Versions Compared

Old Version 2

changes.mady.by.user Christoph Lechleitner

Saved on

compared with

New Version 3

changes.mady.by.user Christoph Lechleitner

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Introduction

Thanks to the the PHP-FPM project  project and major distros picking it up (usually as as php5-fpm) newer shared hosting setups provide a set of per-user pools of PHP-FPM processes, combining the advantages of a running PHP process (caching of compiled version of .php files) and SuExec-style execution of PHP scripts under specific low-right system user (protecting shared hosting customers' data from each other).

Unfortunately, a secure FastCGI connection between Apache and PHP5-FPM requires to specify an "Action path", i.e. a filepath-style "mountpoint" (similar to a script alias)However, there about 10 different approaches to connect Apache with PHP5-FPM, and about 1000 HowTos ...

SetHandler approach

From Apache 2.4.10 (?) on it's simple. Actually painfully simple compared to earlier approaches:

No Format
# i.e. in VirtualHost
<IfModule mod_fastcgi.c>
<FilesMatch \.php$>
    SetHandler "proxy:fcgi://127.0.0.1:9000/"
    # or with socket
    # SetHandler "proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost"
</FilesMatch>
</IfModule>

Based on  http://blog.remirepo.net/post/2014/03/28/PHP-FPM-and-HTTPD-2.4-improvement

You may have to enable the proxy_fcgi module.

Advantages

Simple.

Should be evaluated late enough to allow for heavy .htaccess Rewrite orgies.

More secure? (I think FilesMatch only to existing files that really end in ".php", but I'm not 100% sure yet)

Disadvantages

Not sure yet.

ProxyPass approach

To avoid what looks like a "subdirectory move" to Rewrite, one might use ProxyPassMatch (or LocationMatch + ProxyPass) instead of FastCgiExternalServer and Action, as proposed in https://wiki.apache.org/httpd/PHP-FPM

Advantages

Works before Apache 2.4.10

Disadvantages

May be evaluated too early, circumventing .htaccess Rewrite orgies.

Security risks, see bottom of https://wiki.apache.org/httpd/PHP-FPM

FastCgiExternalServer / Action approach

Advantages

 

Works before Apache 2.4.10

Definitely evaluated late enough to allow for .htaccess Rewrite orgies, but works as a Rewrite itself which can lead to Rewrite loops.

 

Disadvantages

Complicated to configure.

 

Works as a Rewrite itself which can lead to Rewrite loops.

 

Details

This was the first almost-satisfying approach I found, but it has major disadvantages.

A typical setup may look like this:

...

Further Reading: Action directive, FastCgiExternalServer directive.

...

Circumventing Rewrite loops, general approach

Solution in general

Exclude /php5-fcgi (or whatever virtual path the LAMP setup uses) from problematic RewriteRules:

No Format
# before RewriteRule:
RewriteCond %{REQUEST_URI} !^/php5-fcgi/*

...

Circumventing Rewrite loops in typical .htaccess WordPress

A typical .htaccess for WordPress looks like this:

...

Code Block
titleIronized .htaccess
collapsetrue
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/php5-fcgi/*
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

 

Solutions avoiding the Action approach

ProxyPassMatch

To avoid what looks like a "subdirectory move" to Rewrite, one might use ProxyPassMatch instead of FastCgiExternalServer and Action, as proposed in https://wiki.apache.org/httpd/PHP-FPM

However there seem to be security risks, see bottom of that page.

...