PHP-FPM 5.6 from source w/ Suhosin & xcache in Debian Linux
https://forum.ivorde.com/php-fpm-5-6-from-source-w-suhosin-xcache-in-debian-linux-t19621.html

Author: mandrei99 [ Wed Jan 14, 2015 8:44 am ]
php-fpm is an alternative way of running PHP as a FastCGI script instead of, let's say, a module of Apache. Visit http://php-fpm.org/ for more information on php-fpm.

Xcache is a very powerful opcache engine (along with builtin opcache, APC and others). It brings a significant boost to busy sites where many PHP scripts are executed: the opcache engine compiles these scripts and stores them in RAM instead of compiling the scripts for every visitor.

Suhosin is a 3rd party patch for PHP that has been active ever since PHP 4, iirc. It provides many security enhancements that no PHP site should run without. More info on the Suhosin website: http://www.suhosin.org/stories/install.html.

Installing prerequisites to compile php-fpm, xcache and suhosin patch:

Code:
    root@linux:/usr/src# apt-get install gcc
    root@linux:/usr/src# apt-get install build-essential
    root@linux:/usr/src# apt-get install autoconf

Fetching and installing php-fpm 5.6.4:

Code:
    root@linux:/usr/src/# wget -O php-5.6.4.tar.gz http://au1.php.net/get/php-5.6.4.tar.gz/from/this/mirror
    root@linux:/usr/src/# tar zxvf php-5.6.4.tar.gz
    root@linux:/usr/src/# cd php-5.6.4
    root@linux:/usr/src/php-5.6.4# ./configure --prefix=/opt/php-5.6.4 --enable-fpm
    ...
    checking libxml2 install dir... no
    checking for xml2-config path...
    configure: error: xml2-config not found. Please check your libxml2 installation.

configure stops because the libxml2 development files are missing. Install libxml2-dev and run configure again:

Code:
    root@linux:/usr/src/php-5.6.4# apt-get install libxml2-dev
    root@linux:/usr/src/php-5.6.4# ./configure --prefix=/opt/php-5.6.4 --enable-fpm
    ...
    creating libtool
    appending configuration tag "CXX" to libtool
    Generating files
    configure: creating ./config.status
    creating main/internal_functions.c
    creating main/internal_functions_cli.c
    +--------------------------------------------------------------------+
    | License:                                                           |
    | This software is subject to the PHP License, available in this     |
    | distribution in the file LICENSE.  By continuing this installation |
    | process, you are bound by the terms of this license agreement.     |
    | If you do not agree with the terms of this license, you must abort |
    | the installation process at this point.                            |
    +--------------------------------------------------------------------+
    Thank you for using PHP.
    config.status: creating php5.spec
    config.status: creating main/build-defs.h
    config.status: creating scripts/phpize
    config.status: creating scripts/man1/phpize.1
    config.status: creating scripts/php-config
    config.status: creating scripts/man1/php-config.1
    config.status: creating sapi/cli/php.1
    config.status: creating sapi/fpm/php-fpm.conf
    config.status: creating sapi/fpm/init.d.php-fpm
    config.status: creating sapi/fpm/php-fpm.service
    config.status: creating sapi/fpm/php-fpm.8
    config.status: creating sapi/fpm/status.html
    config.status: creating sapi/cgi/php-cgi.1
    config.status: creating ext/phar/phar.1
    config.status: creating ext/phar/phar.phar.1
    config.status: creating main/php_config.h
    config.status: executing default commands
    root@linux:/usr/src/php-5.6.4# make
    root@linux:/usr/src/php-5.6.4# make install
    root@linux:/usr/src/php-5.6.4# cd ext

The configure switch "--enable-fpm" enables the FPM functionality.

Copying the configuration files php.ini and php-fpm.conf to the correct destinations:

Code:
    root@linux:~# find /usr/src/ | grep -E "php\.ini|php-fpm.conf"
    /usr/src/php-5.6.4/php.ini-production
    /usr/src/php-5.6.4/php.ini-development
    /usr/src/php-5.6.4/sapi/fpm/php-fpm.conf
    /usr/src/php-5.6.4/sapi/fpm/php-fpm.conf.in
    root@linux:~# cp /usr/src/php-5.6.4/php.ini-production /opt/php-5.6.4/etc/php.ini
    root@linux:~# cp /usr/src/php-5.6.4/sapi/fpm/php-fpm.conf /opt/php-5.6.4/etc/

Editing the fpm configuration according to our needs. I will leave defaults:

Code:
    root@linux:~# grep -v ^\; /opt/php-5.6.4/etc/php-fpm.conf | grep [a-z]
    [global]
    pid = run/php-fpm.pid
    [www]
    user = www-data
    group = www-data
    listen = 127.0.0.1:9000
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3

Make sure you use a user and group that exist on the system. Some users will have "nobody" and others might have "www-data".

Create a symlink /opt/php pointing to /opt/php-5.6.4. This is for future upgrades of PHP: since the init script points to /opt/php instead of /opt/php-version, switching to an upgraded version of PHP only requires repointing the symlink.

Code:
    root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# ln -sf /opt/php-5.6.4 /opt/php

Since PHP uses the "lib/php.ini" config file by default, let's create a symlink there that points to /opt/php/etc/php.ini:

Code:
    root@linux:~# ln -sf /opt/php-5.6.4/etc/php.ini /opt/php-5.6.4/lib/

Create the following php-fpm init script (taken from the repository and modified to match this custom PHP installation):

Code:
    root@linux:~# cat /etc/init.d/php5-fpm
    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          php-fpm php5.6-fpm
    # Required-Start:    $remote_fs $network
    # Required-Stop:     $remote_fs $network
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: starts php5-fpm
    # Description:       Starts PHP5 FastCGI Process Manager Daemon
    ### END INIT INFO

    # Author: Ondrej Sury <ondrej@debian.org>

    #PATH=/sbin:/usr/sbin:/bin:/usr/bin
    PATH=/opt/php/sbin:/sbin:/usr/sbin:/bin:/usr/bin
    DESC="PHP5 FastCGI Process Manager"
    #NAME=php5-fpm
    NAME=php-fpm
    DAEMON=/opt/php/sbin/$NAME
    #DAEMON_ARGS="--fpm-config /etc/php5/fpm/php-fpm.conf"
    DAEMON_ARGS="--fpm-config /opt/php/etc/php-fpm.conf"
    PIDFILE=/var/run/php5-fpm.pid
    TIMEOUT=30
    SCRIPTNAME=/etc/init.d/$NAME

    # Exit if the package is not installed
    [ -x "$DAEMON" ] || exit 0

    # Read configuration variable file if it is present
    [ -r /etc/default/$NAME ] && . /etc/default/$NAME

    # Load the VERBOSE setting and other rcS variables
    . /lib/init/vars.sh

    # Define LSB log_* functions.
    # Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
    . /lib/lsb/init-functions

    #
    # Function to check the correctness of the config file
    #
    do_check()
    {
        [ "$1" != "no" ] && $DAEMON $DAEMON_ARGS -t 2>&1 | grep -v "\[ERROR\]"
        FPM_ERROR=$($DAEMON $DAEMON_ARGS -t 2>&1 | grep "\[ERROR\]")

        if [ -n "${FPM_ERROR}" ]; then
            echo "Please fix your configuration file..."
            $DAEMON $DAEMON_ARGS -t 2>&1 | grep "\[ERROR\]"
            return 1
        fi
        return 0
    }

    #
    # Function that starts the daemon/service
    #
    do_start()
    {
        # Return
        #   0 if daemon has been started
        #   1 if daemon was already running
        #   2 if daemon could not be started
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
            || return 1
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
            $DAEMON_ARGS 2>/dev/null \
            || return 2
        # Add code here, if necessary, that waits for the process to be ready
        # to handle requests from services started subsequently which depend
        # on this one.  As a last resort, sleep for some time.
    }

    #
    # Function that stops the daemon/service
    #
    do_stop()
    {
        # Return
        #   0 if daemon has been stopped
        #   1 if daemon was already stopped
        #   2 if daemon could not be stopped
        #   other if a failure occurred
        start-stop-daemon --stop --quiet --retry=QUIT/$TIMEOUT/TERM/5/KILL/5 --pidfile $PIDFILE --name $NAME
        RETVAL="$?"
        [ "$RETVAL" = 2 ] && return 2
        # Wait for children to finish too if this is a daemon that forks
        # and if the daemon is only ever run from this initscript.
        # If the above conditions are not satisfied then add some other code
        # that waits for the process to drop all resources that could be
        # needed by services started subsequently.  A last resort is to
        # sleep for some time.
        start-stop-daemon --stop --quiet --oknodo --retry=0/30/TERM/5/KILL/5 --exec $DAEMON
        [ "$?" = 2 ] && return 2
        # Many daemons don't delete their pidfiles when they exit.
        rm -f $PIDFILE
        return "$RETVAL"
    }

    #
    # Function that sends a SIGHUP to the daemon/service
    #
    do_reload() {
        #
        # If the daemon can reload its configuration without
        # restarting (for example, when it is sent a SIGHUP),
        # then implement that here.
        #
        start-stop-daemon --stop --signal USR2 --quiet --pidfile $PIDFILE --name $NAME
        return 0
    }

    case "$1" in
        start)
            [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
            do_check $VERBOSE
            case "$?" in
                0)
                    do_start
                    case "$?" in
                        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
                    esac
                    ;;
                1) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
            esac
            ;;
        stop)
            [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
            do_stop
            case "$?" in
                0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
                2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
            esac
            ;;
        status)
            status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
            ;;
        check)
            do_check yes
            ;;
        reload|force-reload)
            log_daemon_msg "Reloading $DESC" "$NAME"
            do_reload
            log_end_msg $?
            ;;
        reopen-logs)
            log_daemon_msg "Reopening $DESC logs" $NAME
            if start-stop-daemon --stop --signal USR1 --oknodo --quiet \
                --pidfile $PIDFILE --exec $DAEMON
            then
                log_end_msg 0
            else
                log_end_msg 1
            fi
            ;;
        restart)
            log_daemon_msg "Restarting $DESC" "$NAME"
            do_stop
            case "$?" in
                0|1)
                    do_start
                    case "$?" in
                        0) log_end_msg 0 ;;
                        1) log_end_msg 1 ;; # Old process is still running
                        *) log_end_msg 1 ;; # Failed to start
                    esac
                    ;;
                *)
                    # Failed to stop
                    log_end_msg 1
                    ;;
            esac
            ;;
        *)
            echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
            exit 1
            ;;
    esac

    :

Now we make the script executable and create startup links for all runlevels:

Code:
    root@linux:~# chmod 755 /etc/init.d/php5-fpm
    root@linux:~# insserv php5-fpm

Let's start php-fpm:

Code:
    root@linux:~# /etc/init.d/php5-fpm start
    root@linux:~# ps alxw | grep php
    1 0 30013 1 20 0 15956 2116 - Ss ? 0:00 php-fpm: master process (/opt/php/etc/php-fpm.conf)
    5 33 30014 30013 20 0 15956 1676 - S ? 0:00 php-fpm: pool www
    5 33 30015 30013 20 0 15956 1676 - S ? 0:00 php-fpm: pool www
    0 0 30017 2651 20 0 3556 760 - S+ pts/1 0:00 grep php

Downloading and installing xcache and suhosin php extensions:

Code:
    root@linux:/usr/src# cd /usr/src/php-5.6.4/ext/
    root@linux:/usr/src/php-5.6.4/ext# wget https://xcache.lighttpd.net/pub/Releases/3.2.0/xcache-3.2.0.tar.gz
    root@linux:/usr/src/php-5.6.4/ext# tar zxvf xcache-3.2.0.tar.gz
    root@linux:/usr/src/php-5.6.4/ext# cd xcache-3.2.0
    root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# /opt/php-5.6.4/bin/phpize
    Configuring for:
    PHP Api Version: 20131106
    Zend Module Api No: 20131226
    Zend Extension Api No: 220131226
    Cannot find autoconf. Please check your autoconf installation and the
    $PHP_AUTOCONF environment variable. Then, rerun this script.
    root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# apt-get install autoconf
    root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# /opt/php-5.6.4/bin/phpize
    Configuring for:
    PHP Api Version: 20131106
    Zend Module Api No: 20131226
    Zend Extension Api No: 220131226
    root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# ./configure --with-php-config=/opt/php-5.6.4/bin/php-config
    root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# make && make install

Installing suhosin 0.9.37 for php 5.6.4:

Code:
    root@linux:/usr/src/php-5.6.4/ext/xcache-3.2.0# cd ..
    root@linux:/usr/src/php-5.6.4/ext# tar zxvf suhosin-0.9.37.1.tar.gz
    root@linux:/usr/src/php-5.6.4/ext# cd suhosin-0.9.37.1
    root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# /opt/php-5.6.4/bin/phpize
    Configuring for:
    PHP Api Version: 20131106
    Zend Module Api No: 20131226
    Zend Extension Api No: 220131226
    root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# ./configure --with-php-config=/opt/php-5.6.4/bin/php-config
    root@linux:/usr/src/php-5.6.4/ext/suhosin-0.9.37.1# make && make install

Enable xcache in PHP: the xcache.so extension needs to be added to php.ini, and the xcache configuration appended at the end of php.ini.

Code:
    root@linux:~# cat /usr/src/php-5.6.4/ext/xcache-3.2.0/xcache.ini >>/opt/php/etc/php.ini
    root@linux:~# grep xcache.so /opt/php/etc/php.ini
    extension = xcache.so
    root@linux:~# /etc/init.d/php5-fpm restart

Testing that xcache is loaded in php-fpm from the CLI (not via phpinfo()):

Code:
    root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep xcache
    xcache.coredump_directory => no value => no value
    xcache.disable_on_crash => Off => Off
    xcache.experimental => Off => Off
    xcache.test => Off => Off
    xcache.admin.enable_auth => On => On
    xcache.allocator => bestfit => bestfit
    xcache.cacher => On => On
    xcache.count => 1 => 1
    xcache.gc_interval => 0 => 0
    xcache.mmap_path => /dev/zero => /dev/zero
    xcache.readonly_protection => Off => Off
    xcache.shm_scheme => mmap => mmap
    xcache.size => 60M => 60M
    xcache.slots => 8K => 8K
    xcache.stat => On => On
    xcache.ttl => 0 => 0
    xcache.var_allocator => bestfit => bestfit
    xcache.var_count => 1 => 1
    xcache.var_gc_interval => 300 => 300
    xcache.var_maxttl => 0 => 0
    xcache.var_namespace => no value => no value
    xcache.var_namespace_mode => 0 => 0
    xcache.var_size => 4M => 4M
    xcache.var_slots => 8K => 8K
    xcache.var_ttl => 0 => 0

Enabling Suhosin patch in php-fpm 5.6

First we confirm suhosin is not enabled in PHP, then enable the suhosin.so extension in php.ini:

Code:
    root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep suhosin
    root@linux:~# vim /opt/php/etc/php.ini
    ...
    extension=suhosin.so
    ...
    root@linux:~# /opt/php/sbin/php-fpm -i 2>/dev/null | grep suhosin
    suhosin
    suhosin.apc_bug_workaround => Off => Off
    suhosin.cookie.checkraddr => 0 => 0
    suhosin.cookie.cryptdocroot => On => On
    suhosin.cookie.cryptkey => [ protected ] => [ protected ]
    suhosin.cookie.cryptlist => no value => no value
    suhosin.cookie.cryptraddr => 0 => 0
    suhosin.cookie.cryptua => On => On
    suhosin.cookie.disallow_nul => 1 => 1
    suhosin.cookie.disallow_ws => 1 => 1
    suhosin.cookie.encrypt => Off => Off
    suhosin.cookie.max_array_depth => 50 => 50
    suhosin.cookie.max_array_index_length => 64 => 64
    suhosin.cookie.max_name_length => 64 => 64
    suhosin.cookie.max_totalname_length => 256 => 256
    suhosin.cookie.max_value_length => 10000 => 10000
    suhosin.cookie.max_vars => 100 => 100
    suhosin.cookie.plainlist => no value => no value
    ...

So far so good. Xcache and suhosin are enabled and php-fpm 5.6.4 is running. Next steps are to configure nginx to operate with PHP on the selected port (9000). Coming soon.
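The [www] pool settings shown earlier (user, group, listen) can be checked before the daemon is started. The script below is an added example, not part of the original post: it verifies that the pool user exists and is not root, that the group (if set) exists, and that listen is a Unix socket or a loopback address. It assumes a single pool and local accounts in passwd/group files; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: lint one php-fpm pool config.
# Assumes a single pool and local accounts (passwd/group files, no NSS lookup).

# fpm_get FILE KEY: print the last "KEY = value", ignoring ';' comments.
fpm_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | tail -n 1
}

# has_name FILE NAME: true if NAME is the first ':'-separated field of a line.
has_name() { awk -F: -v n="$2" '$1 == n { f = 1 } END { exit !f }' "$1"; }

# check_fpm_pool CONF [PASSWD] [GROUP]: print findings, return their count.
check_fpm_pool() {
    conf=$1; passwd=${2:-/etc/passwd}; grp=${3:-/etc/group}; n=0
    user=$(fpm_get "$conf" user)
    group=$(fpm_get "$conf" group)
    listen=$(fpm_get "$conf" listen)

    if [ -z "$user" ] || ! has_name "$passwd" "$user"; then
        echo "FAIL: user '$user' does not exist"; n=$((n + 1))
    elif [ "$user" = root ]; then
        echo "FAIL: pool workers run as root"; n=$((n + 1))
    fi
    # group is optional in php-fpm; when set it must exist
    if [ -n "$group" ] && ! has_name "$grp" "$group"; then
        echo "FAIL: group '$group' does not exist"; n=$((n + 1))
    fi
    case $listen in
        /*|127.*:*|localhost:*|'[::1]':*) ;;  # unix socket or loopback only
        '') echo "FAIL: no listen directive"; n=$((n + 1)) ;;
        *)  echo "FAIL: listen '$listen' accepts non-local connections"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample: the pool from the post plus constructed account files.
demo() {
    d=$(mktemp -d)
    printf '[www]\nuser = www-data\ngroup = www-data\nlisten = 127.0.0.1:9000\n' > "$d/conf"
    printf 'root:x:0:0::/root:/bin/sh\nwww-data:x:33:33::/var/www:/bin/false\n' > "$d/passwd"
    printf 'root:x:0:\nwww-data:x:33:\n' > "$d/group"
    check_fpm_pool "$d/conf" "$d/passwd" "$d/group" && echo "pool config OK"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then check_fpm_pool "$@"; else demo; fi
```

Run it with the config path as the first argument (for this install, /opt/php/etc/php-fpm.conf); the exit status is the number of findings.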