Production LAMP system: Lighttpd + PHP + MySQL: Difference between revisions

From Alpine Linux
No edit summary
Line 1: Line 1:
In production web, '''LAMP''' means '''L'''inux + '''A'''pache + '''M'''ysql + '''P'''hp installed and integrated, but today the "A" of ''apache'' are more used as ''Nginx'' or ''Lighttpd'', and the "M" of ''MySQL'' are more used as ''Mariadb'', the ''LAMP'' focused documents are:
In production web, '''LAMP''' means '''L'''inux + '''A'''pache + '''M'''ysql + '''P'''hp installed and integrated, but today, more and more, ''Apache'' is being replaced by ''Nginx'' or ''Lighttpd'' and ''MySQL'' by ''Mariadb''. The ''LAMP'' documents are:


== 1. The web server part: Lighttpd ==
== 1. The web server: Lighttpd ==


[http://www.lighttpd.net/ lighttpd] is a simple, standards-compliant, secure, and flexible web server, Nginx is the most used due to beeing manageable by ISP panel's software, but '''lighttpd performs always better. Nginx could not process fast-cgi programs'''. for more complete lighttpd information consult the [[Production Web server: Lighttpd]] wiki page.
[http://www.lighttpd.net/ lighttpd] is a simple, standards-compliant, secure, and flexible web server, Nginx is the most used due to beeing manageable by ISP panel's software, but '''lighttpd performs better. Nginx cannot process fast-cgi programs'''. For more lighttpd information, consult the [[Production Web server: Lighttpd]] wiki page.


=== Lighttpd Installation ===
=== Lighttpd Installation ===


Production environment only will handle need packages.. so no doc or manages allowed:
Production environment will handle only needed packages. So no doc or managers allowed:


# run apk for need packages
# run apk for needed packages


<pre>
<pre>
Line 20: Line 20:


# make the htdos public web root directories  
# make the htdos public web root directories  
# change default port to production one, http are used with 80
# change default port to production one, http is used with 80
# use FAM style (gamin) file alteration monitor, increases performance '''ONLY ON 3.4 to 3.8 releases!!!'''
# use FAM style (gamin) file alteration monitor, increases performance '''ONLY ON 3.4 to 3.8 releases!!!'''
# use linux event handler, increases performance due Alpine are linux only
# use linux event handler, increases performance due Alpine are linux only
# added the service to the default runlevel, not to boot, because need networking activated
# added the service to the default runlevel, not to boot, because networking needs to be active first
# started the web server service
# started the web server service
# Enable the mod_status at the config files
# Enable the mod_status at the config files
Line 59: Line 59:
</pre>
</pre>


'''For testing open a browser and go to <code><nowiki>http://<webserveripaddres></nowiki></code> and you will see "it works"'''. The "webserveripaddres" are the ip address of your setup/server machine.
'''For testing, open a browser and go to <code><nowiki>http://<webserveripaddres></nowiki></code>. You will see "it works"'''. The "webserveripaddres" is the ip address of your setup/server machine.


'''There's a problem in Alpine linux, FAM (gamin) are activated as a lighttpd only service''', that's make sense in dockers but in servers could be a problem if FAM (gamin) are also need for others services at the same time.
'''There's a problem in Alpine linux, FAM (gamin) is activated as a lighttpd only service''', that makes sense in docker, but on a server, it could be a problem if FAM (gamin) is also needed for other services at the same time.


'''OPTIONAL:''' alpine packagers are a mess, removed fam on recents, soolder releases of alpine can use compiled fam packages with <code>sed -i -r 's#.*server.stat-cache-engine.*=.*# server.stat-cache-engine = "fam"#g' /etc/lighttpd/lighttpd.conf</code>
'''OPTIONAL:''' alpine packagers are a mess, removed FAM on recent, so older releases of alpine can use compiled FAM packages with <code>sed -i -r 's#.*server.stat-cache-engine.*=.*# server.stat-cache-engine = "fam"#g' /etc/lighttpd/lighttpd.conf</code>


== 2. The php scripting part: PHP fpm ==
== 2. php scripting: PHP fpm ==


In Alpine there's two main language for programming dynamic web pages: PHP and LUA. Alpine are minimalist so not all PHP packages are need in most cases, both repositories must be enabled (main and community), here are explained the most common used in production, for PHP at development please watch the [[Alpine_newbie_developer]] wiki page.
In Alpine there are two main languages for programming dynamic web pages: PHP and LUA. Alpine is minimalist so not all PHP packages are need in most cases.
Both repositories must be enabled (main and community). Here we explain the most common use in production. For PHP development, see the [[Alpine_newbie_developer]] wiki page.


