installing roundcube on nginx causes HTTP ERROR 500

Question

I am trying to run RoundCube on CentOS 7 using NGINX. the installation of Roundcube came via an automatic wizard during the installation of software package called iRedMail.

I am getting a 500 HTTP error on roundcube. The site will not come up. I've been able to tell that this is a problem with NGINX and ROUNDCUBE, but can't figure out what is going on. The logs go to var/log/maillog, however, even with all debug lines engaged, I can't get any errors to begin diagnosis.

Here's the settings I know of:

debug settings

<?php

// SQL DATABASE
$config['db_dsnw'] = 'mysqli://roundcube:63tidm76NovJHcIpIqsJaE59kAr7b3Mn@127.0.0.1:3306/roundcubemail';

// LOGGING
$config['log_driver'] = 'syslog';
$config['syslog_facility'] = LOG_MAIL;

// IMAP
$config['default_host'] = '127.0.0.1';
$config['default_port'] = 143;
$config['imap_auth_type'] = 'LOGIN';
$config['imap_delimiter'] = '/';
// Required if you're running PHP 5.6 or later
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'  => false,
        'verify_peer_name' => false,
    ),
);

// SMTP
$config['smtp_server'] = 'tls://127.0.0.1';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['smtp_auth_type'] = 'LOGIN';
// Required if you're running PHP 5.6 or later
$config['smtp_conn_options'] = array(
    'ssl' => array(
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ),
);

// Use user's identity as envelope sender for 'return receipt' responses,
// otherwise it will be rejected by iRedAPD plugin `reject_null_sender`.
$config['mdn_use_from'] = true;

// SYSTEM
$config['force_https'] = true;
$config['login_autocomplete'] = 2;
$config['ip_check'] = true;
$config['des_key'] = 'T594SUCMjhbPBU9JojkkzIpl';
$config['cipher_method'] = 'AES-256-CBC';
$config['useragent'] = 'Roundcube Webmail'; // Hide version number
//$config['username_domain'] = '<<domain>>.com';
$config['mime_types'] = '/etc/mime.types';
$config['max_message_size'] = '15M';

// USER INTERFACE
$config['create_default_folders'] = true;
$config['quota_zero_as_unlimited'] = true;
$config['spellcheck_engine'] = 'pspell';

// USER PREFERENCES
$config['default_charset'] = 'UTF-8';
//$config['addressbook_sort_col'] = 'name';
$config['draft_autosave'] = 60;
$config['default_list_mode'] = 'threads';
$config['autoexpand_threads'] = 2;
$config['check_all_folders'] = true;
$config['default_font_size'] = '12pt';
$config['message_show_email'] = true;
$config['layout'] = 'widescreen';   // three columns
//$config['skip_deleted'] = true;

// PLUGINS
$config['plugins'] = array('managesieve', 'password');

$config['session_debug'] = true; 
$config['sql_debug'] = true; 
$config['imap_debug'] = true; 
$config['ldap_debug'] = true; 
$config['smtp_debug'] = true;

Nginx SSL Setting

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name _;

    root /var/www/html;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    include /etc/nginx/templates/stub_status.tmpl;
}

Template

#
# Running Roundcube as a subfolder on an existing virtual host
#
# Block access to default directories and files under these directories
location ~ ^/mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { allow all; }

# Block access to default files under top-directory and files start with same name.
location ~ ^/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { allow all; }

# Block plugin config files and sample config files.
location ~ ^/mail/plugins/.*/config.inc.php.* { allow all; }

# Block access to plugin data
location ~ ^/mail/plugins/enigma/home($|/.*) { allow all; }

# Redirect URI `/mail` to `/mail/`.
location = /mail {
    return 301 /mail/;
}

location ~ ^/mail/(.*\.php)$ {
    include /etc/nginx/templates/hsts.tmpl;
    include /etc/nginx/templates/fastcgi_php.tmpl;
    fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail/$1;
}

location ~ ^/mail/(.*) {
    alias /opt/www/roundcubemail/$1;
    index index.php;
}

what can I update here so I can actually troubleshoot. Thank you.

#Update 1: Latest Logs /var/log/maillog

Oct  2 19:41:31 mail clamd[2642]: SelfCheck: Database status OK.
Oct  2 19:42:07 mail roundcube: <ep6s2sqc> [1] SELECT `vars`, `ip`, `changed`, now() AS ts FROM `session` WHERE `sess_id` = 'ep6s2sqc4r5mthn6as1n006ss0';
Oct  2 19:42:07 mail roundcube: <ep6s2sqc> [2] INSERT INTO `session` (`sess_id`, `vars`, `ip`, `changed`) VALUES ('ep6s2sqc4r5mthn6as1n006ss0', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjs=', '74.80.18.51', now());

php -m

[root@mail ~]# php -m
[PHP Modules]
bz2
calendar
Core
ctype
date
ereg
exif
filter
ftp
gettext
gmp
hash
iconv
libxml
mbstring
mhash
mysql
mysqli
mysqlnd
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_sqlite
posix
readline
Reflection
session
shmop
SimpleXML
sockets
SPL
sqlite3
standard
tokenizer
xml
zlib

