PHP-FPM Mod

34 posts / 0 new
Last post
#1 Fri, 07/27/2012 - 19:34
pcfreak30

PHP-FPM Mod

Ok well I have spent a long time via different methods to do this.

I tried using mod_fastcgi but then went to mod_proxy_fcgi and apache 2.4. Due to the fact that so much shit breaks in 2.4 with ruby, python, perl and many other things I have got back to 2.2.

Well out of a stoke of luck from lots of googles, i found a module to allow EXACTLY what I needed. mod_fastcgi_handler.

This requires 1 line of code and will connect to PHP-FPM via either UNIX sock or TCP/IP.

My mod uses unix for efficiency. Now an example is AddHandler fcgi:/var/php/www.com.sock .php

I have debated on whether to release this or not. I thought it would be just more hassle than its worth to keep patching files..

This is technical V2 of my mod.

Now you need apache2-dev (debian-based) or http-devel (centos/redhat/fedora).

Download https://github.com/hollow/mod_fastcgi_handler and compile via instructions. Then enable in apache2.

Take the modified files from the link at the bottom and overwrite in the virtual-server module and restart webmin. These are for virtualmin 3.93.

After you need php5-fpm/php-fpm installed.

You will find a new php mode. Use it and enjoy.

To the devs, I know ALOT of ppl have asked for this and there was no good way to do it. I don't know how this interacts with suexec, but every domain, sub-domain/sub-server has its own pool running as the user its under so permissions would apply.

I hope you add this into VM so I don't need to keep re-hacking as this is a very good system IMHO.

Thanks for reading and I hope you enjoy my work.

Peace..

Download: https://dl.dropbox.com/s/sdek89ng0giadt9/vm-modded.zip?dl=1

Fri, 07/27/2012 - 22:23
pcfreak30

Oh and I am not sure WHY this is happening but I am having to use:

if (&has_command("php-fpm") || &has_command("php5-fpm")}) {

instead of

if ((&has_command("php-fpm") || &has_command("php5-fpm")) && $apache::httpd_modules{'mod_fastcgi_handler'}) {

Because the module isn't in the hash even when enabled and it doesn't make sense. Is there an apache module cache someplace?

I also updated the zip file and made structured folders as well as a mod_fastcgi_handler.pl script for the module.

Sat, 07/28/2012 - 02:59
pcfreak30

Also a small note. You need to chmod /var/php to 755 or higher as it gets set at 000. If you don't you will get a internal server error.

Mon, 07/30/2012 - 12:07
Adub

Dude this is awesome! I've just started researching PHP FPM, and I was hoping that it had some way of running in Virtualmin. Thank you very much for releasing this! I hope the devs see it and work on incorporating it into Virtualmin!

When I have the time, I'll give this a shot on my test CentOS server.

Mon, 07/30/2012 - 12:12
Adub

Oh, and have you thought about uploading the code to a Github repository?

Mon, 07/30/2012 - 12:22
Adub

Hmm, looking at the mod_fcgi_handler link above, it looks like the author is no longer supporting the project.

Is this project the best alternative available, or would something like mod_proxy_fcgi work?

Wed, 08/01/2012 - 08:27 (Reply to #6)
pcfreak30

Thats the technical gotcha.

If you read i was on 2.2 THEN went to 2.4.

I coded this for the proxy directives bit too much shit was unsupported and I had to use custom deb's and a whole bunch of mess. That was with mod_proxy_fcgi.

This is the only way I have gotten it to work repeatedly as I can not get mod_fastcgi to work as I need.

So if its un-maintained that isn't good but I will be using this in my hosting company until apache 2.4 is more mainstream. I can't stand FCGID as its a ram hog with many websites. ATM our servers generally don't go over 1.5 GB ram and thats with everything running. At time of writing this our server with our hosting site is using 1.47 GB ram and is extremely fast.

Sat, 09/29/2012 - 11:02
vanarie

I've been working on PCI compliance and really need to upgrade to Apache 2.4.2. It's been a very frustrating process so far! My hosting company tells me that I can do it manually, but then ANY software updates will not work under the Virtualmin GUI. (I assume yum update would work fine).

Just to confirm, is this a workaround to install 2.4.2 and helpfully not break anything? Incidentally, I found a walkthrough to installing all of this from scratch (http://linuxhospital.wordpress.com/2012/09/19/installing-apache-from-sou...), but haven't tested it.

Any feedback would be appreciated. I love Webmin but dislike that the newest version isn't supported officially.

Thu, 10/04/2012 - 07:05
nk

This mod working with nginx?

Mon, 11/05/2012 - 08:29
eddieb

On a production server, is there STILL no way to run FastCGI with PHP-FPM or has something changed recently?

