Size: 4139
Size: 784
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
= FastCGI = | = PHP-FPM = |
Line 3: | Line 3: |
'''FastCGI''' is a PHP implementation of the Common Gateway Interface (CGI). It works especially well with [[NGINXSetup|NGINX]]. | The PHP '''FastCGI Process Manager''' ('''PHP-FPM''') is an implementation of the [[Protocols/CGI|FastCGI]] specification. <<TableOfContents>> |
Line 9: | Line 11: |
== Setup Directory == | == Installation == |
Line 11: | Line 13: |
The recommendation is to either serve web content from: | PHP-FPM naturally depends on `php(1)`. See [[PHP#Installation|here]] for help with installation, and [[PHP/Configuration|here]] for help with configuration. |
Line 13: | Line 15: |
* a dedicated top-level directory (such as `/srv`) that can be ''easily'' separately-mounted with special settings (i.e. `ro`--the read-only fstab option) * the traditional web content directory, `/var/www` |
Most Linux and BSD distributions will offer a `php-fpm` package. |
Line 16: | Line 17: |
Note that any directory can be a mounted device, but there are additional considerations. Many package managers expect standard directories to be writable. | Official container images are available from the upstream development team. They are tagged like `php:<version>-fpm` ---- |
Line 20: | Line 23: |
=== Setup Test Script === | == Configuration == |
Line 22: | Line 25: |
Write the below to `cgi/test.php`, under whichever directory structure you prefer. | As a security measure, the allowable extensions should be set as strictly as possible. |
Line 25: | Line 28: |
<?php phpinfo(); ?> | security.limit_extensions = .php .html .htm |
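Review bot: The added `security.limit_extensions = .php .html .htm` on the right-hand side is wider than the text introducing it calls for. It lets FPM run `.html` and `.htm` files as PHP scripts, while the sentence before it says the list should be set as strictly as possible, and the pool configuration removed by this revision listed only `.cgi .php`. Suggest `security.limit_extensions = .php`, or a sentence explaining why `.html` and `.htm` must be executable on this setup.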
Line 32: | Line 35: |
== Setup User == Linux permissions and restrictions are most easily done through users, groups, and umasks. The recommendation is to set a specific user and group for the web service. The common options are `www-data` (Apache) and `http` (PHP). Depending on your ditro, these users and groups may already be created. See details on running `useradd` and `groupadd` in UserSetup. The directory and files setup above should be owned by this user. ---- == Setup Software == At a minimum, we need: php, php-fpm, fcgi, fcgiwrap, and nginx. Common additional tools include: * apache2-utils (a.k.a. apache-tools, httpd-utils, etc.) for creating .htpasswd files for basic restrictions === PHP === The primary configuration for PHP is found in `/etc/php/php.ini`. Some distributions carry two versions: * `php.ini-production` which is more secure * `php.ini-development` which is more backwards-compatible, and includes sensitive details in debugging messages Chuck the latter straight into the bin. Some key directives to check: {{{ ; Block calls from crafted URLs (i.e., `example.com/something-malicious.php`) cgi.force_redirect = On ; Disable access to filesystem file_uploads = Off ; Disable remote data retrieval allow_url_fopen = Off allow_url_include = Off }}} === PHP-FPM === PHP-FPM is configured by a system configuration (`/etc/php/php-fpm.conf`) and by pool configurations (`/etc/php/php-fpm.d/*.conf`). For the most part, the system configuration works out of the box. {{{ ; Pid file pid = /run/php-fpm/php-fpm.pid ; Error log error_log = /var/log/php-fpm.log }}} The pool configuration will need to be adjusted according to the user that was setup above. 
{{{ ; User/group of processes user = www-data group = www-data ; Socket file listen = /run/php-fpm/php-fpm.pid ; User/group of sockets listen.owner = www-data listen.group = www-data ; Restrictions on file extensions security.limit_extensions = .cgi .php ; Access log access.log = /var/log/php-fpm/access.log }}} === FastCGI and FCGIWrap === FastCGI takes a large number of parameters within NGINX configurations, so it is commonly 'configured' with `/etc/nginx/fastcgi_params`. This file should be created by default and should work by default. FCGIWrap is, as the name implies, a wrapper around FastCGI. It will work without configuration. === NGINX === For more details on NGINX configuration, see [[NGINXSetup|this walkthrough]]. A basic configuration for FastCGI would be: {{{ user www-data www-data; http { include mime.types; default_type application/mime.types; sendfile on; keepalive_timeout 65; gzip on; server { listen 80; server_name example.com; access_log /var/log/nginx/example.com/access.log; error_log /var/log/nginx/example.com/error.log; root /var/www; try_files $uri @cgi; location @cgi { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $realpath_root/my-cgi-script.cgi; fastcgi_param PATH_INFO $uri; fastcgi_param QUERY_STRING $args; fastcgi_param HTTP_HOST $server_name; fastcgi_pass unix:/run/fcgiwrap.sock; } } } }}} ---- == Startup == ---- == Maintenance == |
== Usage == |
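Review bot: The left-hand column removed in this hunk carried the pool settings that decide which account the workers run as and who may open the socket (`user`, `group`, `listen.owner`, `listen.group`), along with the `php.ini` directives `allow_url_fopen = Off` and `allow_url_include = Off`; the only addition on the right is the `== Usage ==` heading. Suggest keeping a short pool section under Configuration, or confirming that the linked PHP/Configuration page covers these settings. If the pool block is restored, its `listen` line should get its own socket path, since it currently repeats the `pid` path `/run/php-fpm/php-fpm.pid`.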
PHP-FPM
The PHP FastCGI Process Manager (PHP-FPM) is an implementation of the FastCGI specification.
Installation
PHP-FPM naturally depends on php(1). See here for help with installation, and here for help with configuration.
Most Linux and BSD distributions will offer a php-fpm package.
Official container images are available from the upstream development team. They are tagged like php:<version>-fpm.
Configuration
As a security measure, the allowable extensions should be set as strictly as possible.
security.limit_extensions = .php .html .htm
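A check for the setting above, as an added example that is not part of the original page: it reads php-fpm pool configuration text and reports, per pool, whether `security.limit_extensions` lists anything beyond `.php`. The pool names, the sample configuration and the choice of `.php` as the only expected extension are assumptions made for the example.

```python
import re

# Extensions this audit expects for PHP entry scripts (assumption of the example).
EXPECTED = {".php"}

# Constructed sample; the [www] value is the one shown on this page.
SAMPLE = """\
[global]
pid = /run/php-fpm/php-fpm.pid

[www]
; value from the page
security.limit_extensions = .php .html .htm

[api]
security.limit_extensions = .php   ; strict

[legacy]
security.limit_extensions =

[cron]
user = www-data
"""

def audit_limit_extensions(conf_text, expected=EXPECTED):
    """Return {pool_name: finding} for every pool section in conf_text."""
    pools, pool = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            pool = section.group(1).strip()
            if pool != "global":                  # [global] is not a pool
                pools.setdefault(pool, None)
            continue
        key, sep, value = line.partition("=")
        if sep and pool in pools and key.strip() == "security.limit_extensions":
            pools[pool] = value.split()
    findings = {}
    for name, exts in pools.items():
        if exts is None:
            findings[name] = "not set: FPM's built-in default applies"
        elif not exts:
            findings[name] = "empty: every extension is allowed"
        else:
            extra = sorted(set(exts) - expected)
            findings[name] = "extra: " + " ".join(extra) if extra else "ok"
    return findings

if __name__ == "__main__":
    for pool_name, finding in audit_limit_extensions(SAMPLE).items():
        print(f"{pool_name}: {finding}")
```

To audit a real host, pass the contents of each pool file (for example those under `/etc/php/php-fpm.d/`) to `audit_limit_extensions`.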