=== PHP Installation ===
=== PHP Installation ===


Since version v3.5, PHP 7 is available along with PHP 5.6 coexisting together, until version v3.9 where the latter was removed. So for Alpine 3.5+m we will assume PHP7, if you need PHP5.6 still could use it, that wil be cover in the special [[Production LAMP system: Lighttpd + PHP5 + MySQL]] wiki page for older Alpine systems and some specific php softwares.
Since version v3.5, PHP 7 is available along with PHP 5.6 coexisting, until version v3.9 where the latter was removed. For Alpine 3.5+m we will assume PHP7, if you need PHP 5.6, you can still use it. That wil be covered in the special [[Production LAMP system: Lighttpd + PHP5 + MySQL]] wiki page for older Alpine systems and some specific php software.


<pre><nowiki>
<pre><nowiki>
Line 77: Line 78:
</nowiki></pre>
</nowiki></pre>


{{Note|'''The below packages are only for specific situations.. only install when need (specially php-pear one)''', by example, <code>cacti</code> and <code>cacti-php7</code> are in edge that depends on <code>php7</code>, but you must only install from edge only the cacti package, all the depends must be previously installed from stable.}}
{{Note|'''The packages below are only for specific situations. Install them only when needed (especially php-pear)''', for example, <code>cacti</code> and <code>cacti-php7</code> depend on <code>php7</code>, but you must install '''only''' the cacti package, all the dependencies must be previously installed from stable.}}


<pre><nowiki>
<pre><nowiki>
Line 83: Line 84:
</nowiki></pre>
</nowiki></pre>


{{Note|'''The below packages are only for databases access using php in specific ways.. only install when need (specially php--pdo ones)''', by example, <code>cacti</code> and <code>cacti-php7</code> are in edge that depends on <code>php7-mysqli</code>, but you must only install from edge only the cacti package, all the depends like <code>php7</code> and <code>php7-mysqli</code> must be previously installed from stable.}}
{{Note|'''The packages below are only for database access using php in specific ways. Install them only if you need them (specially php--pdo ones)'''. For example, <code>cacti</code> and <code>cacti-php7</code> depend on <code>php7-mysqli</code>, but you must install only the cacti package, all the dependencies like <code>php7</code> and <code>php7-mysqli</code> must be previously installed from stable.}}


<pre><nowiki>
<pre><nowiki>
Line 89: Line 90:
</nowiki></pre>
</nowiki></pre>


A special case it's the <code>php7-odbc</code>, unless the others, that are able php to connect to only specific database, '''[[Production DataBases : unixodbc|unixodbc]]''' are a universal way to do so, the most important difference are that by example, <code>php7-mysqli</code> package has better functions to manage data into the php software usage.
A special case is <code>php7-odbc</code>. Unless the others, that are able php to connect to only specific database, '''[[Production DataBases : unixodbc|unixodbc]]''' is a universal way to do so. The most important difference is, for example, the <code>php7-mysqli</code> package has better functions to manage data via php.


=== PHP Global Configuration ===
=== PHP Global Configuration ===
Line 96: Line 97:
# Set safe mode off
# Set safe mode off
# Dont expose php code if something fails
# Dont expose php code if something fails
# Set amount of memory limit for execution to 536Mb (most servers are minimal of 1Gb of RAM)
# Set amount of memory limit for execution to 536Mb (most servers are minimum of 1 GB of RAM)
# So then set upload size to 128Mb as maximun.
# Set upload size to 128Mb as maximun.
# Set then POST max size to 256Mb based on the upload max size limit.
# Set POST max size to 256Mb based on the upload max size limit.
# Turn on the url open method
# Turn on the URL open method
# Set default charset to UTF-8 more compatible
# Set default charset to UTF-8 for increased compatibility
# Increase the execution time and the input time for.
# Increase the execution time and the input time for.


