Friday, August 3, 2012

how configure php-fpm 5.x and apache 2.4.x for virtualmin on centos 6, debian 6


Apache 2.4.x series introduce mod_proxy_fcgi which allows apache to communicate php-fpm directly over TCP/IP. Now consider your server running the latest high-performance version of apache and php-fpm ! What's your idea ? I can just say 'That is awesome!'
I've integrated this into virtualmin for automatically creating/removing fpm pools. Here's the guide which applies to both centos and debian servers :

1- Install latest version of php-fpm using remi or dotdeb repository.

** Apache 2.4 is shipped with Centos 7.x or Debian 8.x so you can use these default packages instead **

2- Compile latest version of apache 2.4.x from source :
- Install pcre development package :
(yum install pcre-devel) or (apt-get install libpcre3-dev)

cd /usr/src
mv apr-1.5.2 /usr/src/httpd-2.4.25/srclib/apr
mv apr-util-1.5.4 /usr/src/httpd-2.4.25/srclib/apr-util
cd httpd-2.4.25
./configure --prefix=/opt/apache2 --with-mpm=event --enable-rewrite --enable-ssl --enable-proxy-fcgi --with-included-apr
chown -R nobody /usr/src
sudo -u nobody make
make install
 
You can use my simple init startup script for centos or debian.(End of the article) enable it at boot startup :
cd /etc/init.d
(SEE END OF THIS ARTICLE, SAVE THE INIT FILE AS httpd24)
(service httpd stop OR service apache2 stop)
(chkconfig httpd off OR chkconfig apache2 off)
chmod a+x httpd24
chkconfig httpd24 on

- Now edit /opt/apache2/conf/httpd.conf, comment the following lines :
#<Directory />
#    AllowOverride none
#    Require all denied
#</Directory>

- comment out the following lines :
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule rewrite_module modules/mod_rewrite.so 
LoadModule actions_module modules/mod_actions.so
- Enable expires and deflate modules for more performance :
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
- Alter User and Group line to appropriate user and group.
( www-data for debian, apache for centos )
- Add mod_expires and mod_deflate configurations to the end of httpd.conf file :
<IfModule mod_expires.c>
# Enable expirations
ExpiresActive On
# Default directive
# ExpiresDefault "access plus 15 days"
# My favicon
ExpiresByType image/x-icon "access plus 15 days.
# Images
ExpiresByType image/gif "access plus 15 days"
ExpiresByType image/png "access plus 15 days"
ExpiresByType image/jpg "access plus 15 days"
ExpiresByType image/jpeg "access plus 15 days"
# CSS
ExpiresByType text/css "access 15 days.
# Javascript
ExpiresByType application/javascript "access plus 15 days"
</IfModule>

<IfModule deflate_module>
<Location />
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png|swf)$ no-gzip dont-vary
</Location>

</IfModule> 

NOTE: make sure that you have proxy and proxy_fcgi modules enabled in your apache config file, check your httpd.conf in Centos or run the following commands in Debian:
a2enmod proxy
a2enmod proxy_fcgi

3- Configure virtualmin to use the new installed apache2 :
Virtualmin -> Webmin -> Servers -> Apache webserver -> Module config -> System configuration :
root:/opt/apache2
executable:/opt/apache2/bin/httpd
apachectl:/opt/apache2/bin/apachectl
command to start:/etc/init.d/httpd24 start
command to stop: /etc/init.d/httpd24 stop
apply configuration:/opt/apache2/bin/apachectl graceful
apache pid file:/opt/apache2/logs/httpd.pid 

 4- Integrate php-fpm to virutalmin :
Virtualmin -> System Settings -> Server Templates -> Default Settings -> Apache website
Add the following line after DirectoryIndex line of the 'Directives and settings for new websites' section :
<FilesMatch "\.php$">
    SetHandler "proxy:fcgi://localhost:
${UID}/"
</FilesMatch>
Alter the following settings to and save the configuration :
Automatically add appropriate SuExec directive? : No
Default PHP execution mode : mod_php

And Also do the same for sub-server templates :
Virtualmin -> System Settings -> Server Templates -> Sub-servers -> Apache website
Set the Directives and settings for new websites to From default settings

Download my php-fpm script folder for virtualmin (See end of the article) :
mkdir /script
cd /script
(SEE END OF THE ARTICLE, SAVE FILE AS php-fpm)
chmod a+x php-fpm
Now enable the script :
Virtualmin -> System Settings ->  Virtualmin Configuration -> Actions upon server and user creation
Command to run after making changes to a server : /script/php-fpm
Always show output from pre and post commands? : Yes
5- Apply configuration for you existing domains :

virtualmin disable-feature --web --virtualmin-awstats --logrotate --webalizer --all-domains
virtualmin enable-feature --web --virtualmin-awstats --logrotate --webalizer --all-domains
Enable Subdomains :
virtualmin enable-feature --web --all-domains
I've removed some of the virtualmin feature which I didn't use ( dav, mailman, ... ). You may need to compile some extra apache modules.

