Making Baikal authentication work again after migrating to FPM
A long story for a short post
I realised yesterday that my Apache configuration was only accepting HTTP/1.1, so I decided to fix it to accept HTTP/2 (hey, we're in 2025 after all!).
I checked my httpd.conf and to my surprise, I already had this line:
Protocols h2 http/1.1
"Hum, then why does it not work?" I asked myself.
I checked the Apache documentation and noticed a section about MPM, recommending to use event mpm instead of prefork mpm.
Of course, I was using prefork mpm, as confirmed in my configuration:
# grep mpm httpd.conf
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
I uncommented the mpm_event line and commented out the mpm_prefork one, but when I ran the usual apachectl configtest, I was greeted by this error message:
Apache is running a threaded MPM, but your PHP Module is not compiled to be
threadsafe. You need to recompile PHP
Right, so after a bit of poking around, I found out that having mod_php was not great, and I should instead use FPM/FastCGI as Server API for PHP.
I uninstalled mod_php and went on to install and configure FPM using this excellent article by Albert Valbuena, which gives detailed instructions about how to not only enable mpm event (this is easy enough), but also configure PHP-FPM, aka FastCGI Process Manager for PHP.
Everything was fine, PHP pages were still being rendered fine.
However, I shortly realised that there was something wrong with Baikal, as a vdirsyncer sync would return a 401 error.
It took me a bit of time to find what the issue was: FPM acts as a proxy, so you have to pass it the Authorization header specifically, otherwise it won't work.
Just adding the below line to my Apache virtual host did the trick:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
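For context, here is where that line sits in a virtual host that hands PHP to FPM. This is an added example, not the configuration from this server: the ServerName, the Baikal path and the FPM listen address are assumptions. It also shows CGIPassAuth, the core directive (Apache 2.4.13 and later) that does the same job and can be limited to a single directory.

```apache
# Added example; ServerName, paths and the FPM address are assumptions.
<VirtualHost *:443>
    ServerName dav.example.org
    DocumentRoot "/usr/local/www/baikal/html"
    # (SSLEngine and certificate directives omitted)

    # PHP no longer runs in-process (mod_php); requests for .php files
    # are proxied to the PHP-FPM pool over FastCGI.
    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000"
    </FilesMatch>

    # Apache does not hand the Authorization header to CGI/FastCGI
    # backends by default, so Baikal never sees the client's credentials
    # and answers 401. The line from the post copies the header into the
    # environment that is passed on to FPM:
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

    # Alternative to the SetEnvIf line: uncomment CGIPassAuth to forward
    # the header only for scripts under the Baikal directory, which is
    # the application that performs its own HTTP authentication.
    <Directory "/usr/local/www/baikal/html">
        # CGIPassAuth On
        Require all granted
    </Directory>
</VirtualHost>
```

Use one of the two mechanisms, then run apachectl configtest and repeat the vdirsyncer sync to confirm the 401 is gone.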
Conclusion
Alright, I now have HTTP/2 working fine on my server, confirmed with:
$ curl -svo /dev/null https://www.ncartron.org
* Host www.ncartron.org:443 was resolved.
[...]
* ALPN: curl offers h2,http/1.1
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Connected to www.ncartron.org (193.200.42.230) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.ncartron.org/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.ncartron.org]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.11.1]
* [HTTP/2] [1] [accept: */*]
} [5 bytes data]
> GET / HTTP/2