Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

php-fpm is an alternative way of running php as fast cgi script, instead of, let's say, a module of apache.

Visit [url]http://php-fpm.org/[/url] for more information on php-fpm.

Xcache is a very powerful opcache engine (along with builtin opcache, APC and others). It brings significant boost to busy sites and where many php scripts are executed, the opcache engine compiles these scripts and stores them in ram memory, instead of compiling the scripts for every visitor.

Suhosin is a 3rd party patch for php that has been active ever since php 4 iirc. It provides many security enhancements that no php site should run without. More info on suhosin website [url]http://www.suhosin.org/stories/install.html[/url].

[b]Installing prerequisites to compile php-fpm, xcache and suhosin patch:[/b]
[code]root@linux:/usr/src# apt-get install gcc
root@linux:/usr/src# apt-get install build-essential
root@linux:/usr/src# apt-get install autoconf
[/code]
[b]Fetching and installing php-fpm 5.6.4:[/b]
[code]root@linux:/usr/src/# wget http://au1.php.net/get/php-5.6.4.tar.gz/from/this/mirror
root@linux:/usr/src/# tar zxvf php-5.6.4.tar.gz
root@linux:/usr/src/# cd /php-5.6.4
root@linux:/usr/src/php-5.6.4#

root@linux:/usr/src/php-5.6.4# ./configure --prefix=/opt/php-5.6.4 --enable-fpm
...
checking libxml2 install dir... no
checking for xml2-config path...
configure: error: xml2-config not found. Please check your libxml2 installation.
[/code]!!!!!!!!!!!! UPS !!!!!!!!!!!![code]
root@linux:/usr/src/php-5.6.4# apt-get install libxml2-dev
root@linux:/usr/src/php-5.6.4# ./configure --prefix=/opt/php-5.6.4 --enable-fpm
...
creating libtool
appending configuration tag "CXX" to libtool

Generating files
configure: creating ./config.status
creating main/internal_functions.c
creating main/internal_functions_cli.c
+--------------------------------------------------------------------+
| License: |
| This software is subject to the PHP License, available in this |
| distribution in the file LICENSE. By continuing this installation |
| process, you are bound by the terms of this license agreement. |
| If you do not agree with the terms of this license, you must abort |
| the installation process at this point. |
+--------------------------------------------------------------------+

Thank you for using PHP.

config.status: creating php5.spec
config.status: creating main/build-defs.h
config.status: creating scripts/phpize
config.status: creating scripts/man1/phpize.1
config.status: creating scripts/php-config
config.status: creating scripts/man1/php-config.1
config.status: creating sapi/cli/php.1
config.status: creating sapi/fpm/php-fpm.conf
config.status: creating sapi/fpm/init.d.php-fpm
config.status: creating sapi/fpm/php-fpm.service
config.status: creating sapi/fpm/php-fpm.8
config.status: creating sapi/fpm/status.html
config.status: creating sapi/cgi/php-cgi.1
config.status: creating ext/phar/phar.1
config.status: creating ext/phar/phar.phar.1
config.status: creating main/php_config.h
config.status: executing default commands

root@linux:/usr/src/php-5.6.4# make
root@linux:/usr/src/php-5.6.4# make install
root@linux:/usr/src/php-5.6.4# cd ext
[/code]
The configure switch "--enable-fpm" will enable fpm functionality.
[b]Copying the configuration files php.ini and php-fpm.conf to correct destinations:[/b]
[code]root@linux:~# find /usr/src/ | grep -E "php\.ini|php-fpm.conf"
/usr/src/php-5.6.4/php.ini-production
/usr/src/php-5.6.4/php.ini-development
/usr/src/php-5.6.4/sapi/fpm/php-fpm.conf
/usr/src/php-5.6.4/sapi/fpm/php-fpm.conf.in
root@linux:~# cp /usr/src/php-5.6.4/php.ini-production /opt/php-5.6.4/etc/php.ini
root@linux:~# cp /usr/src/php-5.6.4/sapi/fpm/php-fpm.conf /opt/php-5.6.4/etc/
[/code]
[b]Editing fpm configuration according to our needs. I will leave defaults:[/b]
[code]root@linux:~# grep -v ^\; /opt/php-5.6.4/etc/php-fpm.conf | grep [a-z]
[global]
pid = run/php-fpm.pid
[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3[/code]
Make sure you use user and group that exist on the system. Some users will have "nobody" and others might have "www-data".

