PHP-FPM Setup
PHP-FPM (FastCGI Process Manager) is PHP's implementation of FastCGI, a persistent-process enhancement of the earlier Common Gateway Interface (CGI). It works especially well with NGINX, which has no PHP module of its own and hands PHP requests to an external FastCGI server over a socket.
Setup Directory
The recommendation is to serve web content from one of:
- a dedicated top-level directory (such as /srv) that can easily be mounted separately with its own options (e.g. ro, the read-only fstab option)
- the traditional web content directory, /var/www
Note that any directory can be a separately mounted device, but there are additional considerations: many package managers expect the standard directories to be writable, so a read-only /var/www can break installs or upgrades of packages that ship web content there.
Setup Test Script
Write the below to cgi/test.php, under whichever directory structure you prefer:

    <?php phpinfo(); ?>

phpinfo() prints the full PHP configuration, loaded modules, file paths and environment variables, which is exactly what an attacker wants to read. Use it to confirm the stack works, then delete the file.
Setup User
Linux permissions and restrictions are most easily managed through users, groups, and umasks. The recommendation is to run the web service as a dedicated user and group. Common choices are www-data (Debian and its derivatives, where both Apache and NGINX use it) and http (Arch Linux).
Depending on your distro, these users and groups may already exist. See UserSetup for details on running useradd and groupadd.
The directory and files set up above should be readable by this user, but not writable by it unless a script genuinely needs to write there (for example an upload directory). If the PHP worker user owns the web root, any vulnerability in a script running as that user lets an attacker modify or drop new scripts. A common arrangement is root ownership with read permission for the web group.
Setup Software
At a minimum, we need: php, php-fpm, and nginx. The fcgi and fcgiwrap packages are only needed when plain (non-PHP) CGI scripts are to be served as well, as in the NGINX example below; PHP requests go straight to PHP-FPM's socket and never pass through fcgiwrap.
Common additional tools include:
- apache2-utils (a.k.a. apache-tools, httpd-utils, etc.) for creating .htpasswd files for basic restrictions
PHP
The primary configuration for PHP is found in /etc/php/php.ini. Debian-based distributions instead keep one copy per PHP version and SAPI (e.g. /etc/php/8.2/fpm/php.ini); `php-fpm -i` shows the file the FPM SAPI actually loads, and `php --ini` shows the CLI's, which may be a different file. Some distributions ship two templates:
- php.ini-production, which is the more secure starting point
- php.ini-development, which is more permissive and, via display_errors, prints file paths and stack details into error responses
Start from the former and chuck the latter straight into the bin.
Some key directives to check:

    ; Refuse to run when the PHP CGI binary is invoked directly rather than via the web server
    cgi.force_redirect = On
    ; Disable HTTP file uploads unless the application needs them
    file_uploads = Off
    ; Disable fetching and including remote URLs (remote file inclusion)
    allow_url_fopen = Off
    allow_url_include = Off

Also confirm cgi.fix_pathinfo = 0. With the default of 1, a request for /image.png/x.php makes PHP walk back along the path, find image.png and execute it as PHP, which turns any upload directory into code execution behind NGINX. The pool's security.limit_extensions (below) is the second line of defence against the same trick.
PHP-FPM
PHP-FPM is configured by a system configuration (/etc/php/php-fpm.conf) and by pool configurations (/etc/php/php-fpm.d/*.conf). Debian-based distributions use /etc/php/<version>/fpm/php-fpm.conf and pool.d/*.conf.
For the most part, the system configuration works out of the box:

    ; Pid file
    pid = /run/php-fpm/php-fpm.pid
    ; Error log
    error_log = /var/log/php-fpm.log

The pool configuration will need to be adjusted according to the user that was set up above. Note that `listen` is the unix socket NGINX connects to via fastcgi_pass; it must not be the pid file, and its path must match the NGINX configuration exactly:

    [www]
    ; User/group of the worker processes
    user = www-data
    group = www-data
    ; Unix socket NGINX connects to (distinct from the pid file)
    listen = /run/php-fpm/php-fpm.sock
    ; Ownership and mode of the socket; the NGINX worker user needs read/write
    listen.owner = www-data
    listen.group = www-data
    listen.mode = 0660
    ; Only execute files ending in .php, whatever SCRIPT_FILENAME claims
    ; (plain .cgi scripts go to fcgiwrap, not to this pool)
    security.limit_extensions = .php
    ; Process manager settings; pm and pm.max_children are mandatory or the pool will not start
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    ; Access log
    access.log = /var/log/php-fpm/access.log

Run `php-fpm -t` after editing; it parses both files and reports missing mandatory directives before anything is restarted.
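The php.ini directives and the pool settings above are easy to get wrong silently (a typo in a key, a later line overriding an earlier one, a value left at a permissive default). The following script is an added example, not part of this wiki page or of PHP-FPM itself: it parses php.ini and pool files offline with sed and awk, resolves each directive the way PHP does (last uncommented assignment wins, unset means the PHP default) and reports deviations from the hardening discussed above. The wanted values are this page's recommendations plus cgi.fix_pathinfo = 0; the defaults-when-unset follow the PHP manual; the sample files it writes are constructed for the demo and are not real system files.

```shell
#!/bin/sh
# Added example: offline audit of php.ini and PHP-FPM pool hardening.
# Not taken from the wiki page or from PHP; sample configs are constructed.

# ini_get FILE KEY: effective value of KEY (last uncommented assignment
# wins, as in php.ini), or empty output if KEY is never assigned.
ini_get() {
    sed -e 's/;.*$//' "$1" | awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
          if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v; found = 1 } }
        END { if (found) print val }'
}

# ini_has FILE KEY: succeed if KEY is assigned at all, even to an empty value.
ini_has() {
    sed -e 's/;.*$//' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]*="
}

# ini_bool VALUE: 1 for truthy php.ini values (On, 1, yes, true), 0 for falsy.
ini_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        ""|0|off|false|no|none) echo 0 ;;
        *) echo 1 ;;
    esac
}

# audit_php_ini FILE: print each directive that deviates from the hardened
# value; return 1 if any does. Table columns: key, wanted, PHP default if unset.
audit_php_ini() {
    f=$1; rc=0
    while read -r key want dflt; do
        raw=$(ini_get "$f" "$key")
        if [ -n "$raw" ]; then got=$(ini_bool "$raw"); else got=$dflt; fi
        if [ "$got" != "$want" ]; then
            echo "$f: $key = ${raw:-<unset>} (want $([ "$want" = 1 ] && echo On || echo Off))"
            rc=1
        fi
    done <<'EOF'
cgi.force_redirect 1 1
cgi.fix_pathinfo 0 1
file_uploads 0 1
allow_url_fopen 0 1
allow_url_include 0 0
expose_php 0 1
display_errors 0 1
EOF
    return $rc
}

# audit_fpm_pool FILE: check the pool's worker user, socket and extension
# filter; return 1 on any deviation.
audit_fpm_pool() {
    f=$1; rc=0
    u=$(ini_get "$f" user)
    if [ -z "$u" ] || [ "$u" = root ]; then
        echo "$f: user = ${u:-<unset>}; use a dedicated unprivileged user"; rc=1
    fi
    l=$(ini_get "$f" listen)
    case "$l" in
        /*.sock) ;;
        *) echo "$f: listen = ${l:-<unset>}; expected a unix socket path ending in .sock"; rc=1 ;;
    esac
    m=$(ini_get "$f" listen.mode)
    case "$m" in
        ""|0660|0600|660|600) ;;
        *) echo "$f: listen.mode = $m; expected 0660 or 0600"; rc=1 ;;
    esac
    if ini_has "$f" security.limit_extensions && [ -z "$(ini_get "$f" security.limit_extensions)" ]; then
        echo "$f: security.limit_extensions is empty, so PHP-FPM would execute any file type"; rc=1
    fi
    return $rc
}

# write_samples DIR: constructed sample files for the demo (not real configs).
write_samples() {
    cat > "$1/php.ini-production" <<'EOF'
; constructed sample: the hardened values from this page
cgi.force_redirect = On
cgi.fix_pathinfo = 0
file_uploads = Off
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
display_errors = Off
EOF
    cat > "$1/php.ini-development" <<'EOF'
; constructed sample: development-style values; cgi.fix_pathinfo left at its default of 1
cgi.force_redirect = On
file_uploads = On
allow_url_fopen = On
allow_url_include = Off
expose_php = On
display_errors = On    ; prints paths and stack details into responses
EOF
    cat > "$1/pool-hardened.conf" <<'EOF'
[www]
user = www-data
group = www-data
listen = /run/php-fpm/php-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
security.limit_extensions = .php
pm = dynamic
pm.max_children = 5
EOF
    cat > "$1/pool-weak.conf" <<'EOF'
[www]
user = www-data
group = www-data
; a pid file where the socket path belongs, a world-writable mode, and no extension filter
listen = /run/php-fpm/php-fpm.pid
listen.mode = 0666
security.limit_extensions =
pm = dynamic
pm.max_children = 5
EOF
}

# Demo: audit the constructed samples.
demo=$(mktemp -d)
write_samples "$demo"
for f in php.ini-production php.ini-development; do
    if audit_php_ini "$demo/$f"; then echo "$f: OK"; fi
done
for f in pool-hardened.conf pool-weak.conf; do
    if audit_fpm_pool "$demo/$f"; then echo "$f: OK"; fi
done
rm -rf "$demo"
```

Point audit_php_ini at the file `php-fpm -i` reports as loaded, not at the CLI's php.ini, and run audit_fpm_pool over every file in the pool directory; a second pool with a permissive listen.mode is as exposed as the first.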
FastCGI and FCGIWrap
FastCGI takes a large number of parameters within NGINX configurations, so it is commonly 'configured' with /etc/nginx/fastcgi_params, which maps request data (REQUEST_METHOD, QUERY_STRING, DOCUMENT_ROOT, the HTTP headers and so on) onto FastCGI variables. This file is shipped by the nginx package and works as-is, with one caveat: the upstream fastcgi_params does not set SCRIPT_FILENAME (the separate fastcgi.conf does), so each location that proxies to a FastCGI server must set it explicitly, as the NGINX example below does.
fcgiwrap is a small FastCGI server that wraps traditional CGI programs: NGINX speaks FastCGI to fcgiwrap over a unix socket, and fcgiwrap executes the CGI script named in SCRIPT_FILENAME, passing the other variables through as CGI environment. It runs without configuration, usually as a socket-activated systemd unit; check the socket path your distribution uses and match it in fastcgi_pass.
NGINX
For more details on NGINX configuration, see this walkthrough. A basic configuration that serves static files, hands *.php to PHP-FPM, and routes everything else to a CGI catch-all via fcgiwrap would be:

    user www-data www-data;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        gzip on;

        server {
            listen 80;
            server_name example.com;
            access_log /var/log/nginx/example.com/access.log;
            error_log /var/log/nginx/example.com/error.log;
            root /var/www;

            # PHP: hand *.php to PHP-FPM over its unix socket
            location ~ \.php$ {
                # 404 if the file does not exist instead of passing the path to PHP-FPM
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
                fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
            }

            # Everything else: serve the file if it exists, otherwise run the CGI catch-all
            try_files $uri @cgi;

            location @cgi {
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $realpath_root/my-cgi-script.cgi;
                fastcgi_param PATH_INFO $uri;
                fastcgi_param QUERY_STRING $args;
                fastcgi_param HTTP_HOST $server_name;
                fastcgi_pass unix:/run/fcgiwrap.sock;
            }
        }
    }

The `location ~ \.php$` block is what actually reaches PHP-FPM; without it, `try_files $uri` would serve test.php as a static file and disclose its source. Its `try_files $uri =404` stops requests such as /image.png/x.php from reaching PHP-FPM at all, so cgi.fix_pathinfo never gets the chance to resolve them to the image. The `fastcgi_pass` socket path must match `listen` in the pool configuration, the `user` directive must match the pool's listen.owner/listen.group, and `events {}` is required even if empty. Run `nginx -t` after editing to validate the syntax before reloading.
Startup