While configuring this very server I kept in mind that I would want to host multiple sites on it. I wanted to be able to configure PHP settings on a per site basis instead of modifying the global PHP configuration for the entire server. I also wanted to make sure that every site/user had its own permissions and thus wasn’t able to screw things up on my server in case of a successful break-in attempt. And of course I also kept the performance of my server in mind.
Therefore I chose PHP-FPM (over mod_php), which I configured with an application pool per site that has its own configuration file and handler. Just follow the next steps if you would like to duplicate my configuration.
First of all we install the required packages
~$ apt-get install apache2-mpm-worker libapache2-mod-fastcgi php5-fpm
and enable the needed Apache modules.
~$ a2enmod actions alias fastcgi
Now we have to create the configuration file /etc/apache2/conf.d/php5-fpm with the following content:
# Configure everything needed to use PHP-FPM as FastCGI

# Set handlers for PHP files.
# application/x-httpd-php                        phtml pht php
# application/x-httpd-php3                       php3
# application/x-httpd-php4                       php4
# application/x-httpd-php5                       php
<FilesMatch ".+\.ph(p?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
# application/x-httpd-php-source                 phps
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
    # Deny access to raw php sources by default
    # To re-enable it is recommended to enable access to the files
    # only in specific virtual host or directory
    Order Deny,Allow
    Deny from all
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(p?|t|tml|ps)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Define Action and Alias needed for FastCGI external server.
Action application/x-httpd-php /fcgi-bin/php5-fpm virtual
Alias /fcgi-bin/php5-fpm /fcgi-bin-php5-fpm
<Location /fcgi-bin/php5-fpm>
    # here we prevent direct access to this Location url,
    # env=REDIRECT_STATUS will let us use this fcgi-bin url
    # only after an internal redirect (by Action upper)
    Order Deny,Allow
    Deny from All
    Allow from env=REDIRECT_STATUS
</Location>
FastCgiExternalServer /fcgi-bin-php5-fpm -socket /var/run/php5-fpm.sock -pass-header Authorization
A handler will be set for every PHP file and for every handler a virtual Action is defined. Virtual means that there will be no check that the file exists.
The Alias exists because we will need it to run PHP-FPM as a user other than the default www-data: each virtual host can override it to point at its own pool.
Separate configuration per user
Let’s start by creating a new user and adding www-data into its group. Then create the home dir for this user, correct the permissions and link the new home dir to this user.
~$ adduser --disabled-login dimitri
~$ adduser www-data dimitri
~$ mkdir /var/www/dimitrieu
~$ chown -R dimitri:dimitri /var/www/dimitrieu
~$ chmod 750 /var/www/dimitrieu
We can now create the PHP-FPM configuration file for this user. Just copy the default file /etc/php5/fpm/pool.d/www.conf to /etc/php5/fpm/pool.d/dimitri.conf and modify the following lines.
; Start a new pool named 'dimitri'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('dimitri' here)
[dimitri]

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user group
;       will be used.
user = dimitri
group = dimitri

; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses on a
;                            specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /var/run/php5-fpm-dimitri.sock
Now restart PHP-FPM
~$ /etc/init.d/php5-fpm restart
and verify if the new PHP-FPM instances are running.
~$ ps -efH | grep php-fpm
root     30258 30162  0 12:01 pts/0    00:00:00 grep php-fpm
root     10409     1  0 Sep27 ?        00:00:22 php-fpm: master process (/etc/php5/fpm/php-fpm.conf)
www-data 10415 10409  0 Sep27 ?        00:00:00 php-fpm: pool www
www-data 10416 10409  0 Sep27 ?        00:00:00 php-fpm: pool www
1000     18944 10409  0 Oct07 ?        00:02:13 php-fpm: pool dimitri
1000     18995 10409  0 Oct07 ?        00:02:03 php-fpm: pool dimitri
1000     19142 10409  0 Oct07 ?        00:01:38 php-fpm: pool dimitri
We can now modify our Apache vhost for this site (/etc/apache2/sites-enabled/dimitrieu)
# Assumed: listen address *:80 and the Directory path (same as DocumentRoot)
<VirtualHost *:80>
    ServerAdmin firstname.lastname@example.org
    ServerName dimitri.eu
    ServerAlias www.dimitri.eu

    DocumentRoot /var/www/dimitrieu/public_html
    <Directory /var/www/dimitrieu/public_html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

    Alias /fcgi-bin/php5-fpm /fcgi-bin-php5-fpm-dimitri
    FastCgiExternalServer /fcgi-bin-php5-fpm-dimitri -socket /var/run/php5-fpm-dimitri.sock -pass-header Authorization

    ErrorLog /var/log/apache2/dimitrieu/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/dimitrieu/access.log combined
</VirtualHost>
and restart Apache.
~$ /etc/init.d/apache2 restart
We’re done, just create a test.php script in the document root for this site to verify the correct PHP-FPM user. Be aware that the test.php script should have the correct ownership on the server.
<?php
system('whoami');
phpinfo();
?>
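The following Python script, added here and not part of the original post, cross-checks PHP-FPM pool files against the Apache vhosts: it reports pools that share a user or a socket, and vhosts whose -socket path no pool listens on. The 'shop' site and its misspelled socket path are constructed sample input.

```python
import re
from collections import defaultdict

def parse_pools(text):
    """Return {pool: {directive: value}} from PHP-FPM pool configuration text."""
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        section = re.fullmatch(r"\[([^\]]+)\]", line)
        if section:
            current = pools.setdefault(section.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return pools

def vhost_sockets(text):
    """Return the -socket path of every FastCgiExternalServer directive."""
    return re.findall(r"^\s*FastCgiExternalServer\s+\S+.*?-socket\s+(\S+)", text, re.M)

def audit(pools, vhosts):
    """List everything that breaks the one-user, one-socket-per-site layout."""
    findings = []
    for directive in ("user", "listen"):
        seen = defaultdict(list)
        for name, conf in pools.items():
            seen[conf.get(directive)].append(name)
        findings += [f"pools {', '.join(sorted(n))} share {directive} {v}"
                     for v, n in seen.items() if len(n) > 1]
    listening = {conf.get("listen") for conf in pools.values()}
    for site, text in vhosts.items():
        findings += [f"vhost {site} points at {s} but no pool listens there"
                     for s in vhost_sockets(text) if s not in listening]
    return findings

# Constructed sample input: the post's 'dimitri' pool plus a hypothetical 'shop' site.
SAMPLE_POOLS = parse_pools("""
[dimitri]
user = dimitri   ; per-site account
listen = /var/run/php5-fpm-dimitri.sock
[shop]
user = dimitri
listen = /var/run/php5-fpm-shop.sock
""")
SAMPLE_VHOSTS = {
    "dimitrieu": "FastCgiExternalServer /fcgi-bin-php5-fpm-dimitri -socket /var/run/php5-fpm-dimitri.sock",
    "shop": "FastCgiExternalServer /fcgi-bin-php5-fpm-shop -socket /var/run/php5-fpm-shopp.sock",
}
SAMPLE_FINDINGS = audit(SAMPLE_POOLS, SAMPLE_VHOSTS)
```

On a real server, feed it the contents of /etc/php5/fpm/pool.d/*.conf and the vhost files; an empty result means every site has its own user and a socket that a pool actually serves.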