6 - Fixing Script installer issue :
Script installer didn't detect php version unless you compile and install mod_php for httpd :
cd /usr/src
yum install -y libxml2-devel
wget http://us2.php.net/get/php-5.4.31.tar.bz2/from/this/mirror
tar -jxf php-5.4.21.tar.bz2
cd php-5.4.21
./configure --prefix=/usr --with-apxs2=/opt/apache2/bin/apxs
make
cp libs/libphp5.so /opt/apache2/modules

Add the following lines to /opt/apache2/conf/httpd.conf, after LoadModules section (~ Line 158)
<IfModule prefork.c>
  LoadModule php5_module modules/libphp5.so
</IfModule>

And also :
Virtualmin -> Webmin -> Servers -> Apache webserver -> Module config :
Always detect Apache modules automatically? : YES
Note: Virtualmin adds NameVirtualHost directive to httpd.conf file which is not needed anymore. You might remove the line manually.

It's all ! Now you've run an AWESOME config on your server, enjoy it !

Mos

-----
Attachments
-----
httpd24 startup script for CentOS (save it as /etc/init.d/httpd24):

#!/bin/bash
#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# pidfile: /opt/apache2/logs/httpd.pid
# config: /opt/apache2/conf/httpd.conf


fullpath=/opt/apache2/bin/apachectl

desc="Apache web server"

case "$1" in
'start')
echo "Starting $desc: "
$fullpath start
RETVAL=$?
        ;;
'stop')
echo "Stopping $desc: "
$fullpath stop
        RETVAL=$?
        ;;
'restart')
echo "Restarting $desc: "
$fullpath restart
        RETVAL=$?
;;
'status')
echo "Status of $desc: "
$fullpath --status-all
RETVAL=$?
        ;;
*)
        echo "Usage: $0 { start|stop|restart|status }"
        RETVAL=1
        ;;
esac

exit $RETVAL

httpd24 startup script for Debian (save it as /etc/init.d/httpd24):

#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          httpd
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start/stop httpd web server
### END INIT INFO
#
# httpd This init.d script is used to start apache2.
# It basically just calls apache2ctl.

fullpath=/opt/apache2/bin/apachectl

desc="Apache web server"

case "$1" in
'start')
echo "Starting $desc: "
$fullpath start
RETVAL=$?
        ;;
'stop')
echo "Stopping $desc: "
$fullpath stop
        RETVAL=$?
        ;;
'restart')
echo "Restarting $desc: "
$fullpath restart
        RETVAL=$?
;;
'status')
echo "Status of $desc: "
$fullpath --status-all
RETVAL=$?
        ;;
*)
        echo "Usage: $0 { start|stop|restart|status }"
        RETVAL=1
        ;;
esac

exit $RETVAL

php-fpm Script for virtualmin (save it as /script/php-fpm):

#!/bin/bash
# Script to check and create fpm pools
# Simply create the target fpm pool at uid port : 127.0.0.1:UID
# Set the User and Group of fpm pool to User and Group of domain
if [ -d /etc/php-fpm.d ]; then
os="centos";
confdir="/etc/php-fpm.d/";
fpm="/etc/init.d/php-fpm";
elif [ -d /etc/php5/fpm/pool.d ]; then
os="debian";
confdir="/etc/php5/fpm/pool.d/";
fpm="/etc/init.d/php5-fpm"
fi

# There's no need to create pools for sub-servers
if [ "$VIRTUALSERVER_PARENT" = "" ]; then
if 
[[ "$VIRTUALSERVER_ACTION" = "CREATE_DOMAIN" && "$VIRTUALSERVER_WEB" = "1" ]] ||
[[ "$VIRTUALSERVER_ACTION" = "MODIFY_DOMAIN" && "$VIRTUALSERVER_WEB" = "1" && ! -f $confdir$VIRTUALSERVER_UID.conf ]] ||
[ "$VIRTUALSERVER_ACTION" = "ENABLE_DOMAIN" ]; then

# Create the pool for main domain
echo -e "\nCreating fpm pool $VIRTUALSERVER_USER at 127.0.0.1:$VIRTUALSERVER_UID with config file $confdir$VIRTUALSERVER_UID.conf"
#
echo "[$VIRTUALSERVER_USER]" > $confdir$VIRTUALSERVER_UID.conf
echo "listen = 127.0.0.1:$VIRTUALSERVER_UID" >> $confdir$VIRTUALSERVER_UID.conf
echo "listen.allowed_clients = 127.0.0.1" >> $confdir$VIRTUALSERVER_UID.conf
echo "user = $VIRTUALSERVER_USER" >> $confdir$VIRTUALSERVER_UID.conf
echo "group = $VIRTUALSERVER_GROUP" >> $confdir$VIRTUALSERVER_UID.conf
echo "pm = dynamic" >> $confdir$VIRTUALSERVER_UID.conf
echo "pm.max_children =  20" >> $confdir$VIRTUALSERVER_UID.conf
echo "pm.start_servers = 2" >> $confdir$VIRTUALSERVER_UID.conf
echo "pm.min_spare_servers = 2" >> $confdir$VIRTUALSERVER_UID.conf
echo "pm.max_spare_servers = 3" >> $confdir$VIRTUALSERVER_UID.conf
echo "pm.max_requests = 2000" >> $confdir$VIRTUALSERVER_UID.conf
echo "chdir = $VIRTUALSERVER_HOME" >> $confdir$VIRTUALSERVER_UID.conf
echo ";request_slowlog_timeout = 0" >> $confdir$VIRTUALSERVER_UID.conf
echo "slowlog = $VIRTUALSERVER_HOME/logs/"$VIRTUALSERVER_DOM"_slow_log" >> $confdir$VIRTUALSERVER_UID.conf
echo "php_admin_value[error_log] = $VIRTUALSERVER_HOME/logs/"$VIRTUALSERVER_DOM"_error_log" >> $confdir$VIRTUALSERVER_UID.conf
echo "php_admin_value[session.save_path] = $VIRTUALSERVER_HOME/tmp" >> $confdir$VIRTUALSERVER_UID.conf
echo "php_admin_flag[log_errors] = on" >> $confdir$VIRTUALSERVER_UID.conf
echo ";php_admin_value[memory_limit] = 32M" >> $confdir$VIRTUALSERVER_UID.conf

