Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- content:apache_phpfpm [2021/06/24 11:35] – [Howto setup a LAMP-Server in 2018-2020] Daniel
+++ content:apache_phpfpm [2022/03/19 10:55] – [Tell Apache to use php-fpm] Daniel
@@ Zeile 1: / Zeile 1: @@
-====== Small Apache PHP- FPM- Serverguide ======
+====== Apache PHP- FPM- Serverguide ======
 ===== Howto setup a LAMP-Server in 2018-2020 =====
-This documentation is about how to set up a LAMP- Server (Linux, Apache, MySql, PhP) in the current, most stable way. The Reason for me writing this is, that default Installations of common Distruibutions are often based on an old way in Server- Configuration, which is not the way it could be done today, leading to instability and complex configuration.
+This documentation is about how to set up a LAMP- Server (Linux, Apache, MySql aka MariaDB, PhP) in the current, most stable way for home office usage. The reason for me writing this is, that default Installations of common Distruibutions are often based on an old styled configuration, which is not the way it could be done today, leading to instability and complex configuration and dependencies that make it hard to update components individually.
 To get the Differences, this is how my Distro (OpenSuSE) delivers the Packages by default and which disadvanteages it has:
   * Apache-Prefork. That way, Apache is one Application with many threads - which is slower, consumes more memory and doesn't scale good
-  * PHP-Module integrated in the Apche- Server which is not released as stable and may crash the whole Apache- Server on Errors
+  * PHP-Module integrated in the Apache- Server which is not released as stable and may crash the whole Apache- Server on Errors. This module must be released to match the Apache- version, so the versions are tied together
-      * Using Network Connection to connect to
+  * PHP- Modules, which must be compiled againt the apache-mod_php- module. Updating mod_php means updating all modules.
+      * Using Network Connections with overhead to connect to
   * MariaDB
@@ Zeile 30: / Zeile 30: @@
   - Install the System with standard Desktop- Packages (KDE)
   - Boot into new Linux and Set Up Desktop as you like
 ==== Basic System- Scaling thoughts ====
@@ Zeile 75: / Zeile 74: @@
 For a local setup, you should use Sockets and disable networking. To do this, set
 <code>
 socket = /run/mysql/mysql.sock
@@ Zeile 85: / Zeile 84: @@
 Start Mysql with "rcmysqld start" at the command line as root, it should work now.
-After that had worked you should secure your Database by giving a password as it was explained by the step above when starting it. If not shure just run "<font inherit/monospace;;inherit;;#000000background-color:#ffffff;>/usr/bin/mysql_secure_installation</font>".
+After that had worked you should secure your Database by giving a password as it was explained by the step above when starting it. If not shure just run " <font inherit/monospace;;inherit;;#000000background-color:#ffffff;>/usr/bin/mysql_secure_installation</font> ".
 ==== Install Apache ====
@@ Zeile 101: / Zeile 99: @@
   * Commit the Changes
   * in /etc/apache2/server-tuning.conf the module will be configured. Event and Worker is nearby the same. I use the following parameters for the event/worker module:
 <code>
 #This Config is for event or worker MPMs.
 #ServerLimit is the maximum number of apache-servers running beside the one controlling server. So 31 will make max. 32 Processes in total.
@@ Zeile 188: / Zeile 186: @@
 </code>
 ==== PHP Configuration ====
@@ Zeile 222: / Zeile 219: @@
 For making Apache use php-fpm as php-server, you use the module "proxy_fcgi", which should be included in the apache MPM- Package.
-Caution: this has noting to do with "mod_fcgi"! You will not need mod_fcgi, as this would manage php itself in a new server, which we dont' want! "proxy_fcgi" offers the fcgi- interface and tunnels it to php-fpm. Thus, it will be a small wrapper, not having to manage something as big as php.
+Caution: this has noting to do with "mod_fcgi" or "fastcgi"! You will not need those, as this would execute php itself in the webserver, which we dont' want! "proxy_fcgi" offers the fcgi- interface and tunnels it to php-fpm via socket or ip-interface. Thus, it will be a small wrapper, not having to manage something as big as php.
