PHP-FPM – Nicovs' Blog

phpRedmin with apache, php5-fpm and mod_proxy_fcgi

With apache 2.4 and PHP5-FPM, the way to go is using mod_proxy_fcgi.

Since configuration of a normal proxy vhost configuration is out of the scope of this article, I will not explain how to do this. There are lots of resources out there to find on how to impelement this. If i find the time to make an article on this, i will do so… 😉

So, today we were trying to configure phpredmin (imo the best Redis manamement tool out there) to work with Apache 2.4 using mod_proxy_fcgi to connect to PHP5-FPM.

We were having some issues with the configuration…The homepage was accessible, but all subpages were not proxied they they should. Pretty weird, as phpmemcachedadmin, phpmyadmin,… work without any special configuration on the apache side.

Hours of research led to the following fix: We created an extra vhost, and made some specific proxy rules in it:

VirtualHost *:80>

        ServerName phpredmin.servername.tld
        DocumentRoot /var/www/default/wwwroot/phpredmin


        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        LogLevel alert
        DirectoryIndex index.php
        Options -Indexes +FollowSymLinks +MultiViews
        RewriteEngine on

        Alias /phpredmin /var/www/default/wwwroot/phpredmin/public
        <Directory /var/www/default/wwwroot/phpredmin/public>
                 RewriteCond %{REQUEST_FILENAME} !-f
                 RewriteCond %{REQUEST_FILENAME} !-d
                 RewriteRule . fcgi://127.0.0.1:9000/var/www/default/wwwroot/phpredmin/public/index.php [P,L]


                 RewriteRule ^/?(.*\.php)$ fcgi://127.0.0.1:9000/var/www/default/wwwroot/phpredmin/public/$1 [P,L]
                 RewriteCond %{REQUEST_FILENAME} -d
                 RewriteRule ^/?(.*)$ fcgi://127.0.0.1:9000/var/www/default/wwwroot/phpredmin/public/$1 [P,L]

                 DirectoryIndex disabled
                 ProxyErrorOverride on
                 require ip 192.168.2.0/24
                 require ip 192.168.10.0/24
        </Directory>

</VirtualHost>

VirtualHost *:80>

ServerName phpredmin.servername.tld

DocumentRoot /var/www/default/wwwroot/phpredmin

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

LogLevel alert

DirectoryIndex index.php

Options -Indexes +FollowSymLinks +MultiViews

RewriteEngine on

Alias /phpredmin /var/www/default/wwwroot/phpredmin/public

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . fcgi://127.0.0.1:9000/var/www/default/wwwroot/phpredmin/public/index.php [P,L]

RewriteRule ^/?(.*\.php)$ fcgi://127.0.0.1:9000/var/www/default/wwwroot/phpredmin/public/$1 [P,L]

RewriteCond %{REQUEST_FILENAME} -d

RewriteRule ^/?(.*)$ fcgi://127.0.0.1:9000/var/www/default/wwwroot/phpredmin/public/$1 [P,L]

DirectoryIndex disabled

ProxyErrorOverride on

require ip 192.168.2.0/24

require ip 192.168.10.0/24

</Directory>

</VirtualHost>

Credits to Carl V 😉

Configure a site with SSL on an Nginx server

This post describes how to setup a server block on nginx with a Thawte SSL123 certificate.

This how to can of course also be used with other SSL vendors (comodo, digicert, …) but you’ll have to change some steps of course 🙂

First, we’ll start with the certificate request.

To create your request, use the openssl command:

openssl req -newkey rsa:2048 -nodes -keyout www.securedomain.com.pem -out www.securedomain.com.csr

1	openssl req -newkey rsa:2048 -nodes -keyout www.securedomain.com.pem -out www.securedomain.com.csr

And follow the SSL csr generation process:

Generating a 2048 bit RSA private key
................ 2013/25106/ <a href="http://s4gambling.com/it/giochi-da-casino">giochi da casino gratis</a> /LTT del 1° ottobre 2013 - Avviso di annullamento di biglietti di lotteria istantanea oggetto di furto11-10-2013 - Lotterie istantanee Nota Prot........................................................+++
..............................+++
writing new private key to 'www.securedomain.com.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:VL
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Company Name
Organizational Unit Name (eg, section) []:IT Dpt
Common Name (e.g. server FQDN or YOUR name) []:www.securedomain.com
Email Address []:it@securedomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generating a 2048 bit RSA private key

................ 2013/25106/ <a href="http://s4gambling.com/it/giochi-da-casino">giochi da casino gratis</a> /LTT del 1° ottobre 2013 - Avviso di annullamento di biglietti di lotteria istantanea oggetto di furto11-10-2013 - Lotterie istantanee Nota Prot........................................................+++

..............................+++

writing new private key to 'www.securedomain.com.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:BE

State or Province Name (full name) [Some-State]:VL

Locality Name (eg, city) []:Brussels

Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT Company Name

Organizational Unit Name (eg, section) []:IT Dpt

Common Name (e.g. server FQDN or YOUR name) []:www.securedomain.com

Email Address []:it@securedomain.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Now, if you look inside of your CSR files, you’ll see something like

-----BEGIN CERTIFICATE REQUEST-----
...
...
...
-----END CERTIFICATE REQUEST-----

-----BEGIN CERTIFICATE REQUEST-----

...

