Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Topic review - PHP-FPM 5.6 from source \w Suhosin & xcache in Debian Linux
Post subject: PHP-FPM 5.6 from source \w Suhosin & xcache in Debian Linux  |  Post Posted: Wed Jan 14, 2015 8:44 am
php-fpm is an alternative way of running PHP as a FastCGI process instead of, let's say, an Apache module.

Visit http://php-fpm.org/ for more information on php-fpm.

Xcache is a very powerful opcache engine (along with the builtin opcache, APC and others). It brings a significant boost to busy sites where many PHP scripts are executed: the opcache engine compiles these scripts and stores them in RAM instead of compiling them for every visitor.

Suhosin is a 3rd party patch for PHP that has been active ever since PHP 4, IIRC. It provides many security enhancements that no PHP site should run without. More info on the Suhosin website: http://www.suhosin.org/stories/install.html

Installing prerequisites to compile php-fpm, xcache and suhosin patch:
Code:
root@linux:/usr/src# apt-get install gcc
root@linux:/usr/src# apt-get install build-essential
root@linux:/usr/src# apt-get install autoconf

Fetching and installing php-fpm 5.6.4:
Code:
root@linux:/usr/src/# wget -O php-5.6.4.tar.gz http://au1.php.net/get/php-5.6.4.tar.gz/from/this/mirror
root@linux:/usr/src/# tar zxvf php-5.6.4.tar.gz
root@linux:/usr/src/# cd php-5.6.4
root@linux:/usr/src/php-5.6.4#

root@linux:/usr/src/php-5.6.4# ./configure --prefix=/opt/php-5.6.4 --enable-fpm
...
checking libxml2 install dir... no
checking for xml2-config path...
configure: error: xml2-config not found. Please check your libxml2 installation.
!!!!!!!!!!!! OOPS !!!!!!!!!!!!
Code:
root@linux:/usr/src/php-5.6.4# apt-get install libxml2-dev
root@linux:/usr/src/php-5.6.4# ./configure --prefix=/opt/php-5.6.4 --enable-fpm
...
creating libtool
appending configuration tag "CXX" to libtool

Generating files
configure: creating ./config.status
creating main/internal_functions.c
creating main/internal_functions_cli.c
+--------------------------------------------------------------------+
| License:                                                           |
| This software is subject to the PHP License, available in this     |
| distribution in the file LICENSE.  By continuing this installation |
| process, you are bound by the terms of this license agreement.     |
| If you do not agree with the terms of this license, you must abort |
| the installation process at this point.                            |
+--------------------------------------------------------------------+

Thank you for using PHP.

config.status: creating php5.spec
config.status: creating main/build-defs.h
config.status: creating scripts/phpize
config.status: creating scripts/man1/phpize.1
config.status: creating scripts/php-config
config.status: creating scripts/man1/php-config.1
config.status: creating sapi/cli/php.1
config.status: creating sapi/fpm/php-fpm.conf
config.status: creating sapi/fpm/init.d.php-fpm
config.status: creating sapi/fpm/php-fpm.service
config.status: creating sapi/fpm/php-fpm.8
config.status: creating sapi/fpm/status.html
config.status: creating sapi/cgi/php-cgi.1
config.status: creating ext/phar/phar.1
config.status: creating ext/phar/phar.phar.1
config.status: creating main/php_config.h
config.status: executing default commands

root@linux:/usr/src/php-5.6.4# make
root@linux:/usr/src/php-5.6.4# make install
root@linux:/usr/src/php-5.6.4# cd ext

The configure switch "--enable-fpm" will enable fpm functionality.
Copying the configuration files php.ini and php-fpm.conf to correct destinations:
Code:
root@linux:~# find /usr/src/ | grep -E "php\.ini|php-fpm.conf"
/usr/src/php-5.6.4/php.ini-production
/usr/src/php-5.6.4/php.ini-development
/usr/src/php-5.6.4/sapi/fpm/php-fpm.conf
/usr/src/php-5.6.4/sapi/fpm/php-fpm.conf.in
root@linux:~# cp /usr/src/php-5.6.4/php.ini-production /opt/php-5.6.4/etc/php.ini
root@linux:~# cp /usr/src/php-5.6.4/sapi/fpm/php-fpm.conf /opt/php-5.6.4/etc/

Editing fpm configuration according to our needs. I will leave defaults:
Code:
root@linux:~# grep -v ^\; /opt/php-5.6.4/etc/php-fpm.conf | grep [a-z]
[global]
pid = run/php-fpm.pid
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

Make sure you use user and group that exist on the system. Some users will have "nobody" and others might have "www-data".

Create a symlink at /opt/php. This is for future upgrades of PHP: it makes it easy to switch to an upgraded version, since the init script points to /opt/php instead of /opt/php-version.
Code:
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# ln -sf /opt/php-5.6.4 /opt/php

Since php uses "lib/php.ini" config file by default, let's create a symlink to point to /opt/php/etc/php.ini:
Code:
root@linux:~# ln -sf /opt/php-5.6.4/etc/php.ini /opt/php-5.6.4/lib/

Create following php-fpm init script (taken from repository and modified to match this custom php installation):
Code:
root@linux:~# cat /etc/init.d/php5-fpm
#!/bin/sh
### BEGIN INIT INFO
# Provides:          php-fpm php5.6-fpm
# Required-Start:    $remote_fs $network
# Required-Stop:     $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts php5-fpm
# Description:       Starts PHP5 FastCGI Process Manager Daemon
### END INIT INFO

# Author: Ondrej Sury <ondrej@debian.org>

#PATH=/sbin:/usr/sbin:/bin:/usr/bin
PATH=/opt/php/sbin:/sbin:/usr/sbin:/bin:/usr/bin
DESC="PHP5 FastCGI Process Manager"
#NAME=php5-fpm
NAME=php-fpm
DAEMON=/opt/php/sbin/$NAME
#DAEMON_ARGS="--fpm-config /etc/php5/fpm/php-fpm.conf"
DAEMON_ARGS="--fpm-config /opt/php/etc/php-fpm.conf"
PIDFILE=/var/run/php5-fpm.pid
TIMEOUT=30
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function to check the correctness of the config file
#
do_check()
{
    [ "$1" != "no" ] && $DAEMON $DAEMON_ARGS -t 2>&1 | grep -v "\[ERROR\]"
    FPM_ERROR=$($DAEMON $DAEMON_ARGS -t 2>&1 | grep "\[ERROR\]")

    if [ -n "${FPM_ERROR}" ]; then
        echo "Please fix your configuration file..."
        $DAEMON $DAEMON_ARGS -t 2>&1 | grep "\[ERROR\]"
        return 1
    fi
    return 0
}

#
# Function that starts the daemon/service
#
do_start()
{
        # Return
        #   0 if daemon has been started
        #   1 if daemon was already running
        #   2 if daemon could not be started
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
                || return 1
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
                $DAEMON_ARGS 2>/dev/null \
                || return 2
        # Add code here, if necessary, that waits for the process to be ready
        # to handle requests from services started subsequently which depend
        # on this one.  As a last resort, sleep for some time.
}

#
# Function that stops the daemon/service
#
do_stop()
{
        # Return
        #   0 if daemon has been stopped
        #   1 if daemon was already stopped
        #   2 if daemon could not be stopped
        #   other if a failure occurred
        start-stop-daemon --stop --quiet --retry=QUIT/$TIMEOUT/TERM/5/KILL/5 --pidfile $PIDFILE --name $NAME
        RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2
        # Wait for children to finish too if this is a daemon that forks
        # and if the daemon is only ever run from this initscript.
        # If the above conditions are not satisfied then add some other code
        # that waits for the process to drop all resources that could be
        # needed by services started subsequently.  A last resort is to
        # sleep for some time.
        start-stop-daemon --stop --quiet --oknodo --retry=0/30/TERM/5/KILL/5 --exec $DAEMON
        [ "$?" = 2 ] && return 2
        # Many daemons don't delete their pidfiles when they exit.
        rm -f $PIDFILE
        return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
        #
        # If the daemon can reload its configuration without
        # restarting (for example, when it is sent a SIGHUP),
        # then implement that here.
        #
        start-stop-daemon --stop --signal USR2 --quiet --pidfile $PIDFILE --name $NAME
        return 0
}

case "$1" in
    start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_check $VERBOSE
        case "$?" in
            0)
                do_start
                case "$?" in
                    0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
                esac
                ;;
            1) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    status)
        status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
        ;;
    check)
        do_check yes
        ;;
    reload|force-reload)
        log_daemon_msg "Reloading $DESC" "$NAME"
        do_reload
        log_end_msg $?
        ;;
    reopen-logs)
        log_daemon_msg "Reopening $DESC logs" $NAME
        if start-stop-daemon --stop --signal USR1 --oknodo --quiet \
            --pidfile $PIDFILE --exec $DAEMON
        then
            log_end_msg 0
        else
            log_end_msg 1
        fi
        ;;
    restart)
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        case "$?" in
          0|1)
                do_start
                case "$?" in
                        0) log_end_msg 0 ;;
                        1) log_end_msg 1 ;; # Old process is still running
                        *) log_end_msg 1 ;; # Failed to start
                esac
                ;;
          *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
        exit 1
    ;;
esac

:

Now we create startup links for all runlevels and make the script executable:
Code:
root@linux:~# chmod 755 /etc/init.d/php5-fpm
root@linux:~# insserv php5-fpm

Let's start php-fpm:
Code:
root@linux:~# /etc/init.d/php5-fpm start                   
root@linux:~# ps alxw | grep php               
1     0 30013     1  20   0  15956  2116 -      Ss   ?          0:00 php-fpm: master process (/opt/php/etc/php-fpm.conf)         
5    33 30014 30013  20   0  15956  1676 -      S    ?          0:00 php-fpm: pool www                                           
5    33 30015 30013  20   0  15956  1676 -      S    ?          0:00 php-fpm: pool www                                           
0     0 30017  2651  20   0   3556   760 -      S+   pts/1      0:00 grep php

Downloading and installing xcache and suhosin php extensions:
Code:
root@linux:/usr/src# cd /usr/src/php-5.6.4/ext/
root@linux:/usr/src/php-5.6.4/ext# wget https://xcache.lighttpd.net/pub/Releases/3.2.0/xcache-3.2.0.tar.gz

root@linux:/usr/src/php-5.6.4/ext# tar zxvf xcache-3.2.0.tar.gz
root@linux:/usr/src/php-5.6.4/ext# cd xcache-3.2.0

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# /opt/php-5.6.4/bin/phpize
Configuring for:
PHP Api Version:         20131106
Zend Module Api No:      20131226
Zend Extension Api No:   220131226
Cannot find autoconf. Please check your autoconf installation and the
$PHP_AUTOCONF environment variable. Then, rerun this script.

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# apt-get install autoconf

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# /opt/php-5.6.4/bin/phpize
Configuring for:
PHP Api Version:         20131106
Zend Module Api No:      20131226
Zend Extension Api No:   220131226

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# ./configure --with-php-config=/opt/php-5.6.4/bin/php-config
root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# make && make install

Installing suhosin 0.9.37 for php 5.6.4.
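root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# cd ..
# suhosin-0.9.37.1.tar.gz must already be in this directory (the download step is not shown)
root@linux:/usr/src/php-5.6.4/ext# tar zxvf suhosin-0.9.37.1.tar.gz
root@linux:/usr/src/php-5.6.4/ext# cd suhosin-0.9.37.1
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# /opt/php-5.6.4/bin/phpize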
Configuring for:
PHP Api Version:         20131106
Zend Module Api No:      20131226
Zend Extension Api No:   220131226
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# ./configure --with-php-config=/opt/php-5.6.4/bin/php-config
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# make && make install


Enable xcache in PHP: the xcache.so extension needs to be added to php.ini, and the xcache configuration appended at the end of php.ini.
Code:
root@linux:~# cat /usr/src/php-5.6.4/ext/xcache-3.2.0/xcache.ini >>/opt/php/etc/php.ini
root@linux:~# grep xcache.so /opt/php/etc/php.ini
extension = xcache.so
root@linux:~# /etc/init.d/php5-fpm restart


Testing xcache is loaded in php-fpm from cli (not via phpinfo()):
Code:
root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep xcache
xcache.coredump_directory => no value => no value
xcache.disable_on_crash => Off => Off
xcache.experimental => Off => Off
xcache.test => Off => Off
xcache.admin.enable_auth => On => On
xcache.allocator => bestfit => bestfit
xcache.cacher => On => On
xcache.count => 1 => 1
xcache.gc_interval => 0 => 0
xcache.mmap_path => /dev/zero => /dev/zero
xcache.readonly_protection => Off => Off
xcache.shm_scheme => mmap => mmap
xcache.size => 60M => 60M
xcache.slots => 8K => 8K
xcache.stat => On => On
xcache.ttl => 0 => 0
xcache.var_allocator => bestfit => bestfit
xcache.var_count => 1 => 1
xcache.var_gc_interval => 300 => 300
xcache.var_maxttl => 0 => 0
xcache.var_namespace => no value => no value
xcache.var_namespace_mode => 0 => 0
xcache.var_size => 4M => 4M
xcache.var_slots => 8K => 8K
xcache.var_ttl => 0 => 0


Enabling Suhosin patch in php-fpm 5.6
First we confirm suhosin is not enabled in PHP and then enable the suhosin.so extension in php.ini:
Code:
root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep suhosin
root@linux:~# vim /opt/php/etc/php.ini
...
extension=suhosin.so
...
root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep suhosin         
suhosin
suhosin.apc_bug_workaround => Off => Off
suhosin.cookie.checkraddr => 0 => 0
suhosin.cookie.cryptdocroot => On => On
suhosin.cookie.cryptkey => [ protected ] => [ protected ]
suhosin.cookie.cryptlist => no value => no value
suhosin.cookie.cryptraddr => 0 => 0
suhosin.cookie.cryptua => On => On
suhosin.cookie.disallow_nul => 1 => 1
suhosin.cookie.disallow_ws => 1 => 1
suhosin.cookie.encrypt => Off => Off
suhosin.cookie.max_array_depth => 50 => 50
suhosin.cookie.max_array_index_length => 64 => 64
suhosin.cookie.max_name_length => 64 => 64
suhosin.cookie.max_totalname_length => 256 => 256
suhosin.cookie.max_value_length => 10000 => 10000
suhosin.cookie.max_vars => 100 => 100
suhosin.cookie.plainlist => no value => no value
...


So far so good. Xcache and suhosin are enabled and php-fpm 5.6.4 is running. Next steps are to configure nginx to operate with php on the selected port (9000). Coming soon.
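
A check for the pool settings shown in the php-fpm.conf step above: that the configured user and group exist, and that `listen` is a unix socket or a loopback address rather than a bare port or routable address. This is an added example, not part of the original post. The function names and the PASSWD_FILE/GROUP_FILE overrides are assumptions, and only local accounts (not LDAP/NSS) are checked.

```shell
#!/bin/sh
# Added example: audit user/group/listen of every pool in a php-fpm.conf.
# PASSWD_FILE and GROUP_FILE are hypothetical overrides; only local accounts are checked.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# Print "pool key value" for each user/group/listen directive, skipping ';' comments.
fpm_pool_settings() {
    awk '
        /^[ \t]*;/  { next }
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); pool = substr($0, 2, length($0) - 2); next }
        {
            i = index($0, "="); if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "user" || k == "group" || k == "listen") print pool, k, v
        }' "$1"
}

# Succeed if NAME ($2) is the first colon-separated field of some line in FILE ($1).
has_entry() {
    awk -F: -v n="$2" '$1 == n { f = 1 } END { exit !f }' "$1" 2>/dev/null
}

# Print one line per finding; the exit status is the number of findings.
audit_fpm_conf() {
    findings=0
    while read -r pool key value; do
        case "$key" in
            user)   has_entry "$PASSWD_FILE" "$value" && continue
                    echo "[$pool] user '$value' does not exist" ;;
            group)  has_entry "$GROUP_FILE" "$value" && continue
                    echo "[$pool] group '$value' does not exist" ;;
            listen) case "$value" in
                        /*|127.*:*|localhost:*|'[::1]':*) continue ;;  # absolute socket path or loopback
                    esac
                    echo "[$pool] listen '$value' accepts non-local connections" ;;
            *)      continue ;;
        esac
        findings=$((findings + 1))
    done <<EOF
$(fpm_pool_settings "$1")
EOF
    return "$findings"
}

# Constructed sample: the post's [www] pool with listen changed to a bare port.
sample=$(mktemp)
printf '[www]\nuser = www-data\ngroup = www-data\nlisten = 9000\n' > "$sample"
audit_fpm_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it as `audit_fpm_conf /opt/php/etc/php-fpm.conf` before `/etc/init.d/php5-fpm start`; a bare port such as `listen = 9000` binds all addresses and is reported.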