Line 143: Line 144:




The PHP-FPM defined a master process with some pool of process for each service resuests, by default there's only one pool of processes, the www pool process.
The PHP-FPM defines a master process with a process pool for each service request. By default, there's only one process pool, www.


Default values are good for starting, but later will need tuning, the best it's static one but need test and set until get right configuration.
Default values are good for starting, but will need tuning later. The best is a static one, but testing is needed to get the right configuration.


=== Lighttpd + PHP-FPM ===
=== Lighttpd + PHP-FPM ===


The web server comes to and very unmantained config file so we must handle all the required settings:
The web server comes with a minimal config file, so we must handle all the required settings:


# enable the mod_alias at the config file, due need of a specific path for cgi files into security
# enable the mod_alias at the config file, a specific path is needed for cgi file security
# be sure and disable the fastcgi-php module by cgi only
# be sure and disable the fastcgi-php module by cgi only
# and then enable the fastcgi-php-fpm specific module then
# and then enable the fastcgi-php-fpm specific module then
# write a much much better approach of the php handler in the local server using the socket
# write a much much better approach of the php handler in the local server using the socket
# configure the php to use also the socket too for direct connection locally
# configure the php to use also the socket for direct connection locally
# restart the service to see changes at the browser
# restart the service to see changes at the browser


Line 198: Line 199:
</pre>
</pre>


'''For testing open a browser and go to <code><nowiki>http://<webserveripaddres>/info.php</nowiki></code> and you will see only the minimal info due in production there's no need for too much information to crackers. The "webserveripaddres" are the ip address of your setup/server machine.
'''For testing, open a browser and go to <code><nowiki>http://<webserveripaddres>/info.php</nowiki></code>. You will see the info as used in production.
There's no sense givig too much information to crackers. The "webserveripaddres" is the ip address of your setup/server machine.


After that, all the files with php will be proceses faster than used a host based, also under the <code>/var/www/localhost/cgi-bin</code> directory will be showed as <nowiki>http://localhost/cgi-bin/</nowiki> path.
After that, all the files with php will be procesed faster than used a host based. Under the <code>/var/www/localhost/cgi-bin</code> directory will be shown as <nowiki>http://localhost/cgi-bin/</nowiki> path.


=== Multiple PHP-FPM cluster ===
=== Multiple PHP-FPM cluster ===


As we said, in FPM it is managed by process pools, but the connection can be over the network or over a direct n socket, the configuration for a powerful server of average requests is with socket and localhost, but for high availability it is required CAT6 wired network connections of 1000Mbps and php-fpm by network connections in roundrobin mode.
As we said, FPM is managed by process pools, but the connection can be over a network or over a direct n socket. The configuration for a typical server that can handle an average number requests is with socket and localhost. For high availability, a CAT6 wired network connection of 1000Mbps and php-fpm by network connection in roundrobin mode is needed.


For php fpm pool will be on a specific machine and the web server(s) will simply connect to these machines with php to serve the php pages, the result is that we have a cluster of lighttpd web servers against other php-fpm process clusters, the php project can be the same code on all web servers and connected to a single database.
The PHP FPM pool will be on a specific machine and the web server(s) will simply connect to these machines with PHP to serve the PH pages. The result is a cluster of lighttpd web servers against other PHP-FPM process clusters. The PHP project can be the same code on all web servers and connected to a single database.


At the Linux console the change are, by example two machines 10.10.1.10 and 10.10.2.10 both have php and lighttpd, so then in each one will setup the php of the other:
At the Linux console the changes are, for example, two machines 10.10.1.10 and 10.10.2.10 both have php and lighttpd, so each will set up the php of the other:


<pre>
<pre>
Line 254: Line 256:
== 3. The DBMS part: mysql/mariadb ==
== 3. The DBMS part: mysql/mariadb ==


Alpine Linux has dummy counterparts packages for those that are not close to that change from ''mysql'' to ''mariadb'' naming packages.
Alpine Linux has dummy counterpart packages for those not changed from ''mysql'' to ''mariadb''.


=== Installation ===
=== Installation ===


Take in consideration that the user <code>mysql</code> was created during instalation of packages, in the initialization section two users will be created in database init: <code>root</code> and <code>mysql</code>, and in that point only if are in their respective system accounts, will be able to connect to the database service.
Take into consideration the user <code>mysql</code> was created during package instalation. In the initialization section two users will be created in database init: <code>root</code> and <code>mysql</code>, and at that point only if they are in their respective system accounts, will they be able to connect to the database service.