-----END CERTIFICATE REQUEST-----

Now it’s time to go and buy your certificate at your favorite SSL reseller…

Be sure to have a mailbox to be able to send your certificate approval email to (mainly this is: admin@securedomain.com or webmaster@, hostmaster@, administrator@,…)

Once you have received your SSL Certificate from Thawte, create a new file and paste in the certificate.

So paste it inside of www.securedomain.com.crt

Thawte has upgraded their root hierarchy to 2048bit RSA Keys (more information), so you need the Intermediate CA to support old web browsers. For the nginx web server you can download the file from Thawte here by:

wget https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem

1	wget https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL123_CA_Bundle.pem

One you have this file, echo the contents and paste it at the end of your crt file.

cat SSL123_CA_Bundle.pem >>  www.securedomein.com.crt

1	cat SSL123_CA_Bundle.pem >> www.securedomein.com.crt

Now enable SSL in your nginx server block by:

server {
  listen 80;
  listen 443 default ssl;

  ssl_certificate     /var/www/www.securedomain.com/ssl/www.securedomain.com.crt;
  ssl_certificate_key /var/www/www.securedomain.com/ssl/www.securedomain.com.pem;

  server_name     www.securedomain.com
                  ;

  root   /var/www/www.securedomain.com/wwwroot;

  index   index.php index.html;

...

server {

listen 80;

listen 443 default ssl;

ssl_certificate /var/www/www.securedomain.com/ssl/www.securedomain.com.crt;

ssl_certificate_key /var/www/www.securedomain.com/ssl/www.securedomain.com.pem;

server_name www.securedomain.com

;

root /var/www/www.securedomain.com/wwwroot;

index index.php index.html;

...

In my example, your site will listen to both Port 80 and 443 (SSL), you can of course redirect http to https by adding this in your nginx server block config:

###Add Redirect SSL
server {
  listen   80;

  server_name securedomain.com
              www.securedomain.com;

			   rewrite ^ https://www.securedomain.com$request_uri? permanent;
}
### End Redirect to SSL
server {
  listen 443 default ssl;

  ssl_certificate     /var/www/www.securedomain.com/ssl/www.securedomain.com.crt;
  ssl_certificate_key /var/www/www.securedomain.com/ssl/www.securedomain.com.pem;

  server_name     www.securedomain.com
                  ;

  root   /var/www/www.securedomain.com/wwwroot;

  index   index.php index.html;

  ...
  ...

###Add Redirect SSL

server {

listen 80;

server_name securedomain.com

www.securedomain.com;

rewrite ^ https://www.securedomain.com$request_uri? permanent;

}

### End Redirect to SSL

server {

listen 443 default ssl;

ssl_certificate /var/www/www.securedomain.com/ssl/www.securedomain.com.crt;

ssl_certificate_key /var/www/www.securedomain.com/ssl/www.securedomain.com.pem;

server_name www.securedomain.com

;

root /var/www/www.securedomain.com/wwwroot;

index index.php index.html;

...

Install Zend Optimizer for php 5.2 and earlier

Zend Optimizer has been updated and renamed to Zend Guard since PHP 5.3.

However, you might still have some older projects running PHP 5.2, where Zend Optimizer is still needed.

Here’s a small how to install for Ubuntu 12.04 LTS with PHP 5.2.

First of all, download Zend Optimizer 3.3.3 through this link: Zend

Unpack it on your server with this command:

tar -xvf ZendOptimizer-3.3.9-linux-glibc23-x86_64.tar.gz

1	tar -xvf ZendOptimizer-3.3.9-linux-glibc23-x86_64.tar.gz

Navigate into the data directory, and correct php version, eg:

cd ZendOptimizer-3.3.9-linux-glibc23-x86_64/data/5_2_x_comp

1	cd ZendOptimizer-3.3.9-linux-glibc23-x86_64/data/5_2_x_comp

copy the so file to the php path:

cp ZendOptimizer.so /usr/lib/php5/20060613/

1	cp ZendOptimizer.so /usr/lib/php5/20060613/

Enable zend optimizer throught /etc/php5/conf.d by typing:

echo zend_extension=/usr/lib/php5/20060613/ZendOptimizer.so > /etc/php5/conf.d/zend_optimizer.ini

1	echo zend_extension=/usr/lib/php5/20060613/ZendOptimizer.so > /etc/php5/conf.d/zend_optimizer.ini

Enable Zend optimizer by reloading apache

service apache2 reload

1	service apache2 reload

Check if Zend Optimizer is enabled by:

php -v
PHP 5.2.4-2ubuntu5 with Suhosin-Patch 0.9.6.2 (cli) (built: Feb 27 2008 20:46:51)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
    with Zend Optimizer v3.3.9, Copyright (c) 1998-2009, by Zend Technologies

php -v

PHP 5.2.4-2ubuntu5 with Suhosin-Patch 0.9.6.2 (cli) (built: Feb 27 2008 20:46:51)