Thanks

Sun, 12/16/2012 - 00:13
aww

I am not quite following, why would you stop using mod_fastcgi and go to the mod_fastcgi_handler?

Does mod_fastcgi no longer work under Apache 2.4 ?

Oooh I see this comment on nginx "mod_fastcgi 2.4.6 no longer compiles against the Apache 2.4 tree"

Here is a version that does https://github.com/ByteInternet/libapache-mod-fastcgi

Sun, 12/16/2012 - 06:55 (Reply to #11)
eddieb

Because I want to use APC caching, and FCGID wastes memory, as it keeps one cache per process. In order to use APC properly in apache < 2.4, you need to use FASTCGI/PHP-FPM.

To sum it up: AFAIK, in Apache 2.4 you can use APC with PHP 5.3. In PHP 6 you will be able to use APC (it's built in) even with Apache < 2.4

Cheers

Sun, 12/16/2012 - 22:10 (Reply to #12)
aww

Ah okay, I definitely understand the multiple cache problem, didn't know this solved that. I think the other solution is to run it as apache/nobody which just makes one big process/cache for the one user.

Mon, 12/17/2012 - 02:05 (Reply to #13)
eddieb

But you can't do that on a shared environment, correct? Regardless, does virtualmin natively support running it as apache/nobody ?

Wed, 07/03/2013 - 20:39
diablo2nd

Hi, Are these instructions still valid? I've just run through the steps and come across a per execution error

HTTP/1.0 500 Perl execution failed Server: MiniServ/1.630 Date: Wed, 3 Jul 2013 18:37:02 GMT Content-type: text/html; Charset=iso-8859-1 Connection: close

Error - Perl execution failed

Undefined subroutine &virtual_server::get_domain_web_ssi called at /usr/libexec/webmin/virtual-server/edit_phpmode.cgi line 100.
Sun, 10/05/2014 - 10:47
skelgaard

patch for the latest version ?

also why has this not been implemented in core yet ?

Sun, 10/05/2014 - 11:25
emilorol

I just posted a working setup to get virtualmin working with NGINX and PHP-FPM:

https://virtualmin.com/node/34427

Sun, 10/05/2014 - 11:56
skelgaard

thanx emilorol, but i much prefer the other way, as it still keeps the security of virtualmin by running each website as it own user and as far as i can see in that post, it is running all on the nginx user.

Sun, 10/05/2014 - 20:56
emilorol

Yes, the setup run all sites under the nginx user and that is why I mention:

You might have to weight your needs against the benefits of this setup.

Maybe the Virtualmin developers will have mercy and finish the so needed module in a world where VPS are taking over and their price continuously dropping.

Wed, 10/08/2014 - 14:41
emilorol

Hi @skelgaard,

I found a way to have PHP-FPM run as the domain user.

http://virtualmin.com/node/34427#comment-138344

Please take a look and let me know.

Wed, 10/08/2014 - 15:51
skelgaard

yup that works if you do manually creating etch users file as far as i can see... thats what i'm using now too with manual edit

Would be so nice, if this was implemented in the core, to do it automatic.

Wed, 10/08/2014 - 16:31
emilorol

Would be so nice, if this was implemented in the core, to do it automatic.

What if we put together a fund or crowdfunding so that a Webmin developer can dedicate time to it?

And while at it benefit all the users that use or can use this feature

Sat, 10/25/2014 - 17:15 (Reply to #22)
EcchiOli

At first I was skeptical, but if the "crowdfunding a developer" idea is popular and gathers somehow enough audience, that wouldn't be bad, yeah... Though, no idea how much that would cost, first thing...

Sat, 10/25/2014 - 17:29 (Reply to #23)
skelgaard

if the coders could give an answer if they are planing om moving on this or need funding before they will would help alot

Sun, 10/26/2014 - 08:00
emilorol

I am glad you guys like the "crowdfunding a developer" idea.

Where should we put the ad, Jobs or Developers? It should also include the time and cost of the development of the module.

Note: this might become a new trend on this site. I will be even better if we can get some comment from existing developers.

Sun, 10/26/2014 - 22:24
emilorol

Just to let you know that Joe will be taking a swing at the issue:

http://virtualmin.com/node/34144#comment-139131

Sat, 01/03/2015 - 12:07
emilorol

Hi,

Just checking in to see if there is any updated about the PHP-FPM native implementation?

@Joe: is the crowdfunding set up yet?

Mon, 02/16/2015 - 19:48
Joe
Joe's picture

OK, I'm back onto this subject, while messing around with our website migration.