<pre><nowiki>
<pre><nowiki>
Line 266: Line 268:
=== Initialization ===
=== Initialization ===


The ''datadir'' are located to <code>/var/lib/mysql</code> must be owned by the mysql user and group. You can modify this behavior but must edit the service file at <code>/etc/init.d</code> directory. Also, you need to set <code><nowiki>datadir=<YOUR_DATADIR></nowiki></code> under section <code>[mysqld]</code> at the config file.
The ''datadir'' located at <code>/var/lib/mysql</code> must be owned by the mysql user and group. You can modify this behavior but you must edit the service file at <code>/etc/init.d</code> directory. Also, you need to set <code><nowiki>datadir=<YOUR_DATADIR></nowiki></code> under section <code>[mysqld]</code> at the config file.


# Initialize the main mysql database, and the data dir as standardized to <code>/var/lib/mysql</code> by the rc script
# Initialize the main mysql database, and the data dir as standardized to <code>/var/lib/mysql</code> by the rc script
# Then initialize the service, root account and socket connection are enabled without password at this point
# Then initialize the service, root account and socket connection are enabled without password at this point
# Setup the root account by asignes a proper password, this are purely paranoid. due next step already do that!
# Set up the root account by asigning a proper password. This is pure paranoia. the next step does just that!
# Setup and init the installation by running the <code>mysql_secure_installation</code>
# Set up and init the installation by running the <code>mysql_secure_installation</code>
# Setup permissions for manage others users and databases
# Set up permissions for managing other users and databases
# Run the <code>mysql_secure_installation</code> script and answer the questions (see section below)
# Run the <code>mysql_secure_installation</code> script and answer the questions (see section below)


Line 287: Line 289:
</pre>
</pre>


# '''Enter current password for root (enter for none):''' must be provided due we already set previously. correct respond are <code>OK, successfully used password, moving on...</code>
# '''Enter current password for root (enter for none):''' must be provided because we set it previously. Correct response is <code>OK, successfully used password, moving on...</code>
#  '''Switch to unix_socket authentication [Y/n]''' this are not the case and must be disabled, '''so answer NO''', and response will be <code>... skipping.</code>
#  '''Switch to unix_socket authentication [Y/n]''' this must be disabled, '''so answer NO''', and response will be <code>... skipping.</code>
# '''Change the root password? [Y/n]''' Just press "n" only if you provided a good password, otherwise just change it!
# '''Change the root password? [Y/n]''' Just press "n" only if you provided a good password, otherwise change it!
# '''Remove anonymous users? [Y/n]''' In any case, '''production system must remove it, so answer Y''' and proper respond mus be  <code>... Success!</code>.
# '''Remove anonymous users? [Y/n]''' In any case, '''production system must remove it, so answer Y''' and proper respond mus be  <code>... Success!</code>.
# '''Disallow root login remotely? [Y/n]''' For sure answer Y''' and proper respond mus be  <code>... Success!</code>.
# '''Disallow root login remotely? [Y/n]''' For sure answer Y''' and proper respond mus be  <code>... Success!</code>.

Revision as of 01:00, 24 June 2021

In production web, LAMP means Linux + Apache + Mysql + Php installed and integrated, but today, more and more, Apache is being replaced by Nginx or Lighttpd and MySQL by Mariadb. The LAMP documents are:

1. The web server: Lighttpd

lighttpd is a simple, standards-compliant, secure, and flexible web server, Nginx is the most used due to beeing manageable by ISP panel's software, but lighttpd performs better. Nginx cannot process fast-cgi programs. For more lighttpd information, consult the Production Web server: Lighttpd wiki page.

