pfSense

#!/bin/sh

#

# rc.php_ini_setup

#

# part of pfSense (https://www.pfsense.org)

# Copyright (c) 2014-2016 Rubicon Communications, LLC (Netgate)

# All rights reserved.

#

# Redistribution and use in source and binary forms, with or without

# modification, are permitted provided that the following conditions are met:

#

# 1. Redistributions of source code must retain the above copyright notice,

#    this list of conditions and the following disclaimer.

#

# 2. Redistributions in binary form must reproduce the above copyright

#    notice, this list of conditions and the following disclaimer in

#    the documentation and/or other materials provided with the

#    distribution.

#

# 3. All advertising materials mentioning features or use of this software

#    must display the following acknowledgment:

#    "This product includes software developed by the pfSense Project

#    for use in the pfSense® software distribution. (http://www.pfsense.org/).

#

# 4. The names "pfSense" and "pfSense Project" must not be used to

#    endorse or promote products derived from this software without

#    prior written permission. For written permission, please contact

#    coreteam@pfsense.org.

#

# 5. Products derived from this software may not be called "pfSense"

#    nor may "pfSense" appear in their names without prior written

#    permission of the Electric Sheep Fencing, LLC.

#

# 6. Redistributions of any form whatsoever must retain the following

#    acknowledgment:

#

# "This product includes software developed by the pfSense Project

# for use in the pfSense software distribution (http://www.pfsense.org/).

#

# THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY

# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR

# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

# OF THE POSSIBILITY OF SUCH DAMAGE.

#

# Set our operating platform

PLATFORM=`/bin/cat /etc/platform`

VERSION=`/bin/cat /etc/version`

MIN_REALMEM_FOR_OPCACHE=512

EXTENSIONSDIR="/usr/local/lib/php/20131226/"

# Grab amount of memory that is detected

if [ -f /var/log/dmesg.boot ]; then

	AVAILMEM=`/bin/cat /var/log/dmesg.boot |/usr/bin/awk '/avail memory/ { memory=($4 / 1048576); printf("%0.0f\n", memory); exit}'`

else

	AVAILMEM=`/sbin/dmesg -a |/usr/bin/awk '/avail memory/ { memory=($4 / 1048576); printf("%0.0f\n", memory); exit}'`

fi

if [ -z "$AVAILMEM" ]; then

	MEM=`/sbin/sysctl hw.physmem | cut -d':' -f2`

	AVAILMEM=`/bin/expr $MEM / 1048576`

fi

# Get amount of ram installed on this system

REALMEM=`/sbin/sysctl hw.realmem | /usr/bin/awk '{print $2/1048576}' | /usr/bin/awk -F '.' '{print $1}'`

export REALMEM

export LOWMEM

if [  ${REALMEM} -lt $MIN_REALMEM_FOR_OPCACHE ]; then

	LOWMEM="TRUE"

	echo ">>> Under $MIN_REALMEM_FOR_OPCACHE megabytes of ram detected.  Not enabling opcache"

	echo ">>> Under $MIN_REALMEM_FOR_OPCACHE megabytes of ram detected.  Not enabling opcache" | /usr/bin/logger -p daemon.info -i -t rc.php_ini_setup

else

	# Calculate opcache memory size according

	# to detected memory values

	if [ "$AVAILMEM" -gt "135" ]; then

		OPCACHEMEMSIZE="10"

	fi

	if [ "$AVAILMEM" -gt "256" ]; then

		OPCACHEMEMSIZE="20"

	fi

	if [ "$AVAILMEM" -gt "384" ]; then

		OPCACHEMEMSIZE="25"

	fi

	if [ "$AVAILMEM" -gt "512" ]; then

		OPCACHEMEMSIZE="30"

	fi

	if [ "$AVAILMEM" -gt "784" ]; then

		OPCACHEMEMSIZE="50"

	fi

fi

# Set upload directory

if [ "$PLATFORM" = "nanobsd" ]; then

	UPLOADTMPDIR=$(/usr/local/sbin/read_global_var upload_path "/root")

else

	UPLOADTMPDIR="/tmp"

fi

# Define php modules.  Do not add .so, it will

# be done automatically by the script below.

PHPMODULES="standard"

# Config read/write

PHPMODULES="$PHPMODULES xml libxml dom"

PHPMODULES="$PHPMODULES SimpleXML xmlreader xmlwriter"

# Downloading via HTTP/FTP (pkg mgr, etc)

PHPMODULES="$PHPMODULES curl date"

# Internationalization

PHPMODULES="$PHPMODULES gettext"

# User manager

PHPMODULES="$PHPMODULES ldap openssl pcntl"

PHPMODULES="$PHPMODULES hash"

