PHP ftp_connect fails! returns bool (false)

The stage!

The problem!

The application was working fine on two other servers (development and staging), but on this new server we ran into a problem that had never happened before.

Part of the code, which sends the newly processed files to the robots server (yes, really, robot machines), uses FTP connections. Nothing was happening, only errors like:

PHP Warning:  ftp_login() expects parameter 1 to be resource, boolean given in test.php on line 7

Looking further, the problem was related to ftp_connect: no connection was being made. Here is the code used for testing:

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL & ~E_NOTICE);

// Connect to ftp
$conn_id = ftp_connect("my.domain.pt",21,90);
var_dump($conn_id);

// Open a session to an external ftp site
$login_result = ftp_login($conn_id, "user", "password");

// Check open
if ((!$conn_id) || (!$login_result)) {
    print "FTP connection failed!";
    exit();
}

// turn on passive mode transfers
if (ftp_pasv($conn_id, true) == FALSE) {
    print "Passive FTP connection failed!";
    exit();
}

This code should work normally, but var_dump($conn_id); returns bool(false).

Investigating the source of the problem!

OK, this machine is virtualized (hypervisor): one virtual machine is the new CentOS 7 machine, the other is used as the firewall (Kerio Control).

The first thing we looked for was a firewall problem; every forum says so, and that is what to look for. But that was not the problem: in the logs, nothing was hitting the robots server by FTP on port 21, while access with e.g. FileZilla was always granted. Telnet to that server was working too.

The problem was only happening in the application. PHP settings all OK (allow_url_fopen = ON, FTP support = enabled). WHAT THE HELL IS GOING ON HERE?!?!?

Solving the problem!

While digging deeper on the web, someone soon pointed me to SELinux. Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense–style mandatory access controls (MAC).

Turned off selinux… and now it works. Damn!

If you don’t want to turn off SELinux completely like I did, you might get what you need by just setting the httpd_can_network_connect boolean with the setsebool command.

Verify that it was previously set to “off”:

getsebool httpd_can_network_connect

Set it to “on”:

setsebool httpd_can_network_connect=1

Turn selinux back on:

setenforce 1

Check to be sure php ftp_connect still works when running under httpd.

Set the policy (-P) to “on” so it persists over a reboot:

setsebool -P httpd_can_network_connect=1
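
Rather than disabling SELinux to test, the audit log shows whether it is what blocked httpd. The following bash example is added here and is not from the original post: it counts name_connect denials for the httpd_t domain in audit-log text and names the boolean to review. The sample log lines are constructed, and httpd_can_connect_ftp (an FTP-only boolean in the CentOS/RHEL targeted policy) is assumed to be present on the host.

```bash
#!/usr/bin/env bash
# Constructed sample of /var/log/audit/audit.log lines (not from the post).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1500000000.101:410): avc:  denied  { name_connect } for  pid=2310 comm="httpd" dest=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000000.202:411): avc:  denied  { name_connect } for  pid=2310 comm="httpd" dest=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000003.303:415): avc:  denied  { read } for  pid=911 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1500000009.404:420): avc:  denied  { name_connect } for  pid=2344 comm="httpd" dest=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Read audit log text on stdin; print "count dest port_type" for every
# outbound TCP connect that SELinux denied to the httpd_t domain.
httpd_connect_denials() {
  awk '
    /avc:[ ]+denied/ && index($0, "{ name_connect }") && /scontext=[^ ]*:httpd_t:/ {
      dest = "?"; type = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dest=/) dest = substr($i, 6)
        if ($i ~ /^tcontext=/) { split($i, c, ":"); type = c[3] }
      }
      seen[dest " " type]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k2,2n
}

# Name the boolean to review for a denied port type: the FTP-only one for
# the FTP control port, otherwise the broad one used in the post.
# Assumption: httpd_can_connect_ftp exists in the loaded policy; confirm
# with `getsebool -a | grep httpd_can` on the target host.
suggest_boolean() {
  case "$1" in
    ftp_port_t) echo httpd_can_connect_ftp ;;
    *)          echo httpd_can_network_connect ;;
  esac
}

# Turn the denial counts into one readable line per destination.
report() {
  httpd_connect_denials | while read -r count dest type; do
    echo "httpd_t denied x$count -> port $dest ($type): review $(suggest_boolean "$type")"
  done
}

# Demo on the constructed sample. On a real host, run as root:
#   report < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | report
```

If the only denials are for ftp_port_t, enabling the FTP-only boolean leaves httpd unable to open arbitrary outbound connections, which httpd_can_network_connect would permit.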

Want to know more? Check this out: http://wiki.centos.org/TipsAndTricks/SelinuxBooleans