   * To enable this and all its dependencies, use
-<code>
-sudo a2enmod setenvif rewrite proxy proxy_fcgi
+<code>
+sudo a2enmod setenvif
+sudo a2enmod rewrite
+sudo a2enmod proxy
+sudo a2enmod proxy_fcgi
 </code>
@@ Zeile 238: / Zeile 238: @@
 # Don't use "ProxyPassMatch", while non-ascii-urls will not work!
 # This is to forward all PHP to php-fpm
- <FilesMatch \.php$>
+<FilesMatch \.php$>
-   SetHandler "proxy:unix:/var/run/php-fpm/php-fpm.sock|fcgi://localhost/"
+  SetHandler "proxy:unix:/var/run/php-fpm/php-fpm.sock|fcgi://localhost/"
- </FilesMatch>
+</FilesMatch>
+DirectoryIndex index.php
 # Don't use "Reuse" cause of timeouts and php-fpm manages reuse of php automagically!
 # <Proxy fcgi://localhost enablereuse=on max=10>
- <Proxy fcgi://localhost>
+<Proxy fcgi://localhost>
-    #6 Hours = 21600
+   #6 Hours = 21600
-    #Make this high, as upload will stop after that amount of time
+   #Make this high, as upload will stop after that amount of time
-    ProxySet connectiontimeout=30 timeout=21600
+   ProxySet connectiontimeout=30 timeout=21600
- </Proxy>
+</Proxy>
- # If the php file doesn't exist, disable the proxy handler.
+# If the php file doesn't exist, disable the proxy handler.
- # This will allow .htaccess rewrite rules to work and
+# This will allow .htaccess rewrite rules to work and
- # the client will see the default 404 page of Apache
+# the client will see the default 404 page of Apache
- RewriteCond %{REQUEST_FILENAME} \.php$
+RewriteCond %{REQUEST_FILENAME} \.php$
- RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-f
+RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-f
- RewriteRule (.*) - [H=text/html]
+RewriteRule (.*) - [H=text/html]
 </code>
 ==== Start and check Apache ====
@@ Zeile 299: / Zeile 301: @@
 Well: You are done. Now its up to you to fill Apache with content. Have fun!
 ==== Manage Database with phpMyAdmin ====
-To manage your local Database, it would be nice to have phpMyAdmin installed first (via Package-manager). After that, copy the config.sample.inc.php to config.inc.php under /srv/www/htdocs/phpMyAdmin to use the socket <font inherit/monospace;;inherit;;#000000background-color:#ffffff;>/run/mysql/mysql.sock</font> you specified before for mysql.
+To manage your local Database, it would be nice to have phpMyAdmin installed first (via Package-manager). After that, copy the config.sample.inc.php to config.inc.php under /srv/www/htdocs/phpMyAdmin to use the socket
+ <font inherit/monospace;;inherit;;#000000background-color:#ffffff;>/run/mysql/mysql.sock</font>  you specified before for mysql.
 You can finish the setup of your phpMyAdmin by visiting [[http://localhost/phpMyAdmin/index.php|http://localhost/phpMyAdmin/index.php]]
+==== About security of your WEB- Page (Scripts) ====
+There are really a lot of important Documentations about security of your Webserver going in Details for each functionality. They are important - as functions should be set as tight as possible.
+But there are more basic security settings that may prevent damage if the functional security is breached. So the basic security might be very important - and here especially the file permissions. One big security-hole that is very common misunderstand at permissions is this one:
+**If you make a file ONLY readable for the user of the webserver (400) and make that user own that file, you may expect this user to not be able to write to that file. THIS IS WRONG !**
+Instead, in Linux/Unix the user owning a file can ALWAYs change its permissions. So the user will be able to make it writeable again and write to that file. The ONLY way to prevent the webservers- user form writing to files is not to make this user own that file. So you should make your file owned by root and use groups for controlling the access.
+If you need more detailled file permissions, you may have a look at file acls, which are very powerful and can solve permission- restrictions tha ugo may cause.
@@ Zeile 313: / Zeile 327: @@
 You may download the file, extract the contents (e.g. to ~/eclipse) and run the installer there in userspace (no superuser is required).
 ===== Filling Content to your Server =====
 This is a demo to install some small Software to your Server. I will use the github- Project [[https://github.com/obel1x/ep3-bs.git|EP3-BS]] for testing.
 ==== Install git-web ====