PHPMODULES="$PHPMODULES mcrypt"

# Regexs, PERL style!

PHPMODULES="$PHPMODULES pcre"

# The mighty posix!

PHPMODULES="$PHPMODULES posix"

PHPMODULES="$PHPMODULES readline"

# Login sessions

PHPMODULES="$PHPMODULES session"

# Extra sanity seatbelts

PHPMODULES="$PHPMODULES suhosin"

# Firewall rules edit

PHPMODULES="$PHPMODULES ctype"

# firewall_rules_edit.php

PHPMODULES="$PHPMODULES mbstring"

# Synchronization primitives

PHPMODULES="$PHPMODULES shmop"

# Page compression

PHPMODULES="$PHPMODULES zlib"

# SQLlite & Database

PHPMODULES="$PHPMODULES spl"

PHPMODULES="$PHPMODULES PDO"

PHPMODULES="$PHPMODULES sqlite3"

# RADIUS

PHPMODULES="$PHPMODULES radius"

# ZeroMQ

PHPMODULES="$PHPMODULES zmq"

# SSH2

PHPMODULES="$PHPMODULES ssh2"

# pfSense extensions

PHPMODULES="$PHPMODULES pfSense"

# json

PHPMODULES="$PHPMODULES json"

# bcmath

PHPMODULES="$PHPMODULES bcmath"

# filter

PHPMODULES="$PHPMODULES filter"

# rrd

PHPMODULES="$PHPMODULES rrd"

PHP_ZEND_MODULES=""

# Modules previously included.

# can be turned on by touching

# /etc/php_dynamodules/$modulename

#	sysvmsg \

#	sysvsem \

#	sysvshm \

#	bcmath \

#	tokenizer \

#	uploadprogress \

#	sockets \

#	Reflection \

#	mysql \

#	bz2	\

# Clear the .ini file to make sure we are clean

if [ -f /usr/local/etc/php.ini ]; then

	/bin/rm /usr/local/etc/php.ini

fi

LOADED_MODULES=`/usr/local/bin/php-cgi -m | /usr/bin/grep -v "\["`

unset TIMEZONE

# Fetch the timezone from /var/db/zoneinfo if present

if [ -f /var/db/zoneinfo ]; then

	TIMEZONE=$(cat /var/db/zoneinfo)

fi

if [ -z "${TIMEZONE}" ]; then

	# Second option is from config.xml

	TIMEZONE=$(/usr/local/sbin/read_xml_tag.sh string system/timezone)

fi

if [ -z "${TIMEZONE}" ]; then

	# Last option, use default value from $g or Etc/UTC

	TIMEZONE=$(/usr/local/sbin/read_global_var default_timezone "Etc/UTC")

fi

if echo "${VERSION}" | grep -q RELEASE; then

	error_reporting="error_reporting = E_ERROR | E_PARSE"

else

	error_reporting=""

fi

# Get a loaded module list in the stock php

# Populate a dummy php.ini to avoid

# the file being clobbered and the firewall

# not being able to boot back up.

/bin/cat >/usr/local/etc/php.ini <<EOF

; File generated from /etc/rc.php_ini_setup

output_buffering = "0"

expose_php = Off

implicit_flush = true

magic_quotes_gpc = Off

max_execution_time = 900

request_terminate_timeout = 900

max_input_time = 1800

max_input_vars = 5000

register_argc_argv = On

register_long_arrays = Off

variables_order = "GPCS"

file_uploads = On

upload_tmp_dir = ${UPLOADTMPDIR}

upload_max_filesize = 200M

post_max_size = 200M

html_errors = Off

zlib.output_compression = Off

zlib.output_compression_level = 1

include_path = ".:/etc/inc:/usr/local/www:/usr/local/captiveportal:/usr/local/pkg:/usr/local/www/classes:/usr/local/www/classes/Form"

display_startup_errors=on

display_errors=on

log_errors=on

error_log=/tmp/PHP_errors.log

extension_dir=${EXTENSIONSDIR}

date.timezone="${TIMEZONE}"

session.hash_bits_per_character = 5

session.hash_function = 1

${error_reporting}

; Extensions

EOF

# Loop through and generate modules to load.

# Take into account modules built into php.

for EXT in $PHPMODULES; do

	SHOULDADD="true"

