alternc-php-fpm's Introduction

Get the package

Build your own package

You can compile this package with:

    apt install build-essential debhelper git
    git clone https://github.com/AlternC/alternc-php-fpm
    cd alternc-php-fpm
    dpkg-buildpackage -us -uc

From GitHub

You can obtain the nightly and latest stable packages from the dedicated releases page.

From our repository

Our stable repository is available at https://debian.alternc.org

    echo "deb http://debian.alternc.org/ $(lsb_release -cs) main" >> /etc/apt/sources.list.d/alternc.list
    wget https://debian.alternc.org/key.txt -O - | apt-key add -
    apt update

Dependency

Before installing the alternc-php-fpm package you need an NSS sync. We provide two options:

  • alternc-nss
  • alternc-nss-sync

These packages are available at https://github.com/AlternC/alternc-nss and https://github.com/AlternC/alternc-nss/tree/nss-sync. On huge hosting platforms we suggest preferring the nss-sync version.

How to use

This package supports both AlternC 3.3 and 3.5. An autodetection script adapts the template installation to the AlternC version. A php-fpm type is created for each FPM version detected in the /etc/php/ directory during installation. When a new phpX.Y-fpm package is detected, AlternC installs the related template.

A version-agnostic php-fpm template is provided in the /etc/alternc/templates/3.x/apache2 directory. All php-fpm templates are derived from this template. Once a php-fpm template is set, you can override it. The installation process doesn't overwrite any php-fpm template.

If a phpX.Y-fpm package is removed, the type is also removed from AlternC and is no longer offered. All existing domains keep their template. The admin must update them subdomain by subdomain.

Sury Dependencies

This package relies heavily on the great packaging by Ondrej Sury, available at: Sury packages. Ondrej provides all versions of PHP (from 5.6 to 8.x) for all current versions of Debian (from oldoldstable to testing).

To use this repository:

    wget https://packages.sury.org/php/README.txt -O install.sh
    bash -x install.sh

In this case don't forget to pin this repository:

    nano /etc/apt/preferences.d/sury

    Package: *
    Pin: origin "packages.sury.org"
    Pin-Priority: 100

    Package: libpcre*
    Pin: origin "packages.sury.org"
    Pin-Priority: 500

    Package: libapache2-mod-php*
    Pin: origin "packages.sury.org"
    Pin-Priority: 500

    Package: php*
    Pin: origin "packages.sury.org"
    Pin-Priority: 500

alternc-php-fpm's People

Contributors

camlafit, vincib

alternc-php-fpm's Issues

Manual PHP-FPM config

In some specific cases (a Nextcloud instance, for example) we should be able to modify the PHP-FPM pool manually without its config being overwritten at the next cron run.

Basically, make it work like the Nginx VHOSTs, notably when the config file name contains .manual. rather than .alternc.

Proposed change of presentation in the interface + bug fixes

A few improvements, bug fixes, and a proposed change to how the fpm options are presented in the AlternC interface.

The proposed changes related to the AlternC interface are here: AlternC/AlternC#351

On the alternc-php-fpm package side:

  1. I added the http, https and both versions to each apache2 template, for the case where alternc-certbot is used
    Example for php7.0-fpm
  • php70-fpm-http.conf
# %%fqdn%%
<Virtualhost *:443>
  ServerName %%fqdn%%
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
  KeepAlive Off

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine On
  RewriteCond %{REQUEST_FILENAME} !/cgi-bin/
  RewriteCond %{REQUEST_FILENAME} !/.well-known/acme-challenge/
  RewriteRule ^/(.*)$ http://%%fqdn%%/$1 [R=301,L]

  SSLEngine On
  SSLCertificateFile %%CRT%%
  SSLCertificateKeyFile %%KEY%%
  %%CHAINLINE%%

</Virtualhost>
<VirtualHost *:80>
  ServerName %%fqdn%%
  DocumentRoot "%%document_root%%"
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine on
  RewriteCond %{QUERY_STRING} (%2d|-)d.*auto_prepend  [NC]
  RewriteRule .? - [F,L]

  <Directory "%%document_root%%">
    require all granted
    Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Options Indexes
    php_admin_flag engine off
  </Directory>
</VirtualHost>
  • php70-fpm-https.conf
# %%fqdn%%
<Virtualhost *:80>
  ServerName %%fqdn%%
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
  KeepAlive Off

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine On
  RewriteCond %{REQUEST_FILENAME} !/cgi-bin/
  RewriteCond %{REQUEST_FILENAME} !/.well-known/acme-challenge/
  RewriteRule ^/(.*)$ https://%%fqdn%%/$1 [R=301,L]

</Virtualhost>
<VirtualHost *:443>
  ServerName %%fqdn%%
  DocumentRoot "%%document_root%%"
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine on
  RewriteCond %{QUERY_STRING} (%2d|-)d.*auto_prepend  [NC]
  RewriteRule .? - [F,L]

  <Directory "%%document_root%%">
    require all granted
    Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Options Indexes
    php_admin_flag engine off
  </Directory>

  SSLEngine On
  SSLCertificateFile %%CRT%%
  SSLCertificateKeyFile %%KEY%%
  %%CHAINLINE%%

</VirtualHost>
  • php70-fpm-both.conf
# %%fqdn%%
<VirtualHost *:80>
  ServerName %%fqdn%%
  DocumentRoot "%%document_root%%"
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine on
  RewriteCond %{QUERY_STRING} (%2d|-)d.*auto_prepend  [NC]
  RewriteRule .? - [F,L]

  <Directory "%%document_root%%">
    require all granted
    Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Options Indexes
    php_admin_flag engine off
  </Directory>
</VirtualHost>
<VirtualHost *:443>
  ServerName %%fqdn%%
  DocumentRoot "%%document_root%%"
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine on
  RewriteCond %{QUERY_STRING} (%2d|-)d.*auto_prepend  [NC]
  RewriteRule .? - [F,L]

  <Directory "%%document_root%%">
    require all granted
    Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Options Indexes
    php_admin_flag engine off
  </Directory>

  SSLEngine On
  SSLCertificateFile %%CRT%%
  SSLCertificateKeyFile %%KEY%%
  %%CHAINLINE%%

</VirtualHost>
  1. Modified the existing apache2 templates (example for fpm-7.0)
# %%fqdn%%
<VirtualHost *:80>
  ServerName %%fqdn%%
  DocumentRoot "%%document_root%%"
  AssignUserId #%%UID%% #%%GID%%
  SetEnv LOGIN "%%UID%%-%%LOGIN%%"
  SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    
  <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php7.0-%%LOGIN%%.sock|fcgi://localhost"
  </FilesMatch>

  RewriteEngine on
  RewriteCond %{QUERY_STRING} (%2d|-)d.*auto_prepend  [NC]
  RewriteRule .? - [F,L]

  <Directory "%%document_root%%">
    require all granted
    Options +MultiViews -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Limit Options Indexes
    php_admin_flag engine off
  </Directory>
</VirtualHost>
  • removed options that are now found in the fpm pool config
  1. Modified the fpm templates (example for fpm-7.0)
[%%LOGIN%%]
user = %%LOGIN%%
group = %%LOGIN%%
listen = /run/php/php7.0-%%LOGIN%%.sock
listen.owner = %%LOGIN%%
listen.group = %%LOGIN%%
pm = ondemand
pm.max_children = 10
pm.process_idle_timeout = 60s
pm.max_requests = 1000
catch_workers_output = yes
php_admin_value[open_basedir] = "%%account_root%%"
php_admin_value[upload_tmp_dir] = %%account_root%%/tmp
env[TMP] = %%account_root%%/tmp
env[TMPDIR] = %%account_root%%/tmp
env[TEMP] = %%account_root%%/tmp
php_admin_value[sys_temp_dir] = %%account_root%%/tmp
php_admin_value[sendmail_path] = '/usr/lib/alternc/sendmail "%%mail_account%%" '
php_admin_flag[mail.add_x_header] = on
  1. Permissions problem on the /var/run/php directory.
    The sockets must be accessible by all alternc users.
    0750 on this directory does not allow that.

I changed the permissions to 0755.
There may be a better approach. Security-wise, it may not be good to do it this way.

  1. php7-fpm script called by cron:
while ($db->next_record()) {
      $version=substr($db->f("type"),3,1).".".substr($db->f("type"),4,1);
      $user=$db->f("login");
      $allpools[$version][]=$user;
      if ($force || !is_file("/etc/php/".$version."/fpm/pool.d/".$user.".alternc.conf")) {
          myecho("Creating php $version fpm pool for user $user");
          $content=file_get_contents("/etc/alternc/templates/php/fpm-".$version);
          $content=str_replace("%%LOGIN%%",$user,$content);

          $account_root=ALTERNC_HTML . substr($user, 0, 1) . "/" . $user;
          $content=str_replace("%%account_root%%",$account_root,$content);

          $mail_account=$user."@".$L_FQDN;
          $content=str_replace("%%mail_account%%",$mail_account,$content);

          file_put_contents("/etc/php/".$version."/fpm/pool.d/".$user.".alternc.conf",$content);

          $reload[$version]=$version;
      }
}
  • Several variables to replace in the fpm template have to be retrieved.
// now delete pools we don't need anymore
foreach($allversions as $version) {
    $d=opendir("/etc/php/$version/fpm/pool.d"   );
    while (($c=readdir($d))!==false) {
        if (preg_match('#/?([^\.]*).alternc.conf$#',$c,$mat)) {
            $user=$mat[1];
            if (! isset($allpools[$version]) || !in_array($user,$allpools[$version])) {
                echo("Deleting php $version fpm pool for user $user");
                @unlink("/etc/php/".$version."/fpm/pool.d/".$user.".alternc.conf");
                $reload[$version]=$version;
            }
        }
    }
}
  • added a ? in the preg_match so that the / is not mandatory (I don't know why a / is wanted at this point or whether it's just a mistake),
  • "if (! isset($allpools[$version]) || !in_array($user,$allpools[$version])) {" -> added an isset test to avoid an email with a PHP notice
// now reloads php fpm versions
foreach($reload as $service) {
    passthru("systemctl reload php".$service."-fpm");
}
  • safer way to restart the fpm services. For example, we don't have init.d scripts for all installed fpm versions, so they were never restarted.

With all this, we now have a working php-fpm + certbot, and users can choose the PHP version they want; it's really great.

Missing PHP 8.0 dependencies

Commit #27c3b5e introduces PHP 8.0 support, but the dependencies are missing in debian/control.
I'll push a PR for that.

phpx.x-fpm services fail to reload

If the services are not running, /usr/lib/alternc/php7-fpm will fail with, for instance:

Reloading phpx.x-fpm configuration (via systemctl): phpx.x-fpm.servicephpx.x-fpm.service is not active, cannot reload.
 failed!

An easy way is to add an OR in the reload call to ensure the service is started if not running:
passthru("/etc/init.d/php".$service."-fpm reload || /etc/init.d/php".$service."-fpm start");

Which works properly:

Reloading php8.2-fpm configuration (via systemctl): php8.2-fpm.servicephp8.2-fpm.service is not active, cannot reload.                                                          
 failed!
Starting php8.2-fpm (via systemctl): php8.2-fpm.service.

Allow catch error 40x 50X

Hi

In some cases a user tries to override the ErrorDocument feature in their .htaccess, e.g. ErrorDocument 404 /404.php
Any wrong URL with a php extension will be caught by fpm and not by ErrorDocument, as we have set a <FilesMatch \.php$> on the VirtualHost. This directive takes precedence over .htaccess.

It looks natural to change this behavior, and we have two options to change the fpm template:

<FilesMatch \.php$>
<If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:/run/php/php7.3-user.sock|fcgi://localhost"
</If>
</FilesMatch>

ProxyErrorOverride On

ProxyErrorOverride looks easier, but I'm not sure about ErrorDocument managed directly by a CMS.
The If test looks more accurate but could impact performance.

To be discussed before providing any global solution.

Test feedback

It's really great!

Two small things:

  • Choosing the PHP version over https does not work.
  • It would probably be useful to allow choosing the PHP version in a simpler way

Hosted locally /www/monsite.tld / HTTP-S selection / PHP version selection

adding MaxClientsVHost for apache templates

http://mpm-itk.sesse.net/ says :

MaxClientsVHost: A separate MaxClients for the vhost. This can be useful if, say, half of your vhosts depend on some NFS server; if the NFS server goes down, you do not want the children waiting forever on NFS to take the non-NFS-dependent hosts down. This can thus act as a safety measure, giving “server too busy” on the NFS-dependent vhosts while keeping the other ones happily running. (Of course, you could use it to simply keep one site from eating way too much resources, but there are probably better ways of doing that.)

AlternC used to have this in the vhost configuration file for apache (with a limit of 40)

we should add those to the FPM configuration templates for apache too

Check php service before reloading/restarting it

php7-fpm must do a check before reloading a pool.
Each php-fpm service must be checked before it is reloaded.

We have the --test argument to check the configuration.

Note: reload acts as a restart and no check is done.
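
The two issues above ("phpx.x-fpm services fail to reload" and this one) ask for the same step: test the configuration first, then reload an active service or start an inactive one. The following is an added example, not code from the project; `safe_reload_fpm`, `fpm_config_ok`, `SYSTEMCTL` and `FPM_PREFIX` are hypothetical names, and the `/usr/sbin/php-fpmX.Y` binary path is an assumption about the Debian layout.

```shell
#!/bin/sh
# Added example: validate, then reload or start one phpX.Y-fpm service.
# SYSTEMCTL and FPM_PREFIX are hypothetical override hooks of this example.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
# Assumption: Debian layout, where the binary is /usr/sbin/php-fpmX.Y.
FPM_PREFIX="${FPM_PREFIX:-/usr/sbin/php-fpm}"

# fpm_config_ok VERSION: succeeds only if the main config and every pool
# file of that version parse (php-fpm's --test mode, nothing is started).
fpm_config_ok() {
    "${FPM_PREFIX}$1" --test >/dev/null 2>&1
}

# safe_reload_fpm VERSION
# Returns 0 when the service was reloaded or started,
#         1 when the configuration test failed (service left untouched),
#         2 when systemctl itself failed.
safe_reload_fpm() {
    version="$1"
    unit="php${version}-fpm"

    # A broken pool file must never reach the running service.
    if ! fpm_config_ok "$version"; then
        echo "php${version}-fpm: configuration test failed, service left untouched" >&2
        return 1
    fi

    # "reload" is refused on an inactive unit, so start it instead.
    if "$SYSTEMCTL" is-active --quiet "$unit"; then
        "$SYSTEMCTL" reload "$unit" || return 2
    else
        "$SYSTEMCTL" start "$unit" || return 2
    fi
    return 0
}

# Usage from a cron script, one call per version whose pools changed:
#   for v in 7.4 8.2; do
#       safe_reload_fpm "$v" || echo "php$v-fpm needs attention" >&2
#   done
```

Because the test runs before any systemctl call, one account's invalid pool file leaves the other accounts' running pools as they were.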

Alternc-nss

Hello

We already have a project to manage our AlternC accounts as POSIX:
alternc-nss

It could be interesting to pool our work :)

Error during alternc.install

ln: impossible de créer le lien symbolique '/etc/php7.3/apache2/conf.d/alternc.ini': Aucun fichier ou dossier de ce type
ln: impossible de créer le lien symbolique '/etc/php7.3/cli/conf.d/alternc.ini': Aucun fichier ou dossier de ce type

with master branch

Enable .php.ini local config

As we isolate PHP by account, it could be interesting to enable a .php.ini file in the local directory.

This could be done by enabling in each pool configuration:
php_value[user_ini.filename] = ".php.ini"
php_value[user_ini.cache_ttl] = 300

Domain type names conflict with AlternC

Names for domaines_type in the database are made with a "-":

INSERT IGNORE INTO domaines_type SET name='php56-fpm', description='PHP 5.6 FPM', target='DIRECTORY', entry='%SUB% IN A @@PUBLIC_IP@@', compatibility='txt,defmx,defmx2,mx,mx2', enable='ALL', need_dns=0, has_https_option=1;
INSERT IGNORE INTO domaines_type SET name='php70-fpm', description='PHP 7.0 FPM', target='DIRECTORY', entry='%SUB% IN A @@PUBLIC_IP@@', compatibility='txt,defmx,defmx2,mx,mx2', enable='ALL', need_dns=0, has_https_option=1;
INSERT IGNORE INTO domaines_type SET name='php71-fpm', description='PHP 7.1 FPM', target='DIRECTORY', entry='%SUB% IN A @@PUBLIC_IP@@', compatibility='txt,defmx,defmx2,mx,mx2', enable='ALL', need_dns=0, has_https_option=1;
INSERT IGNORE INTO domaines_type SET name='php72-fpm', description='PHP 7.2 FPM', target='DIRECTORY', entry='%SUB% IN A @@PUBLIC_IP@@', compatibility='txt,defmx,defmx2,mx,mx2', enable='ALL', need_dns=0, has_https_option=1;
INSERT IGNORE INTO domaines_type SET name='php73-fpm', description='PHP 7.3 FPM', target='DIRECTORY', entry='%SUB% IN A @@PUBLIC_IP@@', compatibility='txt,defmx,defmx2,mx,mx2', enable='ALL', need_dns=0, has_https_option=1;
INSERT IGNORE INTO domaines_type SET name='php74-fpm', description='PHP 7.4 FPM', target='DIRECTORY', entry='%SUB% IN A @@PUBLIC_IP@@', compatibility='txt,defmx,defmx2,mx,mx2', enable='ALL', need_dns=0, has_https_option=1;

AlternC doesn't appreciate this:
https://github.com/AlternC/AlternC/blob/3c83f33935bdaf0f601b5d5ba096936cfcac0597/bureau/class/m_dom.php#L552

Now three choices:

  • add an sql upgrade in alternc-php-fpm Debian packaging
  • remove name limitation in alternc
  • authorize '-' in name in alternc

MX compatibility

Hi

We can't enable the mail service after a php-fpm activation.
The mx type is not compatible with any php-fpm version, which could break when a site is hosted on the root domain and not on a www subdomain.

Exit when mysql is absent

Hi

For different reasons, MySQL could be down during php7-fpm execution.
In this case, all pools are deleted, which breaks all hosted sites.

We must check the MySQL state and run the script only when we are sure of the MySQL state.
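
A shell sketch of the guard this issue asks for, added here as an example (it is not the project's php7-fpm script, which is PHP): pool files are pruned only when the command that lists the accounts exits successfully. `prune_pools` and `PRUNED` are hypothetical names, and the mysql invocation in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: prune stale pool files only after the account list was read.

# prune_pools POOL_DIR LIST_CMD [ARGS...]
# LIST_CMD must print one login per line and exit non-zero on failure
# (the mysql client does so when the server is unreachable).
# Returns 0 after pruning, 1 when the list could not be obtained
# (in that case nothing is deleted). PRUNED holds the number of files removed.
prune_pools() {
    pool_dir="$1"
    shift
    PRUNED=0

    # A failed query is not "zero accounts": stop before touching any file.
    if ! wanted="$("$@")"; then
        echo "account list unavailable, no pool removed" >&2
        return 1
    fi

    # Only generated *.alternc.conf files are candidates for removal.
    for conf in "$pool_dir"/*.alternc.conf; do
        [ -e "$conf" ] || continue          # glob matched nothing
        user="$(basename "$conf" .alternc.conf)"
        # -F -x: exact, literal match of the whole login.
        if ! printf '%s\n' "$wanted" | grep -Fxq -- "$user"; then
            echo "Deleting fpm pool for user $user"
            rm -f -- "$conf"
            PRUNED=$((PRUNED + 1))
        fi
    done
    return 0
}

# Usage (query and credentials file are placeholders):
#   prune_pools /etc/php/8.2/fpm/pool.d \
#       mysql --defaults-file=<CNF> -N -B -e "<SELECT login ...>"
```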

trigger php installation

We can't code every PHP version in the world.
dpkg provides a trigger system, so we should detect any PHP installation and enable the related vhost for it.

Error at install

ERROR 1136 (21S01) at line 2: Column count doesn't match value count at row 1

Error in the insert query for the php-fpm versions (if alternc-ssl is installed?)

INSERT IGNORE INTO domaines_type VALUES ('php56-fpm','PHP 5.6 FPM','DIRECTORY','%SUB% IN A @@PUBLIC_IP@@','txt,defmx,defmx2,mx,mx2','ALL',0,0,0,0,0);

The insert queries are one field short:

#1136 - Column count doesn't match value count at row 1

Is it alternc-certbot that adds this column?
I added a 1 in the last column to get http and/or https access for the php-fpm vhosts

INSERT IGNORE INTO domaines_type VALUES ('php70-fpm','PHP 7.0 FPM','DIRECTORY','%SUB% IN A @@PUBLIC_IP@@','txt,defmx,defmx2,mx,mx2','ALL',0,0,0,0,0,1)
