How to use the PHP-FPM port

July 06, 2017

PHP-FPM can listen on multiple sockets, and each one can be either a Unix socket or a TCP socket. See how this works and how to ensure Nginx is properly sending requests to PHP-FPM.

### Default Configuration

Edit the PHP-FPM configuration:

```
# Configure PHP-FPM default resource pool
sudo vim /etc/php5/fpm/pool.d/www.conf
```

PHP-FPM Listen configuration:

```
; Stuff omitted
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
```

Also edit the Nginx configuration and see where it is sending requests to PHP-FPM:

```
# File: /etc/nginx/sites-available/default

# ... stuff omitted

location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
}
```

We can see above that Nginx is sending requests to PHP-FPM via a unix socket (faux file) at /var/run/php5-fpm.sock. This is also where the www.conf file is setting PHP-FPM to listen for connections.

### Unix Sockets

These are secure in that they are file-based and can't be read by remote servers. We can further use Linux permissions to set who can read and write to this socket file.

Nginx is run as user/group www-data. PHP-FPM's unix socket therefore needs to be readable/writable by this user.

If we change the Unix socket owner to user/group ubuntu, Nginx will then return a bad gateway error, as it can no longer communicate with the socket file. We would have to change Nginx to run as user "ubuntu" as well, or set the socket file to allow "other" (neither the owning user nor the group) to read and write to it, which is insecure.

```
; Stuff omitted
listen = /var/run/php5-fpm.sock
listen.owner = ubuntu
listen.group = ubuntu
```

So, file permissions are the security mechanism for PHP-FPM when using a Unix socket. The faux file's user/group and its user/group/other permissions determine which local users and processes can read and write to the PHP-FPM socket.

### TCP Sockets

Setting the listen directive to a TCP socket (IP address and port) makes PHP-FPM listen over the network rather than on a Unix socket. This makes PHP-FPM reachable by remote servers (or still locally over the localhost network).

Change the listen directive to listen = 127.0.0.1:9000 to make PHP-FPM listen on the localhost network. For security, we can use listen.allowed_clients rather than setting the owner/group of the socket.

PHP-FPM:

```
; Listen on localhost port 9000
listen = 127.0.0.1:9000
; Ensure only localhost can connect to PHP-FPM
listen.allowed_clients = 127.0.0.1
```

Nginx:

```
# File: /etc/nginx/sites-available/default

# ... stuff omitted

location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass 127.0.0.1:9000;
}
```
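The two access-control models above (file permissions for a Unix socket, bind address plus listen.allowed_clients for a TCP socket) can be checked mechanically. The following Python script is an added example, not code from the original article: it parses a pool file and reports listeners that are exposed more widely than the text recommends. The sample pool text and the function names are constructed for illustration, and the fallback listen.mode of 0660 is PHP-FPM's documented default.

```python
import ipaddress

# Constructed sample pool file (not from the page): a bare port binds every address.
SAMPLE_POOL = """\
[www]
; Stuff omitted
listen = 9000
listen.owner = www-data
listen.group = www-data
"""

def parse_pool(text):
    """Return the pool's directives as a dict; ';' starts a comment, last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_loopback(host):
    """True only when host is a literal loopback IP address."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # empty (port-only listen) or a hostname: not provably local
        return False

def audit_listen(conf):
    """Return a list of findings about how the pool's listener is exposed."""
    findings = []
    listen = conf.get("listen", "")
    if listen.startswith("/"):
        # Unix socket: the file's permission bits are the access control.
        mode = int(conf.get("listen.mode", "0660"), 8)
        if mode & 0o006:
            findings.append("unix socket is accessible to 'other' (listen.mode %04o)" % mode)
        return findings
    # TCP socket: 'port' alone means all addresses, otherwise 'address:port'.
    host = listen.rpartition(":")[0].strip("[]")
    if not is_loopback(host):
        findings.append("TCP listener %r is reachable from the network" % listen)
    if "listen.allowed_clients" not in conf:
        findings.append("listen.allowed_clients is not set; any client address is accepted")
    return findings

if __name__ == "__main__":
    for finding in audit_listen(parse_pool(SAMPLE_POOL)):
        print("WARNING:", finding)
```
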

This works with WordPress 5.1.1 and newer together with PHP 7.3, FastCGI, proxy, and also MariaDB / MySQL. Checked twice on my server. Works like a charm.

First, on CentOS / Fedora / Red Hat:

```
sudo yum remove 'php*'
sudo yum --enablerepo=extras install epel-release
sudo yum install php-fpm php-mysql php-gd php-imap php-mbstring
sudo grep -E '(proxy.so|fcgi)' /etc/httpd/conf.modules.d/00-proxy.conf
sudo mv /etc/httpd/conf.d/php.conf /etc/httpd/conf.d/php.conf_bak
```

Edit this file:

```
sudo nano /etc/php-fpm.d/www.conf
```

Paste this:

```
[www]
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses on a
;                            specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = 127.0.0.1:9000
listen = /run/php-fcgi.sock
```

```
sudo ls -l /run/php-fcgi.sock
```

It should show srw-rw-rw-.

Or how to set it up on Debian / Ubuntu

Tutorial:

Source: //emi.is/?page=articles&article=php-7-installation-and-configuration-for-apache-2.4-using-php-fpm-(debian ,-- repository)

```
sudo apt purge 'php*'
# or
sudo apt-get purge 'php*'
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt install php7.3 php7.3-fpm php-mysql php-mbstring php-gd php-imap libapache2-mod-security2 modsecurity-crs
systemctl status php7.3-fpm
sudo systemctl stop php7.3-fpm.service
sudo a2dismod php7.0 php7.1 php7.2 mpm_event mpm_worker
sudo a2enmod mpm_prefork
sudo a2enmod php7.3
sudo systemctl restart apache2   # (httpd in CentOS)
```

The problem is that PHP 7.3 from Ondrej's repo only works with mpm_prefork mode. He has a git repo, so you can find it on the internet and ask him whether he will build PHP 7.3 for mpm_worker and mpm_event. The rest of the configuration for Debian-family distros is below:

```
sudo apt --assume-yes install php7.3-fpm
sudo systemctl stop php7.3-fpm.service
sudo rm /var/log/php7.0-fpm.log
sudo mkdir /var/log/php7.3-fpm/
sudo touch /var/log/php7.3-fpm/error.log
sudo mkdir /var/log/php7.3/
sudo touch /var/log/php7.3/error.log
sudo mkdir /var/tmp/php7.3/
# Empty the two stock configuration files (a bare "sudo > file" does not redirect as root)
sudo truncate --size 0 /etc/php/7.3/fpm/php.ini
sudo truncate --size 0 /etc/php/7.3/fpm/php-fpm.conf
sudo rm /etc/php/7.3/fpm/pool.d/www.conf
sudo touch /etc/php/7.3/fpm/pool.d/example.com.conf
sudo useradd --comment "PHP" --shell "/usr/sbin/nologin" --system --user-group php
sudo nano /etc/php/7.3/fpm/php.ini
```

Paste:

```
[PHP]
date.timezone = Europe/Prague
display_errors = Off
error_log = /var/log/php7.3/error.log
error_reporting = 32767
log_errors = On
register_argc_argv = Off
session.gc_probability = 0
short_open_tag = Off
upload_tmp_dir = /var/tmp/php7.3/
```

```
sudo nano /etc/php/7.3/fpm/php-fpm.conf
```

Paste:

```
[global]
error_log = /var/log/php7.3-fpm/error.log
include = /etc/php/7.3/fpm/pool.d/*.conf
```

```
sudo nano /etc/php/7.3/fpm/pool.d/example.com.conf
```

Paste:

```
[example.com]
group = php
listen = 127.0.0.1:9000
pm = ondemand
pm.max_children = 5
pm.max_requests = 200
pm.process_idle_timeout = 10s
user = php
```

```
sudo nano /etc/logrotate.d/php7.3-fpm
```

Copy this into a text file:

```
/var/log/php7.3-fpm.log {
    rotate 12
    weekly
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        /usr/lib/php/php7.3-fpm-reopenlogs
    endscript
}
```

Delete it and paste this in place of the above:

```
/var/log/php7.3/*.log /var/log/php7.3-fpm/*.log {
    copytruncate
    maxage 365
    missingok
    monthly
    notifempty
    rotate 12
}
```

Add the directives:

```
sudo nano /etc/apache2/sites-available/example.com.conf
```

```
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    # ServerAdmin (the address is missing in the source)
    DocumentRoot /var/www/html/example.com/public_html
    DirectoryIndex index.php index.htm index.html index.xht index.xhtml
    LogLevel info warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
    <files readme.html>
        order allow,deny
        deny from all
    </files>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ //%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/example.com/public_html
    <Directory /var/www/html/example.com/public_html>
        Options Indexes FollowSymLinks Includes IncludesNOEXEC SymLinksIfOwnerMatch
        AllowOverride None
    </Directory>
</VirtualHost>
```

Then enable the site:

```
sudo a2ensite example.com.conf
```

Next, edit the SSL site (in this case certbot from Let's Encrypt was installed and configured earlier, at the start of the SSL certificate setup).

```
sudo nano /etc/apache2/sites-available/example.com-le-ssl.conf
```

```
<IfModule mod_ssl.c>
    # Headers for security against man-in-the-middle attacks; find how to enable this mod in Google
    LoadModule headers_module modules/mod_headers.so
    <VirtualHost *:443>
        Header always set Strict-Transport-Security "max-age=15768000"
        SSLEngine On
        ServerName example.com
        # ServerAdmin (the address is missing in the source)
        DocumentRoot /var/www/html/example.com/public_html
        <Directory /var/www/html/example.com/public_html>
            Options Indexes FollowSymLinks Includes IncludesNOEXEC SymLinksIfOwnerMatch
            AllowOverride All
            Require all granted
            DirectoryIndex index.php
            RewriteEngine On
            <FilesMatch ^/(.*\.php(/.*)?)$>
                SetHandler "fcgi://example.com:9000/var/www/html/example.com/public_html"
            </FilesMatch>
        </Directory>
        # Log file locations
        #LogLevel info ssl:warn
        LogLevel debug
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # modern configuration
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        #SSLCipherSuite HIGH:!aNULL:!MD5
        # (the next line is cut off in the source)
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM$
        SSLHonorCipherOrder on
        SSLCompression off
        SSLSessionTickets off
        <FilesMatch "^\.ht">
            Require all denied
        </FilesMatch>
        <files readme.html>
            order allow,deny
            deny from all
        </files>
    </VirtualHost>
    # Stapling OCSP for Let's Encrypt certs.
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>
```

```
sudo a2enmod proxy proxy_fcgi setenvif
sudo systemctl reload apache2.service
sudo chown --recursive root:adm /etc/php/
sudo chmod --recursive 0770 /etc/php/
sudo chown --recursive php:adm /var/log/php7.3/
sudo chown --recursive php:adm /var/log/php7.3-fpm/
sudo chmod --recursive 0770 /var/log/php7.3/
sudo chmod --recursive 0770 /var/log/php7.3-fpm/
sudo chown --recursive php:php /var/tmp/php7.3/
sudo chmod --recursive 0770 /var/tmp/php7.3/
sudo a2enconf php7.3-fpm
sudo systemctl enable php7.3-fpm.service
sudo systemctl start php7.3-fpm.service
```

Remember to add port 9000 to the firewall on Debian / Ubuntu:

```
sudo ufw allow 9000/tcp
sudo ufw status
```

On CentOS / Fedora / Red Hat:

```
sudo firewall-cmd --zone=public --add-port=9000/tcp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
sudo firewall-cmd --state
```