	# Check to see if module is compiled into php statically

	for LM in $LOADED_MODULES; do

		if [ "$EXT" = "$LM" ]; then

			SHOULDADD="false"

		fi

	done

	if [ "$SHOULDADD" = "true" ]; then

		# Ensure extension exists before adding.

		if [ -f "${EXTENSIONSDIR}${EXT}.so" ]; then

			echo "extension=${EXT}.so" >> /usr/local/etc/php.ini

		fi

	fi

done

# Zend modules

for EXT in $PHP_ZEND_MODULES; do

	# Ensure extension exists before adding.

	if [ -f "${EXTENSIONSDIR}${EXT}.so" ]; then

		echo "zend_extension=${EXT}.so" >> /usr/local/etc/php.ini

	fi

done

if [ "$LOWMEM" != "TRUE" ]; then

	/bin/cat >>/usr/local/etc/php.ini <<EOF

; opcache Settings

opcache.enabled="1"

opcache.enable_cli="0"

opcache.memory_consumption="${OPCACHEMEMSIZE}"

EOF

else

	/bin/cat >>/usr/local/etc/php.ini <<EOF

; opcache Settings

opcache.enabled="0"

EOF

fi

	/bin/cat >>/usr/local/etc/php.ini <<EOF

[suhosin]

suhosin.get.max_array_index_length = 256

suhosin.get.max_vars = 5000

suhosin.get.max_value_length = 500000

suhosin.post.max_array_index_length = 256

suhosin.post.max_vars = 5000

suhosin.post.max_value_length = 500000

suhosin.request.max_array_index_length = 256

suhosin.request.max_vars = 5000

suhosin.request.max_value_length = 500000

suhosin.memory_limit = 805306368

EOF

PHPFPMMAX=3

if [ $REALMEM -lt 250 ]; then

	PHPFPMMAX=2

elif [ ${REALMEM} -gt 1000 ]; then

	PHPFPMMAX=4

fi

/bin/cat > /usr/local/lib/php-fpm.conf <<EOF

[global]

pid = run/php-fpm.pid

error_log=syslog

syslog.facility = daemon

syslog.ident = system

log_level = error

daemonize = yes

events.mechanism = kqueue

process.max = ${PHPFPMMAX}

[nginx]

user = root

group = wheel

;mode = 0600

listen = /var/run/php-fpm.socket

listen.owner = root

listen.group = wheel

listen.mode = 0600

security.limit_extensions =

; Pass environment variables

env[PATH] = /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

env[LOGNAME] = root

EOF

if [ $REALMEM -lt 350 ]; then

	/bin/cat >> /usr/local/lib/php-fpm.conf <<EOF

pm = ondemand

pm.process_idle_timeout = 5

pm.max_children = $PHPFPMMAX

pm.max_requests = 500

EOF

elif [ $REALMEM -gt 1000 ]; then

	/bin/cat >> /usr/local/lib/php-fpm.conf <<EOF

pm = dynamic

pm.process_idle_timeout = 5

pm.max_children = $PHPFPMMAX

pm.start_servers = 1

pm.max_requests = 500

pm.min_spare_servers=1

pm.max_spare_servers=1

EOF

else

	/bin/cat >> /usr/local/lib/php-fpm.conf <<EOF

pm = static

pm.max_children = $PHPFPMMAX

pm.max_requests = 500

EOF

fi

# Remove old log file if it exists.

if [ -f /var/run/php_modules_load_errors.txt ]; then

	/bin/rm /var/run/php_modules_load_errors.txt

fi

for EXT in $PHPMODULES; do

	PHPMODULESLC="$PHPMODULESLC `echo "$EXT" | /usr/bin/tr '[:upper:]' '[:lower:]'`"

done

# Check loaded modules and remove anything that did not load correctly

LOADED_MODULES=`/usr/local/bin/php-cgi -m | /usr/bin/tr '[:upper:]' '[:lower:]' 2>/dev/null | /usr/bin/grep -v "\["`

for EXT in $PHPMODULESLC; do

	SHOULDREMOVE="true"

	for LM in $LOADED_MODULES; do

		if [ "$EXT" = "$LM" ]; then

			SHOULDREMOVE="false"

			break

		fi

	done

	# Handle low memory situations

	if [ "$LOWMEM" = "TRUE" ]; then

		if [ "$EXT" = "opcache" ]; then

			SHOULDREMOVE="true"

		fi

		if [ "$EXT" = "xcache" ]; then

			SHOULDREMOVE="true"

		fi

	fi

	if [ "$SHOULDREMOVE" = "true" ]; then

		if [ -f "${EXTENSIONSDIR}${EXT}.so" ]; then

			echo ">>> ${EXT} did not load correctly.  Removing from php.ini..." >> /var/run/php_modules_load_errors.txt

			/bin/cat /usr/local/etc/php.ini | /usr/bin/grep -v $EXT > /tmp/php.ini

			/bin/rm -f /usr/local/etc/php.ini

			/bin/mv /tmp/php.ini /usr/local/etc/php.ini

		fi

	fi

done