We're going to use mod_proxy_fcgi rather than mod_fcgi_handler, so I can't really work from the example provided here. Being in Apache core for most of our current crop of systems is a killer feature, and the rationale for the creation of mod_fcgi_handle (lack of UNIX domain sockets in mod_proxy_fcgi) isn't the case anymore. It looks like UDS was added to mod_proxy_fcgi in Apach 2.4.7 or 2.4.8 (conflicting reports about exactly when, I'm researching it, so we'll know when we can use it). Configuration is no more complicated than mod_fcgid and less complicated than many other configurations we support (particularly Ruby on Rails deployments, though adding support for mod_proxy_fcgi can potentially simplify that, too).

Does anyone who has tinkered with this know if UDS has been backported to the CentOS httpd 2.4.6 packages? I need to research which version of Apache ships with the current generation of Ubuntu and Debian, as we'll need to enforce network sockets if UDS isn't available. There's also the problem in either case (which I guess can also be true in mod_fcgid, though it probably shows up differently) of network socket limits on high load servers.

There's some trickiness in that we have to have a different socket for each php-fpm process, and oddly the configuration seems to hint that we also have to have a different address:port combo, which seems weird and unnecessary, but as long as we don't make it user controllable, it should be safe.

Finally, by switching to php-fpm, we lose the ability to have a per-user php.ini, which mod_fcgid provides. I don't know how big of a deal this is...and, maybe it's even a benefit, since a user could abuse php.ini to perform DoS attacks on other users who share the system (by consuming more resources than their fair share). These values can be set in .htaccess using php_admin_value settings, but I don't think we currently make that available by default...but maybe we do. I dunno. I'll discuss it with Jamie on Thursday.

This isn't imminent; it'll be a couple of weeks before I expect to have code written, but I did want to chime in with the results of my research. I'm convinced this is a better way to run PHP on modern Apache versions, and I'm convinced that at least its developers believe it is secure enough for shared hosting environments.

--

Check out the forum guidelines!

Thu, 02/26/2015 - 17:42
pcmerc

I do things a bit differently.

After installing virtualmin create directory /etc/skel/var/run

I add the following to the apache server template config:

# FastCGI
FastCGIExternalServer /home/${DOM}/cgi-bin/fastcgi -socket /home/${DOM}/var/run/php5-fpm.sock -idle-timeout 900 -pass-header Authorization,X-Forwarded-For

# Define FastCGI interface to PHP...
AddHandler php-fastcgi .php
Action php-fastcgi /cgi-bin/fastcgi
# End FastCGI interface

I then have a script that gets executed upon creation that creates the /etc/php5/fpm/pool.d/$dom.conf
Uses sed to comment out the fcgid crap from the apache2 config that gets created & php_values as mod_php gets disabled and restarts php5-fpm.

php5-fpm is configured to use a socket not IP as that adds overhead to the network stack.

When an instance is deleted, the script removes any left over configs that were created in addition to the standard virtualmin config generation.

No need to mangle any virtualmin base code so upgrades to the virtualmin packages don't affect my configs / builds.

Fri, 04/03/2015 - 14:02
lostandfound

@Joe You asked "Does anyone who has tinkered with this know if UDS has been backported to the CentOS httpd 2.4.6 packages?"

It looks as though it has been and is shipping with CentOS 7.1 . As far as I can tell the Apache version you are looking for is "httpd-2.4.6-31.el7.x86_64.rpm" (so anything 31+) should include Unix Domain Sockets. This is confirmed by * With this update, the mod_proxy module of the Apache HTTP Server supports the Unix Domain Sockets (UDS). This allows mod_proxy back ends to listen on UDS sockets instead of TCP sockets, and as a result, mod_proxy can be used to connect UDS back ends. (BZ#1168081) which can be found at https://rhn.redhat.com/errata/RHSA-2015-0325.html .

Also, you mention the concerns over php.ini . It is worth noting that you can set php_value and php_fag values direct in the php.conf. They can be set to override or be overridden the 'normal' php.ini .

Fri, 07/31/2015 - 17:50
aedifex

Hi Joe,

Was curious, any news on this subject? When could we expect PHP-FPM support in Virtualmin (Pro)?

Thanks,

Patrick

Fri, 07/31/2015 - 22:04
andreychek

Howdy,

This is a feature we'd like to add, but not a lot of work has been done on that yet. Sorry for the delay, I know some of you are excited about seeing this.

Hopefully you'll see something in the not-too-distant future on this :-)

-Eric

Fri, 06/24/2016 - 20:39
tripkin

I am trying to get DaviCAL working, and not having FPM seems to be a big deterrant. Unless someone has done it and can give me some help. For that reason alone, I would like to have it!

Thanks, all the hard work is much appreciated!

Fri, 10/28/2016 - 14:00
sfatula

I thought php-fpm was enabled by default on certain linux distributions now? If so, hopefully you will add this feature sooner! It's extremely useful.

Topic locked