I love Cockpit CMS

I've had a lot of fun playing with Cockpit CMS.
It's a "An API-driven CMS without forcing you to make compromises in how you implement your site."

Its a CMS without a front end. The front end is completely up to you. This tool takes care of all the back-end stuff. It provides a UI for building content types, uploading media, editing media and content, doing site backups and authentication. How the data is displayed is entierly up to you.

Built with a custom microframework called "Lime" which looks alot like slim2 and a storage system called "Mongo lite", it provides everything you need to build small sites that are a joy to work with.

The documentation includes a walk-through on how to build a simple blog.

Working with Legacy PHP

I support a legacy application and have recently begun making modifications to this code base. Creating a dev environment for older php can be a beast. This wouldn't have been possible without vagrant. Here are some tricks I discovered while setting up my php 5.2 dev environment in 2016.

Did someone already do this?

I found https://github.com/tierra/wp-vagrant
In my case, I don't want the entire environment inside vagrant and had trouble with some of the configuration decisions of these boxes.
They were really specific to testing wordpress.

Configure Vagrant

Mine is based on bento/centos-5.11
It was the most popular centos 5.x box at the time.
This image doesn't have apache or php installed by default.

Edit the Vagrantfile and enabled the local networking.
This gives you a consistant ip address each time you start your dev environment.

config.vm.network "private_network", ip: ""

Increase the memory alloted to vagrant box. Look for this near the end of a "standard" vagrant file.

  config.vm.provider "virtualbox" do |vb|
    # Display the VirtualBox GUI when booting the machine
    vb.gui = false  
    # Customize the amount of memory on the VM:
    vb.memory = "1024"

I added a line to start apache after the box finishes starting up. ( This is at the end of a "standard" vagrant file. )
In my setup. The apache config for my virtual host is a part of the applications code repository.
This caused problems because apache was failing to start because vagrant hadn't mounted my shared folder yet.

config.vm.provision "shell", inline: <<-SHELL

      sudo /etc/init.d/httpd start


Installing php 5.2 in 2016

Your options are find rpms or compile from source. I tried the 'compile from source' route and it didn't go so well.
There are a number of libraries that php depends on that have been updated and are no longer compatible.
hense the php52-backports project. I was able to compile but had trouble building an apache module.

It was much easier to find RPMS.
I used iworx-unsupported repo. It was referenced in many spots and was only missing one plugin I needed.

name=IWorx Unsupported
/etc/yum.repos.d/iworx-unsupported.repo (END) 

It does not have an xdebug module so I had to install that via the pecl repository.
yum install php.x86_64 php-cli php-soap php-devel php-mysql php-pdo php-mcrypt php-mysqli php-pear php-gd php-devel gcc gcc-c++ autoconf automake unzip zip

Can't mount folders in vagrant after yum update

Running yum update will probably break your box's ability to mount shared folders.
To fix; you'll need to rebuild virtualbox's guest additions.

sudo /etc/init.d/vboxadd setup

Installing old xdebug

Version 2.2.7 is the last version which supported php 5.2
If you use pecl to install and build the module, you'll get the latest release which doesn't support php 5.2.
We'll have to compile this module manually.
You will need to install gcc, gcc-c++, autoconf automake php-devel and php-pear.

mkdir /opt/xdebug
cd /opt/xdebug
wget –no-check-certificate https://xdebug.org/files/xdebug-2.2.7.tgz
tar -z -x -f ./xdebug-2.2.7.tgz
cd ./xdebug-2.2.7
./configure –enable-xdebug
make install

My xdebug config looks like this:

xdebug.remote_enable = 1

; default for vagrant
xdebug.remote_host = 

Since we configured a static address earlier, we can now use that address with xdebug.
I was so happy the first time phpStorm started a debug session with this app. Screaming and clapping.

Connecting to local MySQL

I'm used to using my local mysql instance for development. Having it virtual box with all the constrants of virtualbox is awkward.
I wanted to connect my virtual box guest to a mysql server running on the host.
If are ok with mysql running on all your ip addresses, then you can just use the same address you used for xdebug. Edit the /etc/my.cnf to allow connections from and you're set. In my case, mysql only runs on localhost.
We can still connect it to the guest via a ssh proxy.

vagrant ssh — -R 3306:localhost:3306

As long as the command prompt is open, your guest will be able to use the proxy.

I think that covers all the gotchas encountered while trying to configure my dev environment for old php.
PHP 5.2 has been unsupported since Jan. 2011, but a dev environment is the first step to modernizing this app. From a breif test on php 7, I'll have plenty of work to do for year to come.


mod_mime + php = hacked site.

So I learned something about mod_mime today that made my jaw drop.

The default way of telling apache to parse a php file looks something like this:

AddHandler php5-script .php

If you install php via the command line on RHEL 4,5 or 6, this is how it sets it up.

What I didn't know is that mod_mime expands the match (.php) to anywhere in the file name.
So test.php or test.php.csv or test.php.jpg would all be passed to the php handler to be executed.


That's a big deal when your application accepts file uploads and is only type-checking the last file extension.
Magento, expression engine, wordpress, etc…

The workaround is to only apply the php handler to files which end in ".php"

<FilesMatch \.php$>
    SetHandler php5-script

And for a little extra 'security', disable php for a directory if you're accepting uploads.

<Directory "/var/www/html/example/uploads">
    php_flag engine off

Which I'm going to go back and change on any server I've ever setup.
I learned this tid-bit from a security advisory from magento.

UPDATE: You may also see a lot of folks who recommend turning on "open_basedir" in php to lock thinks down.
There is a cavet there too. When "open_basdir" is in use, php disables the realpathcache. 
This makes loading/including files very slow.

php has a ftps bug, please vote this bug up so someone will approve this patch

Update: This fix was finally merged into php 5.6 and 7.0 in Dec. of 2015. It had 165 votes! Thank you for support.

Setting up an FTPS server securly is a big pain. If your environment is behind a NAT, sometimes the server doesn't even know what its public address is, which makes enabling PASV mode fun!

I'm trying to connect to a server setup like this and when I enable PASV mode, it responds with an unroutable internal address.
FileZilla works around this issue by ignoring the address and using the servers inital address instead and everything works as expected.

PHP's FTP library does not. It happily accepts the unroutable address and ultimately fails to connect moments later.

This guy knows what I'm talking about and actually patched php to fix this bug.

If you have a moment, please vote this bug up so it makes it into php's next offical release. 
It was reported in 2011 in version 5.3 and is still unassigned.

phpseclib is awesome

While looking for something to help php connect to a sftp server I stumbled across libphpsec which is a fantastic library that has no dependencies and works in all versions of php. The documentation takes a "cookbook" approch which works really well for me.

The real genius to this library is it makes no assumptions about your environment.
If a suitable native function doesn't exist, there is a pure php one to pick up the slack.
The following are implemented in pure php:

  • BigIntegers
  • RSA
  • SSH2
  • SFTP
  • X.509
  • Symmetric key encryption

    • AES
    • Rijndael
    • Twofish
    • Blowfish
    • DES
    • 3DES
    • RC4
    • RC2

    I'm amazed that someone loved this problem enough to do this much work on it and thankful he chose to open-source it.
    Terrafrost, if your ever able to make it to the Austin PHP Beverage Subgroup; (4th Wednesday) the drinks are on me guy.