apache: Switch to php-fpm from mod_php

Also try to automatically work for future versions of PHP. Fixes #1413 Fixes #1258 Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-06-03 10:50:20 +00:00 · 2018-12-10 13:36:02 -08:00 · 2018-12-10 13:36:02 -08:00 · 9e4fb5eb59
commit 9e4fb5eb59
parent c9a0fcbf7e
3 changed files with 68 additions and 16 deletions
--- a/actions/apache
+++ b/actions/apache
@ -73,8 +73,8 @@ def _sort_versions(versions):
    return sorted(versions, key=_get_sort_key_of_version, reverse=True)


-def _enable_latest_php(webserver):
-    """Disable all older PHP versions and enable the latest one.
+def _disable_mod_php(webserver):
+    """Disable all mod_php versions.

    Idempotent and harmless if all or no PHP modules are identified.
    Problematic if only some modules are found.
@ -89,12 +89,9 @@ def _enable_latest_php(webserver):

    versions = _sort_versions(versions)

-    for version in versions[1:]:
+    for version in versions:
        webserver.disable('php' + version, kind='module')

-    if versions:
-        webserver.enable('php' + versions[0], kind='module')
-

 def subcommand_setup(arguments):
    """Setup Apache configuration."""
@ -109,14 +106,20 @@ def subcommand_setup(arguments):
        ], check=True)

    with action_utils.WebserverChange() as webserver:
+        # Disable mod_php as we have switched to mod_fcgi + php-fpm. Disable
+        # before switching away from mpm_prefork otherwise switching fails due
+        # dependency.
+        _disable_mod_php(webserver)
+
        # set the prefork worker model
-        webserver.disable('mpm_event', kind='module')
        webserver.disable('mpm_worker', kind='module')
-        webserver.enable('mpm_prefork', kind='module')
+        webserver.disable('mpm_prefork', kind='module')
+        webserver.enable('mpm_event', kind='module')

        # enable miscellaneous modules.
        webserver.enable('proxy', kind='module')
        webserver.enable('proxy_http', kind='module')
+        webserver.enable('proxy_fcgi', kind='module')
        webserver.enable('rewrite', kind='module')

        # enable GnuTLS
@ -134,12 +137,8 @@ def subcommand_setup(arguments):
        webserver.enable('cgi', kind='module')
        webserver.enable('authnz_ldap', kind='module')

-        # Workaround for bug https://bugs.debian.org/893481 . Ideally, don't
-        # explicitly enable module php and rely on the package
-        # libapache2-mod-php installing the current version of the package and
-        # enabling it. This ensures that when PHP version changes, the code is
-        # not broken.
-        _enable_latest_php(webserver)
+        # enable configuration for PHP-FPM
+        webserver.enable('php-fpm-freedombox', kind='config')

        # enable users to share files uploaded to ~/public_html
        webserver.enable('userdir', kind='module')
--- a/data/etc/apache2/conf-available/php-fpm-freedombox.conf
+++ b/data/etc/apache2/conf-available/php-fpm-freedombox.conf
@ -0,0 +1,53 @@
+# Proxy all PHP file requests through PHP-FPM.
+#
+# Based on /etc/apache2/conf-available/php7.3-fpm.conf but modified to not break
+# when PHP version upgrade happens due to php-fpm package depending on the
+# latest version of PHP. Since PHP-FPM unix sockets have version number their
+# path, to work with future version of PHP, hack assuming some future versions.
+
+# Redirect to local php-fpm if mod_php is not available
+<IfModule !mod_php7.c>
+<IfModule proxy_fcgi_module>
+    # Enable http authorization headers
+    <IfModule setenvif_module>
+    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
+    </IfModule>
+
+    <FilesMatch ".+\.ph(ar|p|tml)$">
+        <IfFile /etc/php/7.3>
+            SetHandler "proxy:unix:/run/php/php7.3-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/7.4>
+            SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/7.5>
+            SetHandler "proxy:unix:/run/php/php7.5-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/7.6>
+            SetHandler "proxy:unix:/run/php/php7.6-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/8.0>
+            SetHandler "proxy:unix:/run/php/php8.0-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/8.1>
+            SetHandler "proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/8.2>
+            SetHandler "proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/8.3>
+            SetHandler "proxy:unix:/run/php/php8.3-fpm.sock|fcgi://localhost"
+        </IfFile>
+    </FilesMatch>
+    <FilesMatch ".+\.phps$">
+        # Deny access to raw php sources by default
+        # To re-enable it's recommended to enable access to the files
+        # only in specific virtual host or directory
+        Require all denied
+    </FilesMatch>
+    # Deny access to files without filename (e.g. '.php')
+    <FilesMatch "^\.ph(ar|p|ps|tml)$">
+        Require all denied
+    </FilesMatch>
+</IfModule>
+</IfModule>
--- a/plinth/modules/apache/init.py
+++ b/plinth/modules/apache/init.py
@ -20,11 +20,11 @@ FreedomBox app for Apache server.

 from plinth import actions

-version = 3
+version = 4

 is_essential = True

-managed_packages = ['apache2', 'libapache2-mod-gnutls', 'libapache2-mod-php']
+managed_packages = ['apache2', 'libapache2-mod-gnutls', 'php-fpm']


 def setup(helper, old_version=None):