Apache+suEXEC+FastCGI+PHP-FPM+APC - Part 1

This part 1 is going to focus on the Slackware side of things in order to prep your server to use all of the above.  If you are not running Slackware, don’t necessarily skip this section, as the configure options for compiling everything are still very important and apply to any distro.  If you already have everything recompiled, installed, etc., I would skim this to make sure (if you recompiled before seeing this) that you used the options I did, or at least are familiar with them, so that when I reference them later you can apply them to your setup if you chose different options at compile time.  (Wow, that was a mouthful..(that’s what she said..))  Ha ha ha.

Before we start, let’s do a benchmark of our current configuration of Apache with PHP.  Be sure to save the output to compare it with the results at the end of Part 2.

ab -n 50 -c 3 -k  http://www.somevhost.com/

I am using a fully up to date Slackware 13.0 installation at the time of this writing.  I chose not to install the following “disk sets”: E, KDE, KDEI, X, XAP, Y when upgrading my Linode 360 from 12.2 to 13.0.  I keep a local copy of the source on my Linode just in case.  You will need the source from the Slackware 13.0 repo for the following programs:

  • httpd
  • php

As of this writing,  both are under the patches directory.  You can do the following to download the source:

lftp -c "open http://slackware.cs.utah.edu/pub/slackware/slackware-13.0/patches/source/; mirror httpd; mirror php"

Next we will just need to modify a few things in both SlackBuilds.  Be sure to increase $BUILD by 1 in both SlackBuilds.

HTTPD SlackBuild

First start with httpd.  Open the httpd.SlackBuild in whatever your editor of choice is.  Add the following lines just above "--build=$ARCH-slackware-linux || exit 1"


--enable-suexec \
--with-suexec-bin=/usr/sbin/suexec \
--with-suexec-caller=apache \
--with-suexec-userdir=public_html \
--with-suexec-docroot=/home \

Now the last two options may be optional for you.  If you aren’t using apache in userdir mode, you should be able to just remove them entirely.  I didn’t test that though, YMMV.  Please leave a comment down below if you tested it without userdir and if it worked, options you had to change etc. etc.

Now run the SlackBuild and upgrade the package.  To check and make sure that it built properly:

suexec -V

This will output something along the lines of:


 -D AP_DOC_ROOT="/home"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec_log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"

Alright, looks good.  If you are a Slackware user, you will need to add this to your httpd.conf above your “vhost” line, like so:

# Uncomment the following line to enable PHP:
#
#Include /etc/httpd/mod_php.conf
 
# FastCgi Config
# **Must go before your virtual hosts**
Include /etc/httpd/mod_fastcgi.conf
 
# Virtual hosts
Include /etc/httpd/extra/httpd-vhosts.conf

Please note that mod_php.conf is commented out; this must be done.  The mod_fastcgi.conf will be added in a little bit as well.  Okay, everything looks good so let’s move on.
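
The `suexec -V` check from this section can be scripted, so that a rebuild which silently drops one of the configure options is caught.  This is an added example, not part of the original post: the function name `check_suexec_build` and the `EXPECTED` and `MIN_ID` variables are hypothetical, and the expected values are the ones from the configure flags and output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): compare `suexec -V` output
# with the configure options added to httpd.SlackBuild in this guide.

# Expected compile-time values, one NAME=value per line.
EXPECTED='AP_HTTPD_USER=apache
AP_DOC_ROOT=/home
AP_USERDIR_SUFFIX=public_html'
# Lowest UID/GID suexec may switch to (100 in the output shown above).
MIN_ID=100

# Reads `suexec -V` output on stdin and prints one line per problem.
# Returns 0 when every setting matches, 1 otherwise.
check_suexec_build() {
    cs_rc=0
    # Turn ' -D NAME="value"' into 'NAME=value'.
    cs_out=$(sed -n 's/^ *-D *\([A-Z_]*\)=\(.*\)$/\1=\2/p' | tr -d '"')
    while IFS='=' read -r cs_key cs_want; do
        cs_got=$(printf '%s\n' "$cs_out" | sed -n "s/^${cs_key}=//p")
        if [ "$cs_got" != "$cs_want" ]; then
            echo "MISMATCH $cs_key: want '$cs_want', got '${cs_got:-<missing>}'"
            cs_rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    for cs_key in AP_UID_MIN AP_GID_MIN; do
        cs_got=$(printf '%s\n' "$cs_out" | sed -n "s/^${cs_key}=//p")
        case "$cs_got" in
            ''|*[!0-9]*) echo "MISSING $cs_key"; cs_rc=1 ;;
            *) [ "$cs_got" -ge "$MIN_ID" ] || { echo "LOW $cs_key=$cs_got"; cs_rc=1; } ;;
        esac
    done
    return "$cs_rc"
}

# Constructed sample: a build where the caller and minimum UID came out wrong.
SAMPLE=' -D AP_DOC_ROOT="/home"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="nobody"
 -D AP_UID_MIN=0
 -D AP_USERDIR_SUFFIX="public_html"'
printf '%s\n' "$SAMPLE" | check_suexec_build || echo "suexec build does not match"

# On the server (merge stderr so the -D lines reach the pipe):
#   suexec -V 2>&1 | check_suexec_build && echo "suexec build OK"
```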

PHP SlackBuild

Same thing here, open the php.SlackBuild up. This one requires a few more tweaks.

Completely remove the IMAP section, unless you need it.

# we need to compile alpine to get c-client.a for IMAP support:
IMAPLIBDIR=/usr/local/lib${LIBDIRSUFFIX}/c-client
if [ -r $IMAPLIBDIR/lib${LIBDIRSUFFIX}/c-client.a ]; then
echo "Using IMAP library:"
ls -l $IMAPLIBDIR/lib${LIBDIRSUFFIX}/c-client.a
sleep 5
else
( cd $CWD/../alpine ; ./alpine.SlackBuild || exit 1 ) || exit 1
( cd $TMP/alpine-${ALPINE}/imap/c-client
strip -g c-client.a
mkdir -p $IMAPLIBDIR/lib${LIBDIRSUFFIX}
cp c-client.a $IMAPLIBDIR/lib${LIBDIRSUFFIX}
mkdir -p $IMAPLIBDIR/include
cp *.h $IMAPLIBDIR/include
)
fi

AND

--with-imap-ssl=/usr \
--with-imap=$IMAPLIBDIR \

Just above the php_configure() function add:

wget http://php-fpm.org/downloads/php-5.2.12-fpm-0.5.13.diff.gz || exit 1
gunzip php-5.2.12-fpm-0.5.13.diff.gz || exit 1
patch -f -p1 < php-5.2.12-fpm-0.5.13.diff
 
wget http://download.suhosin.org/suhosin-patch-5.2.12-0.9.7.patch.gz || exit 1
gunzip suhosin-patch-5.2.12-0.9.7.patch.gz || exit 1
patch -f -p1 < suhosin-patch-5.2.12-0.9.7.patch
 
./buildconf --force
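
The lines above fetch both patches over plain HTTP and apply them without checking what arrived.  One way to pin them is sketched here as an added example, not part of the original SlackBuild: `verify_sha256` and `apply_verified_patch` are hypothetical helper names, and the two checksum values are placeholders, since the post lists none.

```shell
#!/bin/sh
# Added example, not part of the original SlackBuild.
# The SHA-256 values are placeholders: record the real ones yourself from a
# copy of each patch you have reviewed; the post does not list any.
FPM_SHA256="<sha256 of php-5.2.12-fpm-0.5.13.diff.gz>"
SUHOSIN_SHA256="<sha256 of suhosin-patch-5.2.12-0.9.7.patch.gz>"

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_sha256() {
    vs_actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$vs_actual" != "$2" ]; then
        echo "checksum mismatch for $1: got '$vs_actual'" >&2
        return 1
    fi
}

# apply_verified_patch FILE.gz EXPECTED: verify, then apply in the current
# directory.  The dry run comes first so a rejected hunk leaves the source
# tree untouched instead of half-patched.
apply_verified_patch() {
    verify_sha256 "$1" "$2" || return 1
    gunzip -c "$1" | patch -f -p1 --dry-run >/dev/null || {
        echo "patch $1 does not apply cleanly" >&2
        return 1
    }
    gunzip -c "$1" | patch -f -p1
}

# Constructed demo: a file checked against its own hash, then a wrong one.
demo=$(mktemp) && echo "sample patch body" > "$demo"
verify_sha256 "$demo" "$(sha256sum "$demo" | cut -d' ' -f1)" && echo "demo: match accepted"
verify_sha256 "$demo" "deadbeef" 2>/dev/null || echo "demo: mismatch rejected"
rm -f "$demo"

# Intended use above php_configure(), in place of the gunzip/patch lines:
#   wget http://php-fpm.org/downloads/php-5.2.12-fpm-0.5.13.diff.gz || exit 1
#   apply_verified_patch php-5.2.12-fpm-0.5.13.diff.gz "$FPM_SHA256" || exit 1
#   wget http://download.suhosin.org/suhosin-patch-5.2.12-0.9.7.patch.gz || exit 1
#   apply_verified_patch suhosin-patch-5.2.12-0.9.7.patch.gz "$SUHOSIN_SHA256" || exit 1
```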

Okay, now we need to replace this:

# Make the FastCGI interpreter:
make distclean
php_configure \
--enable-fastcgi \
--enable-pcntl \
--enable-sigchild
make $NUMJOBS || make || exit 1
mkdir -p $PKG/usr/bin
cat sapi/cgi/php-cgi > $PKG/usr/bin/php-cgi
chmod 755 $PKG/usr/bin/php-cgi

With this:

## Make the FastCGI interpreter:
make distclean
php_configure \
--enable-fastcgi \
--enable-discard-path \
--enable-force-cgi-redirect \
--enable-fpm \
--with-fpm-pid=/var/run/php-fpm.pid \
--with-fpm-log=/var/log/php-fpm.log \
--with-fpm-conf=/etc/httpd/php-fpm.conf \
--with-fpm-init=/etc/rc.d/rc.php-fpm \
--enable-pcntl \
--enable-sigchild
make $NUMJOBS || make || exit 1
mkdir -p $PKG/usr/bin $PKG/etc/{httpd,rc.d}
cat sapi/cgi/php-cgi > $PKG/usr/bin/php-cgi
cat sapi/cgi/fpm/php-fpm.conf > $PKG/etc/httpd/php-fpm.conf
cat sapi/cgi/fpm/php-fpm > $PKG/etc/rc.d/rc.php-fpm
chmod 755 $PKG/usr/bin/php-cgi $PKG/etc/rc.d/rc.php-fpm
chmod 644 $PKG/etc/httpd/php-fpm.conf

** Optional **
I added mcrypt support in for phpmyadmin.  First, install mcrypt with sbopkg.  Next you need to add "--with-mcrypt" in the php_configure() function, aka the “kitchen sink”.

Last thing you might want to look at is the $NUMJOBS and change it from -j7 to whatever fits your current host.  Execute the SlackBuild and upgrade the package.

FastCGI

I’ve made a SlackBuild for this.  I haven’t submitted it to SlackBuilds.org as of yet (at the time of writing this) but I will afterwards.  Here is the link: http://learnix.net/slackbuilds/13.0/fcgi/.  The fcgi.tar.gz contains everything in that directory.  I’m working on the index script that will just hide that file but offer the download link below the source link.

APC

I’m in the process of making the slackbuild for APC.  You can try to install it via:

pecl install apc

But, at least for me, it didn’t work.  I got a phpize error and I didn’t feel like spending a bunch of time trying to figure out why.  So I just did this:

cd /tmp/pear/download/APC-3.0.19
phpize
./configure --enable-apc-mmap --with-apxs --with-php-config=/usr/local/php/bin/php-config
make && make install

This will install the php extension only.  Copy the “apc.php”, found in the apc source root, to your web root.  This is used to view the stats of APC, clear the cache, etc.  You will also want an apc.ini in your /etc/php directory.  Here is my apc.ini, which is mostly what is suggested within the INSTALL file located in the source.

cat /etc/php/apc.ini
; /etc/php.d/apc.ini
 
extension = apc.so
 
apc.enabled = 1
apc.shm_segments = 1
apc.shm_size = 90
apc.optimization = 0
apc.num_files_hint = 4096
apc.ttl = 7200
apc.user_ttl = 7200
apc.gc_ttl = 0
apc.cache_by_default = 1
apc.filters = ""
apc.mmap_file_mask = "/tmp/apc.XXXXXX"
apc.slam_defense = 0
apc.file_update_protection = 2
apc.enable_cli = 0
apc.max_file_size = 5M
apc.stat = 1
apc.write_lock = 1
apc.report_autofilter = 0
apc.include_once_override = 0
;apc.rfc1867	= 0
;apc.rfc1867_prefix = "upload_"
;apc.rfc1867_name = "APC_UPLOAD_PROGRESS"
;apc.rfc1867_freq = 0
apc.localcache = 0
apc.localcache.size = 512
apc.coredump_unmap = 0
apc.stat_ctime = 0

You may or may not need to adjust this to your settings.  YMMV with this, but at least it’s a good starting point to be able to continue on with the rest of the configuration.

SUHOSIN

There are two parts to suhosin.  We applied the suhosin patch to the php source, which protects from format string vulnerabilities, but the extension is where all the money’s at.  This was one of the easier ones to install as there is a SlackBuild for it.  You can get it HERE or use sbopkg to install it.

To make sure things are working, restart apache and start php-fpm.

/etc/rc.d/rc.httpd restart
/etc/rc.d/rc.php-fpm start

Check your logs.  Make sure everything started up correctly.  View your website, make sure it displays correctly.  Check your php config.  There’s a couple ways of doing this.  In your web root, create a file called:  phpinfo.php and put this inside:

<?php
phpinfo();
?>

From your web browser you would view it by going to http://yourdomain.com/phpinfo.php.  You can search for fastcgi, php-fpm and apc.ini.  It will tell you that those options were compiled in and/or in use.  You should also check out http://yourdomain.com/apc.php to check that apc is working.

This concludes Part 1 of this guide.  Next we will go over all the configuration options to put all of this together.

Part 2

PS: I make mistakes.  This is a long guide.  If you see one, please let me know.  Thanks!
Thanks for pointing those out Seth!

# FastCgi Configuration
LoadModule fastcgi_module /usr/lib/httpd/modules/mod_fastcgi.so
AddHandler fastcgi-script .fcgi .fcg .fpl
FastCgiConfig -idle-timeout 20 -maxClassProcesses 1
#FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout 20 -pass-header HTTP_AUTHORIZATION
FastCgiWrapper /usr/sbin/suexec
<Location "/fcgi-bin/php-fastcgi.fcgi">
Order Deny,Allow
Deny from All
Allow from env=REDIRECT_STATUS
Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
SetHandler fastcgi-script
</Location>
#DirectoryIndex index.html index.shtml index.cgi index.php
#AddType application/x-httpd-php .php
#AddType application/x-httpd-fastphp .php
#Action application/x-httpd-fastphp /fcgi-bin/php-fastcgi