Lighttpd Installation

Production environment will handle only needed packages. So no doc or managers allowed:

  1. run apk for needed packages

apk add lighttpd gamin

Lighttpd pre php configuration

  1. make the htdos public web root directories
  2. change default port to production one, http is used with 80
  3. use FAM style (gamin) file alteration monitor, increases performance ONLY ON 3.4 to 3.8 releases!!!
  4. use linux event handler, increases performance due Alpine are linux only
  5. added the service to the default runlevel, not to boot, because networking needs to be active first
  6. started the web server service
  7. Enable the mod_status at the config files
  8. change path in the config file, we are using security by obfuscation
  9. restart the service to see changes at the browser

mkdir -p /var/www/localhost/htdocs/stats /var/log/lighttpd /var/lib/lighttpd

sed -i -r 's#\#.*server.port.*=.*#server.port          = 80#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#\#.*server.event-handler = "linux-sysepoll".*#server.event-handler = "linux-sysepoll"#g' /etc/lighttpd/lighttpd.conf

chown -R lighttpd:lighttpd /var/www/localhost/

chown -R lighttpd:lighttpd /var/lib/lighttpd

chown -R lighttpd:lighttpd /var/log/lighttpd

rc-update add lighttpd default

rc-service lighttpd restart

echo "it works" > /var/www/localhost/htdocs/index.html

sed -i -r 's#\#.*mod_status.*,.*#    "mod_status",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*status.status-url.*=.*#status.status-url  = "/stats/server-status"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*status.config-url.*=.*#status.config-url  = "/stats/server-config"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart

For testing, open a browser and go to http://<webserveripaddres>. You will see "it works". The "webserveripaddres" is the ip address of your setup/server machine.

There's a problem in Alpine linux, FAM (gamin) is activated as a lighttpd only service, that makes sense in docker, but on a server, it could be a problem if FAM (gamin) is also needed for other services at the same time.

OPTIONAL: alpine packagers are a mess, removed FAM on recent, so older releases of alpine can use compiled FAM packages with sed -i -r 's#.*server.stat-cache-engine.*=.*# server.stat-cache-engine = "fam"#g' /etc/lighttpd/lighttpd.conf

2. php scripting: PHP fpm

In Alpine there are two main languages for programming dynamic web pages: PHP and LUA. Alpine is minimalist so not all PHP packages are need in most cases. Both repositories must be enabled (main and community). Here we explain the most common use in production. For PHP development, see the Alpine_newbie_developer wiki page.

PHP Installation

Since version v3.5, PHP 7 is available along with PHP 5.6 coexisting, until version v3.9 where the latter was removed. For Alpine 3.5+m we will assume PHP7, if you need PHP 5.6, you can still use it. That wil be covered in the special Production LAMP system: Lighttpd + PHP5 + MySQL wiki page for older Alpine systems and some specific php software. 

apk add php7 php7-bcmath php7-bz2 php7-ctype php7-curl php7-dom php7-enchant php7-exif php7-fpm php7-gd php7-gettext php7-gmp php7-iconv php7-imap php7-intl php7-json php7-mbstring php7-opcache php7-openssl php7-phar php7-posix php7-pspell php7-recode php7-session php7-simplexml php7-sockets php7-sysvmsg php7-sysvsem php7-sysvshm php7-tidy php7-xml php7-xmlreader php7-xmlrpc php7-xmlwriter php7-xsl php7-zip php7-sqlite3
Note: The packages below are only for specific situations. Install them only when needed (especially php-pear), for example, cacti and cacti-php7 depend on php7, but you must install only the cacti package, all the dependencies must be previously installed from stable.
apk add php7-pgsql php7-mysqli php7-mysqlnd php7-snmp php7-soap php7-ldap php7-pcntl php7-pear php7-shmop php7-wddx php7-cgi php7-pdo php7-snmp php7-tokenizer
Note: The packages below are only for database access using php in specific ways. Install them only if you need them (specially php--pdo ones). For example, cacti and cacti-php7 depend on php7-mysqli, but you must install only the cacti package, all the dependencies like php7 and php7-mysqli must be previously installed from stable.
apk add php7-dba php7-sqlite3 php7-mysqli php7-mysqlnd php7-pgsql php7-pdo_dblib php7-pdo_odbc php7-pdo_pgsql php7-pdo_sqlite

A special case is php7-odbc. Unless the others, that are able php to connect to only specific database, unixodbc is a universal way to do so. The most important difference is, for example, the php7-mysqli package has better functions to manage data via php.

