User:Fordprefect/php-fpm

From ArchWiki
Jump to: navigation, search

The PHP FastCGI Process Manager is a fast fcgi implementation for php and can be used with all webservers supporting fcgi.

Installation

Install php-fpm from the official Repositories

Configuration

The main configuration file is found in /etc/php/php-fpm.conf.

Simple Setup

/etc/php/php-fpm.conf
[global]
pid = /run/php-fpm/php-fpm.pid
error_log = /var/log/php-fpm/php-fpm.log
; global maximum number of processes
process.max = 128
events.mechanism = epoll

; configure standard pool
[www]

; user and group used to execute the scripts in that pool
user = http
group = http

; socket to listen on
listen = /run/php-fpm/php-fpm.sock

; mode of the socket (must be accessable for the webserver)
listen.owner = http
listen.group = http
listen.mode = 0660

; configuration of worker threads
pm = dynamic
pm.max_children = 9
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; limit executing files to respective extension
; add other extensions if needed (e.g. .php5 etc)
security.limit_extensions = .php

; configure environment
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

Using pools for site isolation

To minimize risks from security breaches in PHP software, one can isolate different sites (domains, even subdomains) in different PHP-FPM pools. While this has a little performance cost, it increases security greatly. To avoid a long config file, it it split up in individual files in /etc/php/php-fpm.d. Configure global options as follows:

/etc/php/php-fpm.conf
; includes pool configs
include = /etc/php/fpm.d/*.conf

[global]
pid = /run/php-fpm/php-fpm.pid
error_log = /var/log/php-fpm/php-fpm.log
; global maximum number of processes
process.max = 128
events.mechanism = epoll

Then for each pool add a config file like

/etc/php/php-fpm.d/pool1.conf
[pool1]
; restricted user and group
user = php-pool1
group = php-pool1

; path to socket
listen = /run/php-fpm/php-fpm-pool1.sock

; mode of the socket (must be accessable for the webserver)
listen.owner = http
listen.group = http
listen.mode = 0660

; configuration of worker threads
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; limit executing files to respective extension
; add other extensions if needed (e.g. .php5 etc)
security.limit_extensions = .php

; configure environment
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

; to limit the capabilities, one can disable functions
php_admin_value[disable_functions] = exec,passthru,shell_exec,system

; disable download from remote objects
php_admin_flag[allow_url_fopen] = off

Change pool1 to your desired name. The last 2 options disable functionalities (change this according to your needs!) to reduce the possible harming actions of an attacker.

Make sure the global process number in /etc/php/php-fpm.conf does match the number needed by your pools.