Create a symlink to /opt/php - this is for future upgrades of php, allows to easily switch to upgraded version of php since init script will point to /opt/php instead of /opt/php-version.
[code]root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# ln -sf /opt/php-5.6.4 /opt/php[/code]
Since php uses "lib/php.ini" config file by default, let's create a symlink to point to /opt/php/etc/php.ini:
[code]
root@linux:~# ln -sf /opt/php-5.6.4/etc/php.ini /opt/php-5.6.4/lib/
[/code]
[b]Create following php-fpm init script (taken from repository and modified to match this custom php installation):[/b]
[code]
root@linux:~# cat /etc/init.d/php5-fpm
#!/bin/sh
### BEGIN INIT INFO
# Provides: php-fpm php5.6-fpm
# Required-Start: $remote_fs $network
# Required-Stop: $remote_fs $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts php5-fpm
# Description: Starts PHP5 FastCGI Process Manager Daemon
### END INIT INFO

# Author: Ondrej Sury <ondrej@debian.org>

#PATH=/sbin:/usr/sbin:/bin:/usr/bin
PATH=/opt/php/sbin:/sbin:/usr/sbin:/bin:/usr/bin
DESC="PHP5 FastCGI Process Manager"
#NAME=php5-fpm
NAME=php-fpm
DAEMON=/opt/php/sbin/$NAME
#DAEMON_ARGS="--fpm-config /etc/php5/fpm/php-fpm.conf"
DAEMON_ARGS="--fpm-config /opt/php/etc/php-fpm.conf"PIDFILE=/var/run/php5-fpm.pid
TIMEOUT=30
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function to check the correctness of the config file
#
do_check()
{
[ "$1" != "no" ] && $DAEMON $DAEMON_ARGS -t 2>&1 | grep -v "\[ERROR\]"
FPM_ERROR=$($DAEMON $DAEMON_ARGS -t 2>&1 | grep "\[ERROR\]")

if [ -n "${FPM_ERROR}" ]; then
echo "Please fix your configuration file..."
$DAEMON $DAEMON_ARGS -t 2>&1 | grep "\[ERROR\]"
return 1
fi
return 0
}

#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS 2>/dev/null \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}

#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=QUIT/$TIMEOUT/TERM/5/KILL/5 --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/TERM/5/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal USR2 --quiet --pidfile $PIDFILE --name $NAME
return 0
}

case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_check $VERBOSE
case "$?" in
0)
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
1) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
check)
do_check yes
;;
reload|force-reload)
log_daemon_msg "Reloading $DESC" "$NAME"
do_reload
log_end_msg $?
;;
reopen-logs)
log_daemon_msg "Reopening $DESC logs" $NAME
if start-stop-daemon --stop --signal USR1 --oknodo --quiet \
--pidfile $PIDFILE --exec $DAEMON
then
log_end_msg 0
else
log_end_msg 1
fi
;;
restart)
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
exit 1
;;
esac

:
[/code]
Now we create startup links for all runlevels and make the script executable:
[code]
root@linux:~# chmod 755 /etc/init.d/php5-fpm
root@linux:~1# insserv php5-fpm
[/code]
Let's start php-fpm:
[code]
root@linux:~# /etc/init.d/php5-fpm start
root@linux:~# ps alxw | grep php
1 0 30013 1 20 0 15956 2116 - Ss ? 0:00 php-fpm: master process (/opt/php/etc/php-fpm.conf)
5 33 30014 30013 20 0 15956 1676 - S ? 0:00 php-fpm: pool www
5 33 30015 30013 20 0 15956 1676 - S ? 0:00 php-fpm: pool www
0 0 30017 2651 20 0 3556 760 - S+ pts/1 0:00 grep php
[/code]
[b]Downloading and installing xcache and suhosin php extensions:[/b]
[code]
root@linux:/usr/src# cd /usr/src/php-5.6.4/ext/
root@linux:/usr/src/php-5.6.4/ext# wget https://xcache.lighttpd.net/pub/Releases/3.2.0/xcache-3.2.0.tar.gz

root@linux:/usr/src/php-5.6.4/ext# tar zxvf xcache-3.2.0.tar.gz
root@linux:/usr/src/php-5.6.4/ext# cd xcache-3.2.0

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# /opt/php-5.6.4/bin/phpize
Configuring for:
PHP Api Version: 20131106
Zend Module Api No: 20131226
Zend Extension Api No: 220131226
Cannot find autoconf. Please check your autoconf installation and the
$PHP_AUTOCONF environment variable. Then, rerun this script.

