A Stone Bell

Deep and Sonorous, or maybe just a Dull Thud?

 

Running PHP securely under apache

Configuring Apache to use PHP-FPM

Another author suggested disabling the main “mod_php” when we are finished, but php-fpm seems more closely bound into php 7.0 than it was with earlier version of PHP (it is certainly located within the php folders) and I have left a small site running under mod_php – perhaps I’ll get around to running some comparison timings one day.

Some instructions suggest adding the following lines to the default Apache configuration in /etc/apache2/sites-enabled/000-default.conf, others apply it site by site. As I want different users running different sites there is absolutely no point putting this into the default and besides I was feeling my way along and I hardly wanted to accidentally stop all our sites because I’d misconfigured something. Therefore I took a site by site approach.

I’m going to reference a real site http://equipel.co.uk which I have converted to using php-fpm, so into its /etc/apache2/sites-enabled/equipel.co.uk.conf I added the following lines – don’t worry at the end I’ll show the complete file, so you can see it all in situ. For each of your sites just replace every occurrence of “equipel” with the relevant user.

The example I saw most frequently was:

<IfModule mod_fastcgi.c>
AddHandler php7-fcgi .php
Action php7-fcgi /php7-fcgi
Alias /php7-fcgi /usr/lib/cgi-bin/php7-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi -socket /var/run/php/php7.0-fpm.sock -pass-header Authorization
</IfModule>

I didn’t bother with the IfModule directives because I’m going to make sure that fastcgi is running. This makes the entries for equipel look like this:

AddHandler php7-fcgi-equipel.co.uk .php
Action php7-fcgi-equipel.co.uk /php7-fcgi-equipel.co.uk
Alias /php7-fcgi-equipel.co.uk /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk
FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi-equipel.co.uk -socket /var/run/php/php7.0-fpm.equipel.co.uk.sock -pass-header Authorization

Next we need to make sure this site can see the shared cgi-bin folder referenced in those last two lines, therefore the following also goes into the virtual hosts file:


 <Directory /usr/lib/cgi-bin>
  Require all granted
 </Directory>

- No Comments on this Post -