotted in the diagnostics that your pool file is located at /etc/php-fpm.d/www.conf

    I will keep the ticket open and will be happy to assist further should you need to pick this up again with us.

    Peter.

    Good morning to everyone.

I have exactly the same problem, but I can’t check all the files you have mentioned because of my hosting service.

    I have sent my diagnostic report.

    Can you help me please?

    Thank you very much.

    Gabriele

    Plugin Support wfpeter

    (@wfpeter)

    Hi @skullman01,

    As per the Forum Guidelines we will need you to create a topic of your own so that we can efficiently help with your specific problem and provide a clear answer.

    Once you have done this, I will be able to find your diagnostic report and we can take a look.

    Thanks,

    Peter.

    Done.

    Thank you @wfpeter.

    Gabriele

    Thread Starter caseybea

    (@caseybea)

    OK, I am honestly stuck here.

    Per the wordfence packed-up (export or email) diagnostics, I see that no, the auto_prepend is not there. BUT: If I look at my system config this way: Wordfence.. Tools… Diagnostics… Other Tests… “Click to see your system’s configuration”, I get a phpinfo display that **DOES** show the prepend correctly.
(here’s the line copied from the display)
    auto_prepend_file /rgd/wordpress/wordfence-waf.php no value

I am enclosing both my php.ini and www.conf files and you’ll see I do not have the prepend set or overridden here.

    I welcome any ideas…..

    PHP.INI (with comment lines removed)
    ===================================
    [PHP]
    short_open_tag = Off
user_ini.filename = ".user.ini"
    engine = On
    short_open_tag = Off
    asp_tags = Off
    precision = 14
    output_buffering = 4096
    zlib.output_compression = Off
    implicit_flush = Off
    unserialize_callback_func =
    serialize_precision = 100
    disable_functions =
    disable_classes =
    zend.enable_gc = On
    expose_php = On
    max_execution_time = 30
    max_input_time = 60
    memory_limit = 128M
    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
    display_errors = Off
    display_startup_errors = Off
    log_errors = On
    log_errors_max_len = 1024
    ignore_repeated_errors = Off
    ignore_repeated_source = Off
    report_memleaks = On
    track_errors = Off
    html_errors = Off
variables_order = "GPCS"
request_order = "GP"
    register_argc_argv = Off
    auto_globals_jit = On
    post_max_size = 100M
    auto_append_file =
default_mimetype = "text/html"
    doc_root =
    user_dir =
    enable_dl = Off
    file_uploads = On
    upload_max_filesize = 100M
    max_file_uploads = 20
    allow_url_fopen = On
    allow_url_include = Off
    default_socket_timeout = 60
    extension=oci8.so
    [CLI Server]
    cli_server.color = On
    [Date]
    date.timezone = America/Chicago
    [filter]
    [iconv]
    [intl]
    [sqlite]
    [sqlite3]
    [Pcre]
    [Pdo]
    [Pdo_mysql]
    pdo_mysql.cache_size = 2000
    pdo_mysql.default_socket=
    [Phar]
    [mail function]
    SMTP = localhost
    smtp_port = 25
    sendmail_path = /usr/sbin/sendmail -t -i
    mail.add_x_header = On
    [SQL]
    sql.safe_mode = Off
    [ODBC]
    odbc.allow_persistent = On
    odbc.check_persistent = On
    odbc.max_persistent = -1
    odbc.max_links = -1
    odbc.defaultlrl = 4096
    odbc.defaultbinmode = 1
    [Interbase]
    ibase.allow_persistent = 1
    ibase.max_persistent = -1
    ibase.max_links = -1
ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
ibase.dateformat = "%Y-%m-%d"
ibase.timeformat = "%H:%M:%S"
    [MySQL]
    mysql.allow_local_infile = On
    mysql.allow_persistent = On
    mysql.cache_size = 2000
    mysql.max_persistent = -1
    mysql.max_links = -1
    mysql.default_port =
    mysql.default_socket =
    mysql.default_host =
    mysql.default_user =
    mysql.default_password =
    mysql.connect_timeout = 60
    mysql.trace_mode = Off
    [MySQLi]
    mysqli.max_persistent = -1
    mysqli.allow_persistent = On
    mysqli.max_links = -1
    mysqli.cache_size = 2000
    mysqli.default_port = 3306
    mysqli.default_socket =
    mysqli.default_host =
    mysqli.default_user =
    mysqli.default_pw =
    mysqli.reconnect = Off
    [mysqlnd]
    mysqlnd.collect_statistics = On
    mysqlnd.collect_memory_statistics = Off
    [OCI8]
    [PostgreSQL]
    pgsql.allow_persistent = On
    pgsql.auto_reset_persistent = Off
    pgsql.max_persistent = -1
    pgsql.max_links = -1
    pgsql.ignore_notice = 0
    pgsql.log_notice = 0
    [Sybase-CT]
    sybct.allow_persistent = On
    sybct.max_persistent = -1
    sybct.max_links = -1
    sybct.min_server_severity = 10
    sybct.min_client_severity = 10
    [bcmath]
    bcmath.scale = 0
    [browscap]
    [Session]
    session.save_handler = files
    session.use_cookies = 1
    session.use_only_cookies = 1
    session.name = PHPSESSID
    session.auto_start = 0
    session.cookie_lifetime = 0
    session.cookie_path = /
    session.cookie_domain =
    session.cookie_httponly =
    session.serialize_handler = php
    session.gc_probability = 1
    session.gc_divisor = 1000
    session.gc_maxlifetime = 1440
    session.bug_compat_42 = Off
    session.bug_compat_warn = Off
    session.referer_check =
    session.cache_limiter = nocache
    session.cache_expire = 180
    session.use_trans_sid = 0
    session.hash_function = 0
    session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
    [MSSQL]
    mssql.allow_persistent = On
    mssql.max_persistent = -1
    mssql.max_links = -1
    mssql.min_error_severity = 10
    mssql.min_message_severity = 10
    mssql.compatability_mode = Off
    mssql.secure_connection = Off
    [Assertion]
    [mbstring]
    [gd]
    [exif]
    [Tidy]
    tidy.clean_output = Off
    [soap]
    soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
    soap.wsdl_cache_ttl=86400
    soap.wsdl_cache_limit = 5
    [sysvshm]
    [ldap]
    ldap.max_links = -1
    [mcrypt]
    [dba]

www.conf (with comment lines removed)
    [www]
    user = apache
    group = apache
    listen = /run/php-fpm/www.sock
    listen.acl_users = apache
    listen.allowed_clients = 127.0.0.1
    pm = dynamic
    pm.max_children = 50
    pm.start_servers = 5
    pm.min_spare_servers = 5
    pm.max_spare_servers = 35
    slowlog = /var/log/php-fpm/www-slow.log
    php_admin_flag[log_errors] = on
    php_value[session.save_handler] = files
    php_value[session.save_path] = /var/lib/php/session
    php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache

    Thread Starter caseybea

    (@caseybea)

    (note it’s just “www.conf” without any http— the forum editor did that)

    Plugin Support wfpeter

    (@wfpeter)

    Hi @caseybea, thanks for giving us the extra information.

    We can see that the DOCUMENT_ROOT and SCRIPT_FILENAME in the diagnostics you sent use two different paths. I won’t re-paste the paths themselves here for security purposes.

    PHP searches for .user.ini from the current directory up to DOCUMENT_ROOT, but if the current directory isn’t in the document root, it won’t find the .user.ini unless it’s in the current directory.

    Give that a try and let me know how you get on.

    Thanks,

    Peter.

    • This reply was modified 4 years, 4 months ago by wfpeter.
    Thread Starter caseybea

    (@caseybea)

    The apache document root and the wordpress roots are different.

    I am editing the following with slightly changed names here:

    from the diagnostics I see:

$_SERVER['SCRIPT_FILENAME'] /mysite/wordpress/wp-admin/admin-ajax.php
$_SERVER['SERVER_ADMIN'] root@localhost
$_SERVER['CONTEXT_DOCUMENT_ROOT'] /mysite/wordpress
$_SERVER['CONTEXT_PREFIX'] /wordpresshome
$_SERVER['REQUEST_SCHEME'] https
$_SERVER['DOCUMENT_ROOT'] /mysite/www

    In our case, “/mysite/www” is indeed the APACHE document root, but all the wordpress stuff lives in: “/mysite/wordpress”. The wordpress stuff is all accessed via https://mysite.com/wordpresshome/….

    The CONTEXT ROOT is correct.

    Is there a way I can force php to look elsewhere than the “DOCUMENT_ROOT” ?

    Thread Starter caseybea

    (@caseybea)

Also, I would like to revisit the question I mentioned before: the other wordfence diagnostic DOES show the auto_prepend working (which means the .user.ini was read).

    So, it feels like to me that wordfence’s environment behavior is a bit inconsistent, depending on what script is running.

    THIS wordfence diagnostic
    shows the auto_prepend is ok:
    wordfence… tools… diagnostics… other tests… SHOW SYSTEM INFO)

    Yet, this wordfence diagnostic shows it’s not working:
    wordfence… tools… diagnostics… EXPORT (or email)

    So why does one work, and the other does not?

This seems to be totally inconsistent…..

    • This reply was modified 4 years, 4 months ago by caseybea.
    Plugin Support wfpeter

    (@wfpeter)

    Hi @caseybea,

    With the inconsistencies of the reports:

• Viewing the “Show system info” link in a browser goes to a URL with the path /?_wfsf=sysinfo&nonce=3d6c7501d5 which is run by the WordPress index.php, so the script is running in the same directory where the current .user.ini is located, and it doesn’t need to search up the directory tree to DOCUMENT_ROOT.
    • Sending & exporting the diagnostics report is done via /wp-admin/admin-ajax.php, and because of the current issue, the .user.ini in the root is not found.

    With PHP’s DOCUMENT_ROOT:

    You can use php.ini to change where PHP looks, but by default it will not look to CONTEXT_DOCUMENT_ROOT until version 8 by the looks of their release documentation. Wordfence’s UI does not have the ability to change this, and the file will have to be edited manually.

The help pages that we pointed to before may not have exact steps for this case, but they contain some good examples where you can have different values apply to different hosts in the same php.ini.

    https://www.wordfence.com/help/firewall/optimizing-the-firewall/

    https://www.wordfence.com/help/firewall/optimizing-the-firewall/troubleshooting/

    The latter includes example lines like [HOST=host1.example.com]

    Thanks,

    Peter.

    Thread Starter caseybea

    (@caseybea)

    Is there a directory that I can place an additional .user.ini (or a link) that wordfence WILL see in my case? ie, in /wp-admin or…?

    ========================

    EDIT: Taking a shot in the dark, in /wp-admin I created a soft link to the full real path to the .user.ini.

    Wordfence now recognizes the enhanced protection and it seems that works.

    • This reply was modified 4 years, 4 months ago by caseybea.
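The lookup rule Peter states above (why index.php sees the .user.ini and admin-ajax.php does not) and the symlink workaround caseybea ended with are modelled in the following added POSIX shell example, which is not Wordfence's code and was not posted in the thread. It follows the PHP manual's description of .user.ini handling for the CGI/FastCGI SAPI: PHP scans each directory from the requested script's directory up to $_SERVER['DOCUMENT_ROOT'], and if the script is outside the document root only its own directory is scanned. The /mysite/... layout is the renamed one caseybea gave; the temporary tree that demo() builds is constructed for this example.

```sh
#!/bin/sh
# Added example, not code from Wordfence or the thread: model which .user.ini
# files PHP (CGI/FastCGI) reads for a request, then reproduce the thread's
# layout (script tree outside DOCUMENT_ROOT) before and after the symlink fix.

# Print the directories PHP scans for .user.ini, script directory first.
user_ini_scan_dirs() {
    script_dir="$1"
    doc_root="${2%/}"          # tolerate a trailing slash in DOCUMENT_ROOT
    case "$script_dir" in
        "$doc_root"|"$doc_root"/*)
            # inside the document root: walk up to and including DOCUMENT_ROOT
            d="$script_dir"
            while :; do
                printf '%s\n' "$d"
                [ "$d" = "$doc_root" ] && break
                d=$(dirname "$d")
            done
            ;;
        *)
            # outside the document root: only the script's own directory
            printf '%s\n' "$script_dir"
            ;;
    esac
}

# Print every .user.ini the scan finds (a symlink to one counts, as -f follows it).
user_ini_found() {
    user_ini_scan_dirs "$1" "$2" | while IFS= read -r d; do
        if [ -f "$d/.user.ini" ]; then
            printf '%s\n' "$d/.user.ini"
        fi
    done
}

# report LABEL SCRIPT_DIR DOCUMENT_ROOT: one line per request type.
report() {
    printf '%s -> ' "$1"
    found=$(user_ini_found "$2" "$3")
    printf '%s\n' "${found:-(none: auto_prepend_file not applied)}"
}

# Rebuild the thread's layout in a temp dir: Apache serves /mysite/www, but
# WordPress lives in /mysite/wordpress with its .user.ini in that directory.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/mysite/www" "$root/mysite/wordpress/wp-admin"
    printf 'auto_prepend_file = %s/mysite/wordpress/wordfence-waf.php\n' "$root" \
        > "$root/mysite/wordpress/.user.ini"
    doc_root="$root/mysite/www"
    report "index.php (sysinfo diagnostic)    " "$root/mysite/wordpress" "$doc_root"
    report "wp-admin/admin-ajax.php (export)  " "$root/mysite/wordpress/wp-admin" "$doc_root"
    # caseybea's workaround: link the real .user.ini into wp-admin
    ln -s "$root/mysite/wordpress/.user.ini" "$root/mysite/wordpress/wp-admin/.user.ini"
    report "wp-admin/admin-ajax.php + symlink " "$root/mysite/wordpress/wp-admin" "$doc_root"
    rm -rf "$root"
}

demo
```

Two caveats worth knowing when testing this on a real host: PHP caches the result of the .user.ini scan for user_ini.cache_ttl seconds (300 by default), so a newly created file or link can take up to five minutes to show up in a diagnostic; and .user.ini is only read by the CGI/FastCGI SAPI, which is why the .htaccess route worked under the Apache PHP handler before the migration. The php.ini-side alternative Peter points at is a [HOST=...] or [PATH=...] section in php.ini that sets auto_prepend_file for that host or directory without relying on the scan at all.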
  • The topic ‘Cannot activate (“optimize”) Wordfence Firewall with php-fpm/FastCGI enabled’ is closed to new replies.