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# apt-get install autoconf

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# /opt/php-5.6.4/bin/phpize
Configuring for:
PHP Api Version: 20131106
Zend Module Api No: 20131226
Zend Extension Api No: 220131226

root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# ./configure --with-php-config=/opt/php-5.6.4/bin/php-config
root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# make && make install

Installing suhosin 0.9.37 for php 5.6.4.
root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# cd ..
root@linux:/usr/src/php-5.6.4/ext# tar zxvf suhosin-0.9.37.1.tar.gz
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# /opt/php-5.6.4/bin/phpize
Configuring for:
PHP Api Version: 20131106
Zend Module Api No: 20131226
Zend Extension Api No: 220131226
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# ./configure --with-php-config=/opt/php-5.6.4/bin/php-config
root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# make && make install
[/code]

[b]Enable xcache in php: the xcache.so extension needs to be added to php.ini and also xcache configuration appended at the end of php.ini.[/b]
[code]
root@linux:~# cat /usr/src/php-5.6.4/ext/xcache-3.2.0/xcache.ini >>/opt/php/etc/php.ini
root@linux:~# grep xcache.so /opt/php/etc/php.ini
extension = xcache.so
root@linux:~# /etc/init.d/php5-fpm restart
[/code]

[b]Testing xcache is loaded in php-fpm from cli (not via phpinfo()):[/b]
[code]
root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep xcache
xcache.coredump_directory => no value => no value
xcache.disable_on_crash => Off => Off
xcache.experimental => Off => Off
xcache.test => Off => Off
xcache.admin.enable_auth => On => On
xcache.allocator => bestfit => bestfit
xcache.cacher => On => On
xcache.count => 1 => 1
xcache.gc_interval => 0 => 0
xcache.mmap_path => /dev/zero => /dev/zero
xcache.readonly_protection => Off => Off
xcache.shm_scheme => mmap => mmap
xcache.size => 60M => 60M
xcache.slots => 8K => 8K
xcache.stat => On => On
xcache.ttl => 0 => 0
xcache.var_allocator => bestfit => bestfit
xcache.var_count => 1 => 1
xcache.var_gc_interval => 300 => 300
xcache.var_maxttl => 0 => 0
xcache.var_namespace => no value => no value
xcache.var_namespace_mode => 0 => 0
xcache.var_size => 4M => 4M
xcache.var_slots => 8K => 8K
xcache.var_ttl => 0 => 0
[/code]

[b]Enabling Suhosin patch in php-fpm 5.6[/b]
First we configm suhosin is not enabled in php and then enable suhosin.so extension in php.ini:
[code]
root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep suhosin
root@linux:~# vim /opt/php/etc/php.ini
...
extension=suhosin.so
...
root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep suhosin
suhosin
suhosin.apc_bug_workaround => Off => Off
suhosin.cookie.checkraddr => 0 => 0
suhosin.cookie.cryptdocroot => On => On
suhosin.cookie.cryptkey => [ protected ] => [ protected ]
suhosin.cookie.cryptlist => no value => no value
suhosin.cookie.cryptraddr => 0 => 0
suhosin.cookie.cryptua => On => On
suhosin.cookie.disallow_nul => 1 => 1
suhosin.cookie.disallow_ws => 1 => 1
suhosin.cookie.encrypt => Off => Off
suhosin.cookie.max_array_depth => 50 => 50
suhosin.cookie.max_array_index_length => 64 => 64
suhosin.cookie.max_name_length => 64 => 64
suhosin.cookie.max_totalname_length => 256 => 256
suhosin.cookie.max_value_length => 10000 => 10000
suhosin.cookie.max_vars => 100 => 100
suhosin.cookie.plainlist => no value => no value
...
[/code]

So far so good. Xcache and suhosin are enabled and php-fpm 5.6.4 is running. Next steps are to configure nginx to operate with php on the selected port (9000). Coming soon.