DietPi-Software | Lighttpd: Issue with multiple setenv.add-environment entries #2489

Closed
Borotes opened this issue Feb 2, 2019 · 10 comments
Labels
External bug 🐞 For bugs which are not caused by DietPi. Solution available 🥂 Definite solution has been done


Borotes commented Feb 2, 2019

  • DietPi-Software | ownCloud/Nextcloud: Updated webserver configs to match current recommendations and security hardenings. Only applied on new installs. To apply manually, run "dietpi-software reinstall 47" (owncloud) or "dietpi-software reinstall 114" (Nextcloud). You will be informed about the new configs, which then need to be manually moved to overwrite the old ones, since we don't want to mess with manual changes: https://github.com/Fourdee/DietPi/pull/2361

I did a new install to fix some issues, but still getting this error message: https://i.imgur.com/0HGgkaT.png

Is there a possibility to fix it myself?

@MichaIng MichaIng changed the title PHP OPcache is still not configured correctly in v6.20 DietPi-Software | Nextcloud: PHP OPcache is still not configured correctly in v6.20 Feb 4, 2019
Owner

MichaIng commented Feb 4, 2019

@Borotes
Thanks for your report.

Can you paste the output of:

cat /etc/php/7.0/mods-available/opcache.ini
php -m
cat /etc/apache2/sites-enabled/dietpi-nextcloud.conf

Author

Borotes commented Feb 4, 2019

Hi, here you are 😊

root@DietPi:~# cat /etc/php/7.0/mods-available/opcache.ini
; configuration for php opcache module
; priority=10
zend_extension=opcache.so
opcache.enable=1
opcache.memory_consumption=32
opcache.revalidate_freq=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.save_comments=1

root@DietPi:~# php -m
[PHP Modules]
apcu
calendar
Core
ctype
curl
date
dom
exif
fileinfo
filter
ftp
gd
gettext
hash
iconv
igbinary
intl
json
libxml
mbstring
mcrypt
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
Phar
posix
readline
redis
Reflection
session
shmop
SimpleXML
sockets
SPL
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
xsl
Zend OPcache
zip
zlib

[Zend Modules]
Zend OPcache

root@DietPi:~# cat /etc/apache2/sites-enabled/dietpi-nextcloud.conf
cat: /etc/apache2/sites-enabled/dietpi-nextcloud.conf: No such file or directory

Owner

MichaIng commented Feb 4, 2019

@Borotes
Ah sorry which webserver do you use? Was accidentally expecting Apache2.
And are you on DietPi v6.20?

Author

Borotes commented Feb 4, 2019

I have clean installed v6.20 and selected only Nextcloud and Certbot.

I didn't change anything to the config. I think Lighttpd is the webserver.

Owner

MichaIng commented Feb 4, 2019

Okay yes then it's Lighttpd.

Looks like the related Lighttpd configs were not enabled.

Please check: ls -l /etc/lighttpd/conf-available
It should contain two configs, 99-dietpi-nextcloud.conf and 99-dietpi-dav_redirect.conf.
Then check: ls -l /etc/lighttpd/conf-enabled
It should contain the same two files (symlinks) without leading 99-.

If this is not the case, do:

lighttpd-enable-mod dietpi-dav_redirect
lighttpd-enable-mod dietpi-nextcloud
systemctl reload lighttpd

to enable them.

Report back if you face any error messages.

I will also test a fresh install later.

Author

Borotes commented Feb 4, 2019

It says:

root@DietPi:~# lighttpd-enable-mod dietpi-dav_redirect
already enabled
Run "service lighttpd force-reload" to enable changes
root@DietPi:~# lighttpd-enable-mod dietpi-nextcloud
already enabled
Run "service lighttpd force-reload" to enable changes

But the 99 in conf-enabled is there:

[Screenshot: putty_gkqzijuk0u]

Owner

MichaIng commented Feb 5, 2019

@Borotes
Hmm so all looks like intended.

I will test myself. Perhaps there is an incompatibility with HTTPS rewrites and the location checks inside the configs.


🈯️ Fresh install without HTTPS
🈴 After enabling HTTPS

  • OPcache warnings show up on admin panel

Bug verified


Security headers and access denial to data/config/... dirs + .htaccess/... files is active, so the location directive is entered.
Minor warning about unknown dir-listing.active directive shows up, so the config is loaded.
EDIT: Requires mod_dirlisting: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModDirlisting Even with module enabled, dir listing is disabled by default, but can be enabled globally. We just leave that directive inside. It will be ignored, if module not enabled and otherwise assures that dir listing is always disabled within ownCloud/Nextcloud directories.
Seems only setenv.add-environment += ( "PHP_ADMIN_VALUE" => "opcache.memory_consumption=128" ) is not set.

lighttpd -pf /etc/lighttpd/lighttpd.conf shows the block is parsed successfully. I tried to switch all header/environment directives from = to += and the other way round in case something is overwritten, but no success. All is parsed to = anyway, so += seems to be obsolete.

No error logs from webserver or browser, no lighttpd -t syntax error.


🈯️ Adding opcache.memory_consumption=128 directly to /etc/php/7.0/mods-available/opcache.ini works, so it is indeed an incompatibility with any of the SSL related settings and setenv.add-environment += ( "PHP_ADMIN_VALUE" => "opcache.memory_consumption=128" ).
🈯️ Commenting setenv.add-environment += ( "HTTPS" => "on", ) in /etc/lighttpd/conf-enabled/letsencrypt.conf works as well. So having two setenv.add-environment in different blocks seems to break each other. Commas and =/+= have no influence.

🈯️ Having both in the same config file+conditional directive works:

setenv.add-environment += ( "HTTPS" => "on", )
setenv.add-environment += ( "PHP_ADMIN_VALUE" => "opcache.memory_consumption=128", )

🈴 Having one in the same file but different conditional directive leads to this one being ignored, e.g. the following leads to admin panel warning:

$HTTP["url"] =~ "^/nextcloud($|/)" {

        setenv.add-environment += ( "PHP_ADMIN_VALUE" => "opcache.memory_consumption=128" )

}

# Based on: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=lighttpd-1.4.35&openssl=1.0.1t&hsts=yes&profile=intermediate
$SERVER["socket"] == ":443" {
        protocol     = "https://"
        ssl.engine   = "enable"
        ssl.disable-client-renegotiation = "enable"

        # pemfile is cert+privkey, ca-file is the intermediate chain in one file
        ssl.pemfile               = "/etc/letsencrypt/live/my.domain.org/combined.pem"
        ssl.ca-file               = "/etc/letsencrypt/live/my.domain.org/fullchain.pem"

        # for DH/DHE ciphers, dhparam should be >= 2048-bit
        #ssl.dh-file               = "/path/to/dhparam.pem"
        # ECDH/ECDHE ciphers curve strength (see 'openssl ecparam -list_curves')
        ssl.ec-curve              = "secp384r1"
        # Compression is by default off at compile-time, but use if needed
        # ssl.use-compression     = "disable"

        # Environment flag for HTTPS enabled
        setenv.add-environment += ( "HTTPS" => "on" )

        # intermediate configuration, tweak to your needs
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.honor-cipher-order    = "enable"
        ssl.cipher-list           = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256$
}

🈴 Interesting, the following throws an error on Lighttpd restart, so += is required when having both directives in one config file, but not when having them in separate ones 🤔.

setenv.add-environment = ( "HTTPS" => "on", )
setenv.add-environment = ( "PHP_ADMIN_VALUE" => "opcache.memory_consumption=128", )

Bug or intended? Can't find something about it, but setenv.add-environment is not set and even the variable is a different one, so at least it is not intuitive that two separate directives of those override each other.


  • Test on Buster, e.g. if indeed bug and resolved

@MichaIng MichaIng added this to the v6.21 milestone Feb 5, 2019
@Fourdee Fourdee modified the milestones: v6.21, v6.22 Feb 7, 2019
Owner

MichaIng commented Mar 9, 2019

On Buster it's the same. I mark this as external bug and forward it to Lighttpd devs.

I am not yet sure about the best workaround on our side. We want both env vars but in separate config files and there seems to be currently no way to achieve this. Only thinkable is to add the OPcache setting directly to the opcache.ini. But to keep it simple we should then do this perhaps for all Nextcloud installs and skip the webserver directive completely?

However, it is not urgent, just a warning in Nextcloud panel that is actually about a totally out of range value. Whole Nextcloud loaded into OPcache takes ~30M, default OPcache size is 64M, so already more than enough. There are simply not more PHP scripts that can be cached, so no point for 128M. No idea who/why chose to add this warning.

I delay this to v6.23 to wait for Lighttpd dev reply and have another think through if we want to allow 128M for OPcache server wide.

@MichaIng MichaIng modified the milestones: v6.22, v6.23 Mar 9, 2019
@MichaIng MichaIng changed the title DietPi-Software | Nextcloud: PHP OPcache is still not configured correctly in v6.20 DietPi-Software | Lighttpd: Issue with multiple setenv.add-environment entries Apr 22, 2019
@MichaIng MichaIng added External bug 🐞 For bugs which are not caused by DietPi. and removed Bug 🐞 labels Apr 22, 2019
@MichaIng
Owner

The behaviour is expected btw. and seems to be true for other directives as well: https://redmine.lighttpd.net/boards/2/topics/7684?r=7699#message-7699

That makes handling of Lighttpd settings much more complicated. I see no other viable way than creating a separate "environment" drop-in config and add/remove entries from there, similar to what we do in some cases with the modules toggle (although there multiple directives are possible).
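
The override behaviour confirmed in this thread can be checked for before a config is deployed. The following is an added example, not code from DietPi or Lighttpd: a small Python check that lists every directive assigned in more than one conditional scope. The sample config is constructed from the two blocks quoted earlier in the thread, and the parser assumes one directive per line, closing braces at the start of a line, and no `#` inside values.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two blocks quoted in the thread.
SAMPLE = '''
$HTTP["url"] =~ "^/nextcloud($|/)" {
        setenv.add-environment += ( "PHP_ADMIN_VALUE" => "opcache.memory_consumption=128" )
}
$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # Environment flag for HTTPS enabled
        setenv.add-environment += ( "HTTPS" => "on" )
}
'''

# A conditional opener such as: $HTTP["url"] =~ "..." {
COND = re.compile(r'^(?:else\s+)?(\$\w+\["[^"]*"\]\s*\S+\s*"[^"]*")\s*\{')
# A directive assignment such as: name = value  or  name += value
DIRECTIVE = re.compile(r'^([\w.-]+)\s*\+?=')

def scopes_per_directive(config_text):
    """Map each directive name to the conditional scopes that assign it."""
    stack, seen = [], defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # naive comment strip (assumes no '#' in values)
        if line.startswith('}'):              # leave the current conditional block
            if stack:
                stack.pop()
            line = line[1:].strip()
        cond = COND.match(line)
        if cond:                              # enter a (possibly nested) conditional block
            stack.append(' '.join(cond.group(1).split()))
            continue
        directive = DIRECTIVE.match(line)
        if directive:
            scope = ' / '.join(stack) or 'global'
            if scope not in seen[directive.group(1)]:
                seen[directive.group(1)].append(scope)
    return dict(seen)

def conflicts(config_text):
    """Directives assigned in more than one scope; these are candidates for
    one block's value replacing another's, as reported in this thread."""
    return {name: scopes for name, scopes in scopes_per_directive(config_text).items()
            if len(scopes) > 1}

if __name__ == "__main__":
    for name, scopes in conflicts(SAMPLE).items():
        print(f"{name} is set in {len(scopes)} scopes: {scopes}")
```

To check a real setup, pass the concatenated text of the enabled config files to `conflicts()`; a hit on `setenv.add-environment` means an entry such as `"HTTPS" => "on"` may not reach the application for every request.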

@MichaIng
Owner

Okay I validated an assumption I already had:

  • With Nextcloud we add a setting to the webserver configuration to set OPcache max memory consumption to 128, as of warning in Nextcloud admin panel about recommended OPcache settings.
  • The idea was to only do this for the Nextcloud web UI while leaving the default lower value for other websites.
  • But the intention does not work since once the Nextcloud page is opened once, the OPcache setting is applied to PHP server-wide. So from then on (until PHP restart) 128M is true for all other websites anyway.
  • So we can skip this webserver => PHP setting transfer and instead add the desired value to the PHP configuration directly.
  • So in case of Lighttpd no additional setenv.add-environment required anymore.

This solves this issue where multiple setenv.add-environment in different settings files or conditional statements just override each other, which especially is the case with HTTPS enabled where we need to set setenv.add-environment = ( "HTTPS" => "true" ).

Related commits:


3 participants