echo "Applying php-fpm configuration"
$fpm reload
fi
# Remove php-fpm pool when deleting a virtual-server
if [[ "$VIRTUALSERVER_ACTION" = "DELETE_DOMAIN" ]] ||
        [[ "$VIRTUALSERVER_ACTION" = "MODIFY_DOMAIN" && "$VIRTUALSERVER_WEB" = "0" && -f $confdir$VIRTUALSERVER_UID.conf ]] ||
        [ "$VIRTUALSERVER_ACTION" = "DISABLE_DOMAIN" ]; then
echo "Removing fpm pool $confdir$VIRTUALSERVER_UID.conf";
if [ -f $confdir$VIRTUALSERVER_UID.conf ]; then
rm -fr $confdir$VIRTUALSERVER_UID.conf;
fi
$fpm reload
fi
fi
sed -i /opt/apache2/conf/httpd.conf -e '/^NameVirtualHost/d'

19 comments:

  1. Thanks for the steps and confirming this works.

    Is there any reason why not to just overwrite the existing copy of apache so it can be managed directly by virtualmin/webmin?

    Since you use /opt/ I assume this was originally done in debian and then you converted the script to centos.

    ReplyDelete
    Replies
    1. The version of default apache package on debian and centos is 2.2 which doesn't support tcp/ip fcgi to work with php-fpm.
      2.4.x introduces new mod_proxy_fcgi so it can contact php-fpm pools directly.

      I've installed httpd 2.4.x in /opt folder ( no matter what os ) and integrated it to virtualmin in step #3 so you'll be able to manage it directly using both webmin/virtualmin.

      Delete
  2. Please note that using PHP-FPM with TCP/IP or a socket with too open permissions is a severe security fuck-up waiting to happen.

    ReplyDelete
    Replies
    1. You're right ...
      I've asked apache developers for socket connection fpm support :
      http://httpd.apache.org/docs/2.4/mod/mod_proxy_fcgi.html

      See comments ...

      Delete
  3. Great Tutorial,

    But there is a problem with /script/php-fpm it show an error when it come to the step of applying configuration to existing domains, it show:
    /script/php-fpm: 18: /script/php-fpm: [[: not found
    /script/php-fpm: 19: /script/php-fpm: [[: not found
    /script/php-fpm: 48: /script/php-fpm: [[: not found
    /script/php-fpm: 49: /script/php-fpm: [[: not found

    thanx for your help

    ReplyDelete
    Replies
    1. I think you need to ask the question on a linux forum, I've tested the script on centos and debian.
      '[[' is something like 'if statement' but I don't have any idea why it's not working for you !

      Delete
    2. I changed #/bin/sh to #/bin/bash and this is fixed.

      Delete
  4. Any chance of getting the php-fpm script somewhere? Can't download it anymore

    ReplyDelete
  5. I cannot get scripts to install in virtualmin following this guide: "This script cannot be installed, as this virtual server does not meet its requirements : Could not work out exact PHP version" I followed the part about script install.. any suggestions.. everything else seems fine but I really like to fix this part?

    ReplyDelete
  6. I see /opt/apache2/conf/httpd.conf for editing conf file first but then it is /opt/apache24/conf/httpd.conf. Is this a typo?
    I cannot find /opt/apache24/conf/httpd.conf

    ReplyDelete
  7. What directory should we mkdir /script? root? src? init.d?

    ReplyDelete
  8. Thanks a lot for guide. I think we should keep error log location same.

    ReplyDelete
  9. I am going to give this a go with Centos 7 so Apache 2.4 should already be there and good to go. I am thinking I can just skip step 3 and change the file path to httpd.conf where needed.

    ReplyDelete
  10. Hello, I am going to try this on Ubuntu 16.04 lts.

    I notice you don't turn off mpm-prefork/mod-php, and turn on mpm-worker (or mpm-event)? Why? You would significantly cut down on your Apache overhead...

    ReplyDelete
    Replies
    1. You are right, Ive now updated this post and replaced mpm_prefork with mpm_event.

      Delete