diff --git a/actions/apache b/actions/apache
index b39d5bf76..1a510c7f1 100755
--- a/actions/apache
+++ b/actions/apache
@@ -73,8 +73,8 @@ def _sort_versions(versions):
     return sorted(versions, key=_get_sort_key_of_version, reverse=True)
 
 
-def _enable_latest_php(webserver):
-    """Disable all older PHP versions and enable the latest one.
+def _disable_mod_php(webserver):
+    """Disable all mod_php versions.
 
     Idempotent and harmless if all or no PHP modules are identified.
     Problematic if only some modules are found.
@@ -89,12 +89,9 @@ def _enable_latest_php(webserver):
 
     versions = _sort_versions(versions)
 
-    for version in versions[1:]:
+    for version in versions:
         webserver.disable('php' + version, kind='module')
 
-    if versions:
-        webserver.enable('php' + versions[0], kind='module')
-
 
 def subcommand_setup(arguments):
     """Setup Apache configuration."""
@@ -109,14 +106,20 @@ def subcommand_setup(arguments):
         ], check=True)
 
     with action_utils.WebserverChange() as webserver:
+        # Disable mod_php as we have switched to mod_fcgi + php-fpm. Disable
+        # before switching away from mpm_prefork otherwise switching fails due
+        # dependency.
+        _disable_mod_php(webserver)
+
         # set the prefork worker model
-        webserver.disable('mpm_event', kind='module')
         webserver.disable('mpm_worker', kind='module')
-        webserver.enable('mpm_prefork', kind='module')
+        webserver.disable('mpm_prefork', kind='module')
+        webserver.enable('mpm_event', kind='module')
 
         # enable miscellaneous modules.
         webserver.enable('proxy', kind='module')
         webserver.enable('proxy_http', kind='module')
+        webserver.enable('proxy_fcgi', kind='module')
         webserver.enable('rewrite', kind='module')
 
         # enable GnuTLS
@@ -134,12 +137,8 @@ def subcommand_setup(arguments):
         webserver.enable('cgi', kind='module')
         webserver.enable('authnz_ldap', kind='module')
 
-        # Workaround for bug https://bugs.debian.org/893481 . Ideally, don't
-        # explicitly enable module php and rely on the package
-        # libapache2-mod-php installing the current version of the package and
-        # enabling it. This ensures that when PHP version changes, the code is
-        # not broken.
-        _enable_latest_php(webserver)
+        # enable configuration for PHP-FPM
+        webserver.enable('php-fpm-freedombox', kind='config')
 
         # enable users to share files uploaded to ~/public_html
         webserver.enable('userdir', kind='module')
diff --git a/data/etc/apache2/conf-available/php-fpm-freedombox.conf b/data/etc/apache2/conf-available/php-fpm-freedombox.conf
new file mode 100644
index 000000000..80c6ca636
--- /dev/null
+++ b/data/etc/apache2/conf-available/php-fpm-freedombox.conf
@@ -0,0 +1,53 @@
+# Proxy all PHP file requests through PHP-FPM.
+#
+# Based on /etc/apache2/conf-available/php7.3-fpm.conf but modified to not break
+# when PHP version upgrade happens due to php-fpm package depending on the
+# latest version of PHP. Since PHP-FPM unix sockets have version number their
+# path, to work with future version of PHP, hack assuming some future versions.
+
+# Redirect to local php-fpm if mod_php is not available
+<IfModule !mod_php7.c>
+<IfModule proxy_fcgi_module>
+    # Enable http authorization headers
+    <IfModule setenvif_module>
+    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
+    </IfModule>
+
+    <FilesMatch ".+\.ph(ar|p|tml)$">
+        <IfFile /etc/php/7.3>
+            SetHandler "proxy:unix:/run/php/php7.3-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/7.4>
+            SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/7.5>
+            SetHandler "proxy:unix:/run/php/php7.5-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/7.6>
+            SetHandler "proxy:unix:/run/php/php7.6-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/8.0>
+            SetHandler "proxy:unix:/run/php/php8.0-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/8.1>
+            SetHandler "proxy:unix:/run/php/php8.1-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/8.2>
+            SetHandler "proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost"
+        </IfFile>
+        <IfFile /etc/php/8.3>
+            SetHandler "proxy:unix:/run/php/php8.3-fpm.sock|fcgi://localhost"
+        </IfFile>
+    </FilesMatch>
+    <FilesMatch ".+\.phps$">
+        # Deny access to raw php sources by default
+        # To re-enable it's recommended to enable access to the files
+        # only in specific virtual host or directory
+        Require all denied
+    </FilesMatch>
+    # Deny access to files without filename (e.g. '.php')
+    <FilesMatch "^\.ph(ar|p|ps|tml)$">
+        Require all denied
+    </FilesMatch>
+</IfModule>
+</IfModule>
diff --git a/plinth/modules/apache/__init__.py b/plinth/modules/apache/__init__.py
index cf7ac3e3b..1b8b7e6c8 100644
--- a/plinth/modules/apache/__init__.py
+++ b/plinth/modules/apache/__init__.py
@@ -20,11 +20,11 @@ FreedomBox app for Apache server.
 
 from plinth import actions
 
-version = 3
+version = 4
 
 is_essential = True
 
-managed_packages = ['apache2', 'libapache2-mod-gnutls', 'libapache2-mod-php']
+managed_packages = ['apache2', 'libapache2-mod-gnutls', 'php-fpm']
 
 
 def setup(helper, old_version=None):