PHP Global Configuration

  1. Use fix.pathinfo
  2. Set safe mode off
  3. Dont expose php code if something fails
  4. Set amount of memory limit for execution to 536Mb (most servers are minimum of 1 GB of RAM)
  5. Set upload size to 128Mb as maximun.
  6. Set POST max size to 256Mb based on the upload max size limit.
  7. Turn on the URL open method
  8. Set default charset to UTF-8 for increased compatibility
  9. Increase the execution time and the input time for.
sed -i -r 's|.*cgi.fix_pathinfo=.*|cgi.fix_pathinfo=1|g' /etc/php*/php.ini
sed -i -r 's#.*safe_mode =.*#safe_mode = Off#g' /etc/php*/php.ini
sed -i -r 's#.*expose_php =.*#expose_php = Off#g' /etc/php*/php.ini
sed -i -r 's#memory_limit =.*#memory_limit = 536M#g' /etc/php*/php.ini
sed -i -r 's#upload_max_filesize =.*#upload_max_filesize = 128M#g' /etc/php*/php.ini
sed -i -r 's#post_max_size =.*#post_max_size = 256M#g' /etc/php*/php.ini
sed -i -r 's#^file_uploads =.*#file_uploads = On#g' /etc/php*/php.ini
sed -i -r 's#^max_file_uploads =.*#max_file_uploads = 12#g' /etc/php*/php.ini
sed -i -r 's#^allow_url_fopen = .*#allow_url_fopen = On#g' /etc/php*/php.ini
sed -i -r 's#^.default_charset =.*#default_charset = "UTF-8"#g' /etc/php*/php.ini
sed -i -r 's#^.max_execution_time =.*#max_execution_time = 150#g' /etc/php*/php.ini
sed -i -r 's#^max_input_time =.*#max_input_time = 90#g' /etc/php*/php.ini

PHP-FPM Configuration

  1. Create directory for php socket and pid files, MUST BE EQUAL to openrc defined!
  2. Set into configuration file the socket path, MUST BE EQUAL to openrc defined!
  3. Set into configuration file the pid file path, MUST BE EQUAL to openrc defined!

mkdir -p /var/run/php-fpm7/

chown lighttpd:root /var/run/php-fpm7

sed -i -r 's|^.*listen =.*|listen = /run/php-fpm7/php7-fpm.sock|g' /etc/php*/php-fpm.d/www.conf

sed -i -r 's|^pid =.*|pid = /run/php-fpm7/php7-fpm.pid|g' /etc/php*/php-fpm.conf

sed -i -r 's|^.*listen.mode =.*|listen.mode = 0640|g' /etc/php*/php-fpm.d/www.conf

rc-update add php-fpm7 default

service php-fpm7 restart


The PHP-FPM defines a master process with a process pool for each service request. By default, there's only one process pool, www.

Default values are good for starting, but will need tuning later. The best is a static one, but testing is needed to get the right configuration.

Lighttpd + PHP-FPM

The web server comes with a minimal config file, so we must handle all the required settings:

  1. enable the mod_alias at the config file, a specific path is needed for cgi file security
  2. be sure and disable the fastcgi-php module by cgi only
  3. and then enable the fastcgi-php-fpm specific module then
  4. write a much much better approach of the php handler in the local server using the socket
  5. configure the php to use also the socket for direct connection locally
  6. restart the service to see changes at the browser

mkdir -p /var/www/localhost/cgi-bin

sed -i -r 's#\#.*mod_alias.*,.*#    "mod_alias",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_cgi.conf".*#   include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_fastcgi.conf".*#\#   include "mod_fastcgi.conf"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_fastcgi_fpm.conf".*#   include "mod_fastcgi_fpm.conf"#g' /etc/lighttpd/lighttpd.conf

cat > /etc/lighttpd/mod_fastcgi_fpm.conf << EOF
server.modules += ( "mod_fastcgi" )
index-file.names += ( "index.php" )
fastcgi.server = (
    ".php" => (
      "localhost" => (
        "socket"                => "/var/run/php-fpm7/php7-fpm.sock",
        "broken-scriptfilename" => "enable"
      ))
)
EOF

sed -i -r 's|^.*listen =.*|listen = /var/run/php-fpm7/php7-fpm.sock|g' /etc/php*/php-fpm.d/www.conf

sed -i -r 's|^.*listen.owner = .*|listen.owner = lighttpd|g' /etc/php*/php-fpm.d/www.conf

sed -i -r 's|^.*listen.group = .*|listen.group = lighttpd|g' /etc/php*/php-fpm.d/www.conf

sed -i -r 's|^.*listen.mode = .*|listen.mode = 0660|g' /etc/php*/php-fpm.d/www.conf

rc-service php-fpm7 restart

rc-service lighttpd restart

echo "<?php echo phpinfo(); ?>" > /var/www/localhost/htdocs/info.php

For testing, open a browser and go to http://<webserveripaddres>/info.php. You will see the info as used in production. There's no sense givig too much information to crackers. The "webserveripaddres" is the ip address of your setup/server machine.