[Zend Modules]

the php-fpm -m

[root@mail ~]# php-fpm -m
[PHP Modules]
bz2
calendar
cgi-fcgi
Core
ctype
date
ereg
exif
filter
ftp
gettext
gmp
hash
iconv
libxml
mbstring
mhash
mysql
mysqli
mysqlnd
openssl
pcre
PDO
pdo_mysql
pdo_sqlite
posix
Reflection
session
shmop
SimpleXML
sockets
SPL
sqlite3
standard
tokenizer
xml
zlib

[Zend Modules]

NGINX ERROR.LOG

2020/10/02 14:01:16 [error] 14327#0: *65854 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 176.113.115.214, server: _, request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9999", host: "173.236.23.110", referrer: "http://173.236.23.110:80/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
2020/10/02 16:26:34 [error] 14327#0: *68878 open() "/var/www/html/en/contact.html" failed (2: No such file or directory), client: 119.3.36.252, server: _, request: "GET /en/contact.html HTTP/1.0", host: "www.allbyzip.com"
2020/10/02 19:02:55 [error] 14327#0: *72082 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 176.113.115.214, server: _, request: "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1", upstream: "fastcgi://127.0.0.1:9999", host: "173.236.23.110:443"
2020/10/02 19:25:14 [error] 14327#0: *72538 open() "/var/www/html/api/jsonws/invoke" failed (2: No such file or directory), client: 176.113.115.214, server: _, request: "POST /api/jsonws/invoke HTTP/1.1", host: "173.236.23.110:443"

fastcgi_php.tpml

[root@mail ~]# more /etc/nginx/templates/fastcgi_php.tmpl
#
# Template used to handle PHP fastcgi applications
#
# You still need to define `SCRIPT_FILENAME` for your PHP application, and
# probably `fastcgi_index` if your application use different index file.
#
include fastcgi_params;

# Directory index file
fastcgi_index index.php;

# Handle PHP files with upstream handler
fastcgi_pass php_workers;

# Fix the HTTPROXY issue.
# Reference: https://httpoxy.org/
fastcgi_param HTTP_PROXY '';

[root@mail ~]# ls -la /opt/www/roundcubemail/

total 404
drwxr-xr-x 13 root  root    4096 Jul  4 05:58 .
drwxr-xr-x  5 root  root    4096 Sep 29 17:40 ..
drwxr-xr-x  2 root  root    4096 Sep 26 15:57 bin
----------  1 root  root  183785 Jul  4 05:58 CHANGELOG
-rw-r--r--  1 root  root     908 Jul  4 05:58 composer.json
-rw-r--r--  1 root  root     940 Jul  4 05:58 composer.json-dist
-rw-r--r--  1 root  root   80538 Jul  4 05:58 composer.lock
drwxr-xr-x  2 root  root    4096 Sep 26 15:57 config
-rw-r--r--  1 root  root    2603 Jul  4 05:58 .htaccess
-rw-r--r--  1 root  root   12843 Jul  4 05:58 index.php
----------  1 root  root   12850 Jul  4 05:58 INSTALL
d---------  3 root  root    4096 Sep 26 15:57 installer
----------  1 root  root   35147 Jul  4 05:58 LICENSE
drwxr-xr-x  2 nginx nginx   4096 Sep 26 15:57 logs
drwxr-xr-x 35 root  root    4096 Jul  4 05:58 plugins
drwxr-xr-x  8 root  root    4096 Jul  4 05:58 program
drwxr-xr-x  3 root  root    4096 Sep 26 20:27 public_html
----------  1 root  root    3810 Jul  4 05:58 README.md
lrwxrwxrwx  1 root  root      28 Sep 26 15:25 roundcubemail-1.4.7 -> /opt/www/roundcubemail-1.4.7
drwxr-xr-x  5 root  root    4096 Jul  4 05:58 skins
d---------  7 root  root    4096 Jul  4 05:58 SQL
drwxr-xr-x  2 nginx nginx   4096 Sep 26 15:57 temp
----------  1 root  root    4148 Jul  4 05:58 UPGRADING
drwxr-xr-x  9 root  root    4096 Sep 26 15:57 vendor

php-fpm.conf

;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;

; All relative paths in this configuration file are relative to PHP's install
; prefix.

; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
include=/etc/php-fpm.d/*.conf

;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;

[global]
; Pid file
; Default Value: none
pid = /run/php-fpm/php-fpm.pid

; Error log file
; Default Value: /var/log/php-fpm.log
error_log = syslog

; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
;log_level = debug

; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
;emergency_restart_threshold = 0

; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated.  This can be useful to work around
; accidental corruptions in an accelerator's shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;emergency_restart_interval = 0

; Time limit for child processes to wait for a reaction on signals from master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;process_control_timeout = 0

; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
; Default Value: yes
daemonize = no

;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;

; See /etc/php-fpm.d/*.conf

only file in .d folder: www.conf*

[root@mail php-fpm.d]# more www.conf
[inet]
user = nginx
group = nginx

listen = 127.0.0.1:9999
listen.owner = nginx
listen.group = nginx
listen.mode = 0660

; IP addresses must be separated by comma, and no space between comma and ip.
listen.allowed_clients = 127.0.0.1

pm = dynamic
pm.max_children = 100
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 10
pm.max_requests = 100

pm.status_path = /status
ping.path = /ping

request_terminate_timeout = 60s
request_slowlog_timeout = 10s

;
; Log files
;
access.log = /var/log/php-fpm/php-fpm.log
slowlog = /var/log/php-fpm/slow.log

Answer 1

The error message "primary script unknown" is a indication that might something is wrong with your php-fpm config or premissions issues: https://serverfault.com/a/517327/569434

I will continuously update my answer till it work, its a complexe problem with many inquires which can not be answer that easy.

