Differences between revisions 3 and 4
Revision 3 as of 2020-01-20 07:14:05
Size: 4139
Revision 4 as of 2020-07-11 14:19:06
Size: 4184
Line 1: Line 1:
= FastCGI = = PHP-FPM Setup =
Line 3: Line 3:
'''FastCGI''' is a PHP implementation of the Common Gateway Interface (CGI). It works especially well with [[NGINXSetup|NGINX]]. '''PHP-FPM''' is a PHP implementation of the FastCGI, an enhancement of the earlier Common Gateway Interface (CGI). It works especially well with [[NGINXSetup|NGINX]].
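Review bot: the added sentence on line 3 keeps a stray article in "a PHP implementation of the FastCGI"; it should read "a PHP implementation of FastCGI". The trailing "It works especially well with [[NGINXSetup|NGINX]]" was written when the subject was FastCGI, so confirm it is still the intended claim now that the subject is PHP-FPM.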

PHP-FPM Setup

PHP-FPM is a PHP implementation of FastCGI, an enhancement of the earlier Common Gateway Interface (CGI). It works especially well with NGINX.


Setup Directory

The recommendation is to serve web content from either:

  • a dedicated top-level directory (such as /srv) that can easily be mounted separately with special settings (i.e. ro, the read-only fstab option)

  • the traditional web content directory, /var/www

Note that any directory can be a mounted device, but there are additional considerations. Many package managers expect standard directories to be writable.

Setup Test Script

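Write the following to cgi/test.php, under whichever directory structure you prefer. phpinfo() prints the full PHP configuration and environment, so remove the script once the setup has been verified.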

<?php phpinfo(); ?>


Setup User

Linux permissions and restrictions are most easily managed through users, groups, and umasks. The recommendation is to set a specific user and group for the web service. The common options are www-data (Apache) and http (PHP).

Depending on your distro, these users and groups may already be created. See details on running useradd and groupadd in UserSetup.

The directory and files set up above should be owned by this user.


Setup Software

At a minimum, we need: php, php-fpm, fcgi, fcgiwrap, and nginx.

Common additional tools include:

  • apache2-utils (a.k.a. apache-tools, httpd-utils, etc.) for creating .htpasswd files for basic restrictions

PHP

The primary configuration for PHP is found in /etc/php/php.ini. Some distributions carry two versions:

  • php.ini-production which is more secure

  • php.ini-development which is more backwards-compatible, and includes sensitive details in debugging messages

Chuck the latter straight into the bin.

Some key directives to check:

; Block calls from crafted URLs (i.e., `example.com/something-malicious.php`)
cgi.force_redirect = On

; Disable HTTP file uploads
file_uploads = Off

; Disable remote data retrieval
allow_url_fopen = Off
allow_url_include = Off

PHP-FPM

PHP-FPM is configured by a system configuration (/etc/php/php-fpm.conf) and by pool configurations (/etc/php/php-fpm.d/*.conf).

For the most part, the system configuration works out of the box.

; Pid file
pid = /run/php-fpm/php-fpm.pid

; Error log
error_log = /var/log/php-fpm.log

The pool configuration will need to be adjusted according to the user that was set up above.

; User/group of processes
user = www-data
group = www-data

; Socket file (must not reuse the pid file path from the system configuration)
listen = /run/php-fpm/php-fpm.sock

; User/group of sockets
listen.owner = www-data
listen.group = www-data

; Restrictions on file extensions
security.limit_extensions = .cgi .php

; Access log
access.log = /var/log/php-fpm/access.log
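
One way to check the php.ini directives and the pool's security.limit_extensions setting listed above. This is an added example, not part of the original page; the function names and sample inputs are constructed for illustration. Directives missing from php.ini are evaluated against PHP's built-in defaults.

```python
# Added example: audit php.ini and a PHP-FPM pool file against this page's settings.
RULES = {  # directive: (PHP's built-in default, value recommended on this page)
    "cgi.force_redirect": ("1", True),
    "file_uploads": ("1", False),
    "allow_url_fopen": ("1", False),
    "allow_url_include": ("0", False),
}
ALLOWED_EXTENSIONS = {".cgi", ".php"}  # from security.limit_extensions above

def parse_ini(text):
    """Return {directive: value}; ';' starts a comment, later lines override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def is_on(value):
    """Interpret a php.ini boolean: On/True/Yes or a non-zero integer."""
    v = value.lower()
    if v in ("on", "true", "yes"):
        return True
    try:
        return int(v) != 0
    except ValueError:
        return False

def audit_php_ini(text):
    """List directives whose effective value differs from the recommendation."""
    found = parse_ini(text)
    return sorted(name for name, (default, wanted) in RULES.items()
                  if is_on(found.get(name, default)) != wanted)

def audit_pool(text):
    """Return extensions the pool may execute beyond the allow-list ('*' if unrestricted)."""
    value = parse_ini(text).get("security.limit_extensions", ".php")  # FPM default
    extensions = set(value.split())
    return ["*"] if not extensions else sorted(extensions - ALLOWED_EXTENSIONS)

# Constructed samples: uploads left on, allow_url_fopen omitted, extra pool extension.
SAMPLE_INI = "[PHP]\ncgi.force_redirect = On\nfile_uploads = On ; left enabled\nallow_url_include = Off\n"
SAMPLE_POOL = "[www]\nsecurity.limit_extensions = .php .phtml\n"

if __name__ == "__main__":
    print("php.ini deviations:", audit_php_ini(SAMPLE_INI))
    print("extra pool extensions:", audit_pool(SAMPLE_POOL))
```

An omitted allow_url_fopen is reported because PHP enables it by default, and an empty security.limit_extensions is reported as `*` because PHP-FPM then accepts any extension.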

FastCGI and FCGIWrap

FastCGI takes a large number of parameters within NGINX configurations, so it is commonly 'configured' with /etc/nginx/fastcgi_params. This file should be created by default and should work by default.

FCGIWrap is, as the name implies, a wrapper around FastCGI. It will work without configuration.

NGINX

For more details on NGINX configuration, see this walkthrough. A basic configuration for FastCGI would be:

user www-data www-data;

# NGINX will not start without an events section
events {}

http {
  include mime.types;
  # Fallback type for files with no match in mime.types
  default_type application/octet-stream;

  sendfile on;
  keepalive_timeout 65;
  gzip on;

  server {
    listen 80;
    server_name example.com;
    access_log /var/log/nginx/example.com/access.log;
    error_log /var/log/nginx/example.com/error.log;

    root /var/www;
    # Serve static files directly; everything else goes to the CGI script
    try_files $uri @cgi;

    location @cgi {
      include fastcgi_params;
      # Fixed script path, so the request URI never selects the file that is executed
      fastcgi_param SCRIPT_FILENAME $realpath_root/my-cgi-script.cgi;
      fastcgi_param PATH_INFO $uri;
      fastcgi_param QUERY_STRING $args;
      fastcgi_param HTTP_HOST $server_name;
      fastcgi_pass unix:/run/fcgiwrap.sock;
    }
  }
}


Startup


Maintenance



PHP/FPM (last edited 2023-05-25 17:00:50 by DominicRicottone)