After that, all the files with php will be procesed faster than used a host based. Under the /var/www/localhost/cgi-bin directory will be shown as http://localhost/cgi-bin/ path.

Multiple PHP-FPM cluster

As we said, FPM is managed by process pools, but the connection can be over a network or over a direct n socket. The configuration for a typical server that can handle an average number requests is with socket and localhost. For high availability, a CAT6 wired network connection of 1000Mbps and php-fpm by network connection in roundrobin mode is needed.

The PHP FPM pool will be on a specific machine and the web server(s) will simply connect to these machines with PHP to serve the PH pages. The result is a cluster of lighttpd web servers against other PHP-FPM process clusters. The PHP project can be the same code on all web servers and connected to a single database.

At the Linux console the changes are, for example, two machines 10.10.1.10 and 10.10.2.10 both have php and lighttpd, so each will set up the php of the other: 


mkdir -p /var/www/localhost/cgi-bin

sed -i -r 's#\#.*mod_alias.*,.*#    "mod_alias",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_cgi.conf".*#   include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_fastcgi.conf".*#\#   include "mod_fastcgi.conf"#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_fastcgi_fpm.conf".*#   include "mod_fastcgi_fpm.conf"#g' /etc/lighttpd/lighttpd.conf

cat > /etc/lighttpd/mod_fastcgi_fpm.conf << EOF
server.modules += ( "mod_fastcgi" )
index-file.names += ( "index.php" )
fastcgi.server = ( ".php" => 
  (
    ( "host" => "10.10.1.10",
      "port" => 9000
    ),
    ( "host" => "10.10.2.10",
      "port" => 9000 )
    )
  )
EOF

sed -i -r 's|^.*listen =.*|listen = 9000|g' /etc/php*/php-fpm.d/www.conf

sed -i -r 's|^.*listen.owner = .*|listen.owner = lighttpd|g' /etc/php*/php-fpm.d/www.conf

sed -i -r 's|^.*listen.group = .*|listen.group = lighttpd|g' /etc/php*/php-fpm.d/www.conf

sed -i -r 's|^.*listen.mode = .*|listen.mode = 0660|g' /etc/php*/php-fpm.d/www.conf

rc-service php-fpm7 restart

rc-service lighttpd restart

echo "<?php echo phpinfo(); ?>" > /var/www/localhost/htdocs/info.php

3. The DBMS part: mysql/mariadb

Alpine Linux has dummy counterpart packages for those not changed from mysql to mariadb.

Installation

Take into consideration the user mysql was created during package instalation. In the initialization section two users will be created in database init: root and mysql, and at that point only if they are in their respective system accounts, will they be able to connect to the database service. 

apk add mysql mysql-client

Initialization

The datadir located at /var/lib/mysql must be owned by the mysql user and group. You can modify this behavior but you must edit the service file at /etc/init.d directory. Also, you need to set datadir=<YOUR_DATADIR> under section [mysqld] at the config file.

  1. Initialize the main mysql database, and the data dir as standardized to /var/lib/mysql by the rc script
  2. Then initialize the service, root account and socket connection are enabled without password at this point
  3. Set up the root account by asigning a proper password. This is pure paranoia. the next step does just that!
  4. Set up and init the installation by running the mysql_secure_installation
  5. Set up permissions for managing other users and databases
  6. Run the mysql_secure_installation script and answer the questions (see section below)

mysql_install_db --user=mysql --datadir=/var/lib/mysql

rc-service mariadb start

mysqladmin -u root password toor

mysql_secure_installation
  1. Enter current password for root (enter for none): must be provided because we set it previously. Correct response is OK, successfully used password, moving on...
  2. Switch to unix_socket authentication [Y/n] this must be disabled, so answer NO, and response will be ... skipping.
  3. Change the root password? [Y/n] Just press "n" only if you provided a good password, otherwise change it!
  4. Remove anonymous users? [Y/n] In any case, production system must remove it, so answer Y and proper respond mus be ... Success!.
  5. Disallow root login remotely? [Y/n] For sure answer Y and proper respond mus be ... Success!.
  6. Remove test database and access to it? [Y/n] Should be removed, so answer Y and proper respond mus be ... Success!.
  7. Reload privilege tables now? [Y/n] Aanswer Y and proper respond mus be ... Success!.