The usage of a generated/automated installation makes it more complex.

Before we start, make sure we are working on the corret issue. To be sure that roundcube cause the problem, comment out the roundcube config from nginx and restart it. Works anything else ?

Keep in mind that every time you changes something in the nginx/php config you have to restart the services!

---

1) check you SCRIPT_FILENAME

I assume your are trying to run roundcube under https://example.com/mail Ensure that SCRIPT_FILENAME matches the installations path of roundcube. In your case: /opt/www/roundcubemail/

Please post your /etc/nginx/templates/fastcgi_php.tmpl, it might be possible that one config override another: https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi/

---

2) NGINX/php-fpm/roundcube premissions

Are nginx&php-fpm services running under the same user ? What premissions are set on the roundcoube installation ?

ls -la /opt/www/roundcubemail/

Can php/nginx access these files/folders ? Try a chmod -R 755 /opt/www/roundcubemail/

---

Enable in your php-fpm config: access.log = /var/log/$pool.access.log. Restart nginx & php-fpm to activate the changes: systemctl restart php-fpm & systemctl restart nginx

Try to access again roundcube and view the log file: tail /var/log/www.access.log

if you see "GET /" without a correct php file name, then it's your nginx conf problem.

https://stackoverflow.com/a/40535412/5781499

Edit 2020.10.04 - 14:00 UTC +1

Try to set roundcube installation dir owner/group to nginx: chown -R nginx:nginx /opt/www/roundcubemail/

Let's start a chat here: https://chat.stackoverflow.com/rooms/222480/room-for-marc-and-arcee123

Answer 2

First, enable debug mode in Roundcube, config/config.inc.php

$config['debug_level'] = 1;
$config['sql_debug'] = true;
$config['imap_debug'] = true;
$config['ldap_debug'] = true;
$config['smtp_debug'] = true;

enable error/access logs in your Nginx config

server {
    .....
    root /var/www/html;
    index index.php index.html;
    access_log  /var/log/nginx/accesslogfile;
    error_log  /var/log/nginx/errorlogfile;
    .....

}

Now lets enable php-fpm logs, add this to www.conf

php_admin_value[error_log] = /var/log/php-errors.log
php_admin_flag[log_errors] = on

restart Nginx and PHP-FPM process, if you are using systemctl

systemctl restart nginx 
systemctl restart php-fpm 

check if both services are running

systemctl status nginx 
systemctl status php-fpm 

At this point you should be able to see errors, if not try to change in your server.conf of Nginx

error_log  /var/log/nginx/errorlogfile warn; 

if it at this point you are not able to see the error, any particular reason you are using fastcgi_param HTTP_PROXY '';? check if you are using same fast_cgi path, in /etc/php-fpm.d/www.conf

listen = 127.0.0.1:9000

and your site config nginx.conf file

fastcgi_pass 127.0.0.1:9000;

Try to remove include's from your Nginx config file and start with a simple .conf, Here is a simple config file that should work

server
{
    listen 80;
    #listen 443 ssl http2;
    server_name WWW.YOURDOMAIN.COM;
    error_log  /var/www/WWW.YOURDOMAIN.COM.log;
    root /var/www/html/;
    index index.php;

    location / {
      try_files $uri $uri/ /index.php?url=$uri;
    }

    location ~ \.(php)$ {
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_index  index.php;
      fastcgi_param   HTTPS               on;
      fastcgi_param   HTTP_SCHEME         https;
      fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include fastcgi_params;
  }
}

Answer 3

Your tail /var/log/nginx/error.log rather looks alike hacking attempts than relevant to me. For example: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php hints for an attempted code injection, which would work when a composer project not has the web-root setup properly.

---

But now, let talk CentOS ...

Please update the directory listing with security contexts: ls -laZ /opt/www/roundcubemail as this issue might well be SE Linux related, when installing into /opt (and the RPM hasn't set them). There are further SE Linux contexts & flags required to serve files from outside of the web-root.

Checking sealert -a /var/log/audit/audit.log suggested.

This article might be relevant for you:

• Using NGINX and NGINX Plus with SELinux

For example, if nginx cannot connect or relay (likely the second), this would permit it:

setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_relay 1

---

In case you'd need further support concerning this; I'd have to try setting it up in a fresh container. This cause could also be ruled out, by temporarily disabling SE Linux. Permanently disabling SE Linux is certainly not suggested, because it's a reliable security feature and not a bug.