A Stone Bell

Deep and Sonorous, or maybe just a Dull Thud?

 

Running PHP securely under apache

Configuring the PHP-FPM pool

PHP-FPM creates a pool of processes for each defined user. Each process can handle a website and we can also get dynamic allocation of extra resources for specific sites – more on that in a minute. By default (at least under Ubuntu 16 and PHP 7) it uses the folder /etc/php/7.0/fpm/pool.d/ to store configuration files and creates one file “www.conf” to configure the single default pool

The name of the file is irrelevant to the process as PHP-FPM will create a pool of processes per configuration file in this folder, but it’s a good idea to give them human readable names related to the user pool you are working on, so I have one called /etc/php/7.0/fpm/pool.d/equipel.co.uk.conf which obviously enough ties to the /etc/apache2/sites-enabled/equipel.co.uk.conf – not automatically, but by the values of the parameters in the files, as we shall see.

The default www.conf is well documented, but the relevant lines for my equipel site are (again I’ll show the full file at the end):


; Pool name
[equipel.co.uk]

I believe that this pool name defines the name for the process not the name of the file


; settings specific to this pool’s user
user = equipel
group = equipel
listen = /run/php/php7.0-fpm.equipel.co.uk.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

Here is another popular mistake – the user, group, listen-owner and list-group are all www-data in the www.conf file, so most instructions assume you would change all of them to your site specific user, but that’s wrong. Remember PHP-FPM can run under Apache or Nginx – so it needs to know not only the user we want it to pretend to be, but also the user it actually is.

Therefore the listen-user and listen-group are www-data for Apache 2. Don’t change the listen-mode, but make sure that www-data has the same access to /usr/lib/cgi-bin

The listen parameter is where we finally link the PHP-FPM pool to a specific site. This is the same value as the socket we defined as /run/php/php7.0-fpm.equipel.co.uk.sock in the /etc/apache2/sites-enabled/equipel.co.uk.conf

By the way /run/php is a symbolic link to /usr/lib/cgi-bin which is why the listen-owner needs permission to that folder


;parameters for the this pool
pm = dynamic
pm.max_children = 3
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2

Here is where we define how many processes are spawned for this user’s pool. The mode is dynamic, which lets the pool size grow and shrink within these limits – it’s a trade off between the memory allocated to idle processes, how long it takes to define a new process, the management of the pool (in terms of starting new, or pruning unused, processes) and the impact on a single process which has to handle multiple requests.

Now a lot of instructions just assumed that is it, everything is w#orking , but one site gave me this section to put into the Directory directive

<IfModule mod_fastcgi.c>
  <FilesMatch “.+\.ph(p[345]?|t|tml)$”>
  SetHandler php7-fcgi-equipel
 </FilesMatch”>

</IfModule>

Again we can leave off the IfModule directives is we intend to make this permanent.

What’s this for? Well one of my attempts seemed to work, except I had no CSS rendering, no images: the html by PHP-FPM was properly generated, but very plain white pages. We need Apache to handle all non-PHP files for us. I know the CSS rendering is actually in the browser, but the required information isn’t passed to the browser without Apache’s assistance. This configuration leaves Apache to service everything except script files with a PHP related extension.

- No Comments on this Post -