Php – Debian 9 Stretch LAMP Setup With Sandboxed Users using FPM

I'm trying to set up Apache and FPM on Debian 9 the way we had previously done with Debian 7 and 8. Due to, I believe, the deprecation of mod_fastcgi in favor of mod_proxy_fcgi in Apache 2.4 and the subsequent removal of it from the Debian 9 apt repos, I have been unable to accomplish our previous setup. Basically, we were using FPM to sandbox multiple sites on a single server (a staging/dev server). The end result was that each site was owned and grouped to one user each and FPM ran the site under processes for that particular user.

Here is an example Apache vhost we were using:

FastCgiExternalServer /home/siteusername/www/php5-fcgi -socket /tmp/php5-fpm-siteusername.sock -pass-header Authorization

<VirtualHost *:80>
   DocumentRoot /home/username/www/domain.com/public_html/
   ServerName www.domain.com

   <Directory /home/siteusername/www/domain.com/public_html/>
      AllowOverride all
   </Directory>

   <Directory /home/siteusername/www/>
       Require all granted
       AllowOverride all
   </Directory>

   AddHandler php5-fcgi .php
   Action php5-fcgi /php5-fcgi
   Alias /php5-fcgi /home/siteusername/www/php5-fcgi

   <ifModule mod_headers.c>
      Header set X-Robots-Tag "noindex"
   </ifModule>
</VirtualHost>

Here is an example FPM config we were using:

[siteusername]
listen = /tmp/php5-fpm-siteusername.sock

listen.allowed_clients = 127.0.0.1
listen.owner = www-data
listen.group = www-data

user = siteusername
group = siteusername

pm = ondemand
pm.max_children = 50

php_admin_value[upload_tmp_dir] = /home/siteusername/tmp/upload
php_admin_value[session.save_path] = /home/siteusername/tmp/session

That exact setup on Debian 9 with Apache 2.4, PHP 7.0, FPM 7.0, with mod_proxy_fcgi (and updated version numbers) results in an error when starting Apache:

Invalid command 'FastCgiExternalServer', perhaps misspelled or defined by a module not included in the server configuration

I'm assuming that command was part of mod_fastcgi and without it, I seem unable to run the sites under their own users. Instead, they run under www-data as any normally configured Apache site would.

I have so far been unable to find the documentation on how to accomplish this configuration. Does anyone have any idea what the updated configs for mod_proxy_fcgi is?

FastCgiExternalServer /home/siteusername/www/php5-fcgi -socket /tmp/php5-fpm-siteusername.sock -pass-header Authorization ... AddHandler php5-fcgi .php Action php5-fcgi /php5-fcgi Alias /php5-fcgi /home/siteusername/www/php5-fcgi

Best Answer

Try this.

In your FPM definition, ADAPT the socket name to match the correct php version

[siteusername]
listen = /tmp/php7-fpm-siteusername.sock

(In Debian 9 it's no longer php5 but php7)

In your Vhost definition REMOVE the following

In the same vhost definition ADD the following

<FilesMatch \.php$>
   SetHandler "proxy:unix:/tmp/php7-fpm-siteusername.sock|fcgi://localhost"
</FilesMatch>

As alternative, you can ADD the following in your vhost definition

ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/tmp/php7-fpm-siteusername.sock|fcgi://localhost/home/siteusername/www/"

Be sure to have the modules mod_proxy and mod_proxy_fcgi enabled

a2enmod proxy proxy_fcgi

Best Answer

Related Solutions

Apache ProxyPass worker name too long

Apache 2.4 virtualhost_alias with php5-fpm and proxy_fcgi

Related Topic