After reponse all the questions.. restart the service with rc-service mariadb restart

Configuration

Newer system Alpine packages can set in independent files in any case those commands always works and where are not apply just will ignore the output, for more info about that watch the MariaDB Configuration files section of the MariaDB wiki page.

  • On older Alpine system must set config files for MAX ALLOWED PACKETS to minimun proper amount:
  • Only allow local connections on cases where there's only one server or no expected to connect from others:
  • Set default charset to UTF8MB4
  • Added the service to start process but not at boot process due needs networking started.
  • Restart the service to apply changes.

sed -i "s|.*max_allowed_packet\s*=.*|max_allowed_packet = 100M|g" /etc/mysql/my.cnf
sed -i "s|.*max_allowed_packet\s*=.*|max_allowed_packet = 100M|g" /etc/my.cnf.d/mariadb-server.cnf

sed -i "s|.*bind-address\s*=.*|bind-address=127.0.0.1|g" /etc/mysql/my.cnf
sed -i "s|.*bind-address\s*=.*|bind-address=127.0.0.1|g" /etc/my.cnf.d/mariadb-server.cnf

cat > /etc/my.cnf.d/mariadb-server-default-charset.cnf << EOF
[client]
default-character-set = utf8mb4

[mysqld]
collation_server = utf8mb4_unicode_ci
character_set_server = utf8mb4

[mysql]
default-character-set = utf8mb4
EOF

rc-service mariadb restart

rc-update add mariadb default

On upgrade cases: If are unable to run any mysql command after an upgrade, it's because MySQL cannot start try run MySQL in safemode with mysqld_safe --datadir=/var/lib/mysql/ command and then run the mysql_upgrade -u root -p script. For more information watch the MariaDB upgrading section of the MariaDB wiki page.

adminer: Web Frontend administration

Adminer are a simple and single tool, tons of times faster thant PhpMysqladmin that are great but have too much security issues and lot of complext settings, we must use a more single and simpel solution easy to manage and upgrade.

Take in consideration that this needs as requisite the previous sections of web server, php scripting and mysql/mariadb engine configured and running: 



mkdir -p /var/www/webapps/adminer

wget https://github.com/vrana/adminer/releases/download/v4.7.6/adminer-4.7.6.php -O /var/www/webapps/adminer/adminer-4.7.6.php

ln -s adminer-4.7.6.php /var/www/webapps/adminer/index.php

cat > /etc/lighttpd/mod_adminer.conf << EOF
# NOTE: this requires mod_alias
alias.url += (
     "/adminer/"	    =>	    "/var/www/webapps/adminer/"
)
$HTTP["url"] =~ "^/adminer/" {
    # disable directory listings
    dir-listing.activate = "disable"
}
EOF

sed -i -r 's#\#.*mod_alias.*,.*#    "mod_alias",#g' /etc/lighttpd/lighttpd.conf

sed -i -r 's#.*include "mod_cgi.conf".*#   include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf

checkssl="";checkssl=$(grep 'include "mod_adminer.conf' /etc/lighttpd/lighttpd.conf);[[ "$checkssl" != "" ]] && echo listo || sed -i -r 's#.*include "mod_cgi.conf".*#include "mod_cgi.conf"\ninclude "mod_adminer.conf"#g' /etc/lighttpd/lighttpd.conf

rc-service lighttpd restart

The administrator must visit with exact url http://<ipaddress>/adminer/index.php because two main reasons: there's no directory listing and there's no direct php index reference in web server, all of this due paranoiac settings.

See Also

Retrieved from "https://wiki.alpinelinux.org/w/index.php?title=Production_LAMP_system:_Lighttpd_%2B_PHP_%2B_MySQL&oldid=19676"