Install Apache 2.4 and PHP-FPM with owner specific pools - CentOS 7

Mod Security isn’t ready for NGINX yet, even though the ModSec website says a stable version for NGINX is available it still lacks important features. Because of this I’ve had to stick to Apache, but why not then make use if PHP-FPM. PHP-FPM, if configured accordingly, allows you to setup account specific limits.

To get this done start by install the epel-release repo:

1	yum install epel-release

Install Apache 2.4 and for good measure, install the devel package as well.

1	yum install httpd httpd-devel

Next up install php-fpm. Note: Previously you needed to install mod_fastcgi but since Apache 2.4 we use mod_proxy_fcgi

Starting from release 5.3.3 in early 2010, PHP has merged the php-fpm fastCGI process manager into its codebase, and it is now (as of 5.4.1) quite stable.

php-fpm was previously found at http://php-fpm.org/

This means that we can now run secure, fast, and dependable PHP code using only the stock apache httpd and php.net releases; no more messing around with suphp or suexec - or, indeed, mod_php.

Source: https://wiki.apache.org/httpd/PHP-FPM

Install:

1	yum install php-fpm

Enable Apache and PHP-FPM to start at startup

1 2	chkconfig httpd on chkconfig php-fpm on

Start both services:

1 2	service httpd start service php-fpm start

As of now, you’ve installed both Apache 2.4 and PHP-FPM but Apache doesn’t know how to call PHP-FPM, let’s do that below:

Create two folders inside /etc/httpd/

1 2	/etc/httpd/sites-available /etc/httpd/sites-enabled

Create a file inside /etc/httpd/sites-available named test.com.conf

# File: /etc/httpd/sites-available/test.com.conf

ServerName test.com

ServerAlias www.test.com

DocumentRoot /var/www/vhosts/test.com/httpdocs

ErrorLog /var/www/vhosts/test.com/logs/error_log

CustomLog /var/www/vhosts/test.com/logs/access.log combined

SetHandler "proxy:unix:/var/run/php-fpm/php5-fpm_test.com.sock|fcgi://test.com/"

</FilesMatch>

ProxySet connectiontimeout=5 timeout=240

</Proxy>

Order allow,deny

Allow from all

AllowOverride FileInfo All

# New directive needed in Apache 2.4.3:

Require all granted

</Directory>

</VirtualHost>

Create the required folders

mkdir /var/www/vhosts/test.com

mkdir /var/www/vhosts/test.com/httpdocs

mkdir /var/www/vhosts/test.com/logs

Create a symlink of this file to /etc/httpd/sites-enabled

1	ln -s /etc/httpd/sites-available/test.com/conf /etc/httpd/sites-enabled/test.com/conf

Configure Apache to read the conf files from the /etc/httpd/sites-enabled folder. Add the following line at the end of /etc/httpd/conf/httpd.conf

1	IncludeOptional sites-enabled/*.conf

Now, navigate to /etc/php-fpm.d and either duplicate the www.conf or create a new file test.com.conf and add the following to it

; Start a new pool named 'www'.

[test.com]

listen = /var/run/php-fpm/php5-fpm_test.com.sock

listen.allowed_clients = 127.0.0.1

user = test.com

group = test.com

pm = dynamic

pm.max_children = 50

pm.start_servers = 5

pm.min_spare_servers = 5

pm.max_spare_servers = 35

php_admin_value[error_log] = /var/www/vhosts/test.com/logs/www-error.log

php_admin_flag[log_errors] = on

php_value[session.save_handler] = files

php_value[session.save_path] = /var/lib/php/session

Now add a user to the system

1	useradd -d /var/www/vhosts/test.com/ test.com

The user in this case is test.com. Issue the following to change ownership of it’s home directory and give it to the user test.com

1	chown -R test.com:test.com /var/www/vhosts/test.com

Make sure the folder permissions are set to 0755 and file permissions to 0644. With the setup above, you won’t need to set the permission 777 to files and folders to write to them.

Restart Apache and PHP-FPM

1 2	service httpd restart service php-fpm restart

Throw a file in /var/www/vhosts/test.com/httpdocs/ to verify things work

# File test.php

<?php

phpinfo();

If everything goes fine, you should something like below

loudnoisespplyelling
Thanks for the great tutorial, I just finished running through it and have a couple of minor corrections:
1) In the step where you link the directory located within sites-available to the one located within sites-enabled, the IncludeOptional