Differences between revisions 2 and 14 (spanning 12 versions)
Revision 2 as of 2020-01-20 04:35:49
Size: 1822
Revision 14 as of 2022-09-25 18:14:20
Size: 3970
Line 1: Line 1:
= FastCGI = = PHP-FPM =
Line 3: Line 3:
'''FastCGI''' is a PHP implementation of the Common Gateway Interface (CGI). It works especially well with [[SetupNGINX|NGINX]]. The PHP '''FastCGI Process Manager''' ('''PHP-FPM''') is an implementation of the [[Protocols/CGI|FastCGI]] specification.

<<TableOfContents>>
Line 9: Line 11:
== Setup Files == == Installation ==
Line 11: Line 13:
The recommendation is to either serve web content from: PHP-FPM naturally depends on `php(1)`. See [[PHP#Installation|here]] for help with installation, and [[PHP/Configuration|here]] for help with configuration.
Line 13: Line 15:
 A. a dedicated top-level directory (such as `/srv`) that can be ''easily'' separately-mounted with special settings (i.e. `ro`--the read-only fstab option)
 B. the traditional web content directory, `/var/www`
Most Linux and BSD distributions will offer a `php-fpm` package.
Line 16: Line 17:
Note that any directory can be a mounted device, but there are complications with applying special settings to directories that many package managers expect to be able to write to. Official container images are available from the upstream development team. They are tagged like `php:<version>-fpm`
Line 18: Line 19:
Write the below to `cgi/test.php`, under whichever directory structure you prefer.

=== PHP ===

A working installation of '''PHP''' is required. See [[PHP/Configuration|here]] for help in configuring PHP.



=== PHP-FPM ===

For the most part, distributed configuration for '''PHP-FPM''' works out of the box.

{{{
; Pid file
pid = /run/php-fpm/php-fpm.pid

; Error log
error_log = /var/log/php-fpm.log
}}}




=== FCGIWrap ===

'''FCGIWrap''' is, as the name implies, a wrapper script. It manages the configuration of FastCGI through PHP-FPM so that all you need to do is point NGINX at `/run/fcgiwrap.sock`.



=== NGINX ===

'''NGINX''' is a modern and lightweight web server, which works well with PHP-FPM. For more details on NGINX configuration, see [[NGINX/FastCGIConfiguration|here]].

A basic configuration is:

{{{
user www-data www-data;

http {
  server {
    listen 80;
    server_name example.com;
    root /var/www;

    location ~ \.php(/|$) {
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO $fastcgi_path_info;

      try_files $uri =404;

      fastcgi_pass unix:/run/fcgiwrap.sock;
      include fastcgi_params;
    }
  }
}
}}}

As stated above, `/run/fcgiwrap.sock` can be used through FCGIWrap. If you are not using that package, or if you are using the upstream Docker image, you will need to set this differently. In particular, if you are redirecting to a PHP environment on another server, you will need to set this to an address and port.

{{{
fastcgi_pass 127.0.0.1:9000
}}}



=== Test Script ===

A minimal test script to validate the PHP installation.
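Review bot: the added `fastcgi_pass 127.0.0.1:9000` line in the second code block of the NGINX section has no terminating semicolon, unlike every other directive in this hunk. nginx fails to parse a directive without one, so a reader who copies the line gets a configuration error. Suggest `fastcgi_pass 127.0.0.1:9000;`, matching the form used in the later remote work directory example.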
Line 28: Line 97:
== Setup User == == Remote Files, chroots, and Work Directories ==
Line 30: Line 99:
Linux permissions and restrictions are most easily done through users, groups, and umasks. The recommendation is to set a specific user and group for the web service. The common options are `www-data` (Apache) and `http` (PHP). PHP applications can be placed anywhere on the web root and they will work as expected. This is because PHP-FPM defaults to working in the current work directory.
Line 32: Line 101:
Depending on your ditro, these users and groups may already be created. See details on running `useradd` and `groupadd` in UserSetup. However, it is ''recommended'' to isolate PHP-FPM by running it in a different work directory. This is accomplished by configuring PHP-FPM on a pool level, which you can read more about [[PHP/FPMConfiguration#Pool_Configuration|here]]. What needs to be addressed up-front is how a web server will interact with an isolated FastCGI environment.
Line 34: Line 103:
---- The NGINX `try_files` command, as shown below, checks for existence of files. This will cause issues if PHP applications are actually living in a different directory (or a different server). However, without checking for the existence of an executable, you can run into difficult-to-debug errors and security issues regarding embedded PHP in ordinary files.
Line 36: Line 105:
The workaround is to set the key FastCGI parameters for the target server and check the URI against local null files. Furthermore, note the specific ordering in this configuration.
Line 37: Line 107:
{{{
location ~ \.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param SCRIPT_FILENAME /remote/path/to/work/directory/$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
Line 38: Line 113:
== Setup Software ==     try_files $uri =404;
Line 40: Line 115:
At a minimum, we need: php, php-fpm, fcgi, fcgiwrap, and nginx.     fastcgi_pass 127.0.0.1:9000;
    include fastcgi_params;
}
}}}
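Review bot: in the added `fastcgi_param SCRIPT_FILENAME /remote/path/to/work/directory/$fastcgi_script_name;` line, the literal prefix ends in `/` while the first capture of `fastcgi_split_path_info ^(.+?\.php)(/.*)$;` already begins with `/`, so the backend receives a path with a doubled slash. Suggest dropping the trailing slash from the prefix, which also matches the `$document_root$fastcgi_script_name` form used in the basic configuration.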
Line 42: Line 120:
Common additional tools include:
 * apache2-utils (a.k.a. apache-tools, httpd-utils, etc.) for creating .htpasswd files for basic restrictions

=== PHP ===

The primary configuration for PHP is found in `/etc/php/php.ini`. Some distributions carry two versions--`php.ini-production` which is more secure and `php.ini-development` which is more backwards-compatible. Chuck the latter straight into the bin.


=== PHP-FPM ===

=== FastCGI ===

=== NGINX ===

----



== Startup ==

----



== Maintenance ==
Note that `try_files` is called ''strictly after'' path info has been pulled out. Try files will, on success, overwrite `$uri` with the matched local URI. To avoid this, set the value of parameters before validating file existence.

PHP-FPM

The PHP FastCGI Process Manager (PHP-FPM) is an implementation of the FastCGI specification.


Installation

PHP-FPM naturally depends on php(1). See here for help with installation, and here for help with configuration.

Most Linux and BSD distributions will offer a php-fpm package.

Official container images are available from the upstream development team. They are tagged like php:<version>-fpm.

PHP

A working installation of PHP is required. See here for help in configuring PHP.

PHP-FPM

For the most part, distributed configuration for PHP-FPM works out of the box.

{{{
; Pid file
pid = /run/php-fpm/php-fpm.pid

; Error log
error_log = /var/log/php-fpm.log
}}}

FCGIWrap

FCGIWrap is, as the name implies, a wrapper script. It manages the configuration of FastCGI through PHP-FPM so that all you need to do is point NGINX at /run/fcgiwrap.sock.

NGINX

NGINX is a modern and lightweight web server, which works well with PHP-FPM. For more details on NGINX configuration, see here.

A basic configuration is:

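{{{
user www-data www-data;

# nginx refuses to start without an events block, even an empty one
events {}

http {
  server {
    listen 80;
    server_name example.com;
    root /var/www;

    # Hand any URI containing ".php" followed by "/" or end-of-string to FastCGI
    location ~ \.php(/|$) {
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO       $fastcgi_path_info;

      # Answer 404 when the requested URI does not exist locally
      try_files $uri =404;

      fastcgi_pass unix:/run/fcgiwrap.sock;
      include fastcgi_params;
    }
  }
}
}}}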

As stated above, /run/fcgiwrap.sock can be used through FCGIWrap. If you are not using that package, or if you are using the upstream Docker image, you will need to set this differently. In particular, if you are redirecting to a PHP environment on another server, you will need to set this to an address and port.

{{{
fastcgi_pass 127.0.0.1:9000;
}}}

Test Script

A minimal test script to validate the PHP installation.

{{{
<?php phpinfo(); ?>
}}}


Remote Files, chroots, and Work Directories

PHP applications can be placed anywhere on the web root and they will work as expected. This is because PHP-FPM defaults to working in the current work directory.

However, it is recommended to isolate PHP-FPM by running it in a different work directory. This is accomplished by configuring PHP-FPM on a pool level, which you can read more about here. What needs to be addressed up-front is how a web server will interact with an isolated FastCGI environment.

The NGINX try_files directive, as shown below, checks for the existence of files. This will cause issues if PHP applications actually live in a different directory (or on a different server). However, without checking for the existence of an executable, you can run into difficult-to-debug errors and security issues regarding embedded PHP in ordinary files.

The workaround is to set the key FastCGI parameters for the target server and check the URI against local null files. Furthermore, note the specific ordering in this configuration.

{{{
location ~ \.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param SCRIPT_FILENAME /remote/path/to/work/directory/$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;

    try_files $uri =404;

    fastcgi_pass 127.0.0.1:9000;
    include fastcgi_params;
}
}}}

Note that try_files is called strictly after path info has been pulled out. On success, try_files will overwrite $uri with the matched local URI. To avoid this, set the value of parameters before validating file existence.
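
The following is an added example, not part of the original page or of NGINX itself: a small Python model of the two `fastcgi_split_path_info` patterns above and of the `try_files $uri =404` existence check, showing which request URIs would reach PHP-FPM and with what script name and path info. The function names, the `LOCAL_FILES` set and the sample URIs are constructed for illustration, and `fastcgi_index` handling is not modelled.

```python
import re

LOCATION = re.compile(r"\.php(/|$)")   # location ~ \.php(/|$)
SPLIT_BASIC = r"^(.+\.php)(/.+)$"      # pattern from the basic configuration
SPLIT_REMOTE = r"^(.+?\.php)(/.*)$"    # pattern from the remote configuration

# Constructed sample: files that exist under the local web root.
LOCAL_FILES = {"/index.php", "/uploads/note.txt"}


def split_path_info(pattern, uri):
    """Model fastcgi_split_path_info: capture 1 becomes $fastcgi_script_name,
    capture 2 becomes $fastcgi_path_info. Without a match the whole URI is
    the script name and path info is empty (fastcgi_index is not modelled)."""
    m = re.match(pattern, uri)
    return (m.group(1), m.group(2)) if m else (uri, "")


def decide(uri, pattern, local_files=LOCAL_FILES, check_exists=True):
    """Return (action, script_name, path_info) for one request URI."""
    if not LOCATION.search(uri):
        return ("other-location", None, None)
    script, path_info = split_path_info(pattern, uri)
    # try_files $uri =404 tests the whole URI, so a URI that carries path
    # info must itself name a local file to get past this check.
    if check_exists and uri not in local_files:
        return ("404", None, None)
    return ("pass-to-fpm", script, path_info)


if __name__ == "__main__":
    for uri in ("/index.php", "/uploads/note.txt/x.php", "/index.php/foo"):
        for name, pat in (("basic", SPLIT_BASIC), ("remote", SPLIT_REMOTE)):
            print(uri, name, decide(uri, pat), decide(uri, pat, check_exists=False))
    # The greedy and lazy patterns disagree when ".php" appears twice.
    print(split_path_info(SPLIT_BASIC, "/a.php/b.php/c"))
    print(split_path_info(SPLIT_REMOTE, "/a.php/b.php/c"))
```

With the existence check disabled, a `.php`-suffixed URI beneath an ordinary file is forwarded with a script name that matches no script on disk, which is the case the check is there to stop.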


CategoryRicottone

PHP/FPM (last edited 2023-05-25 17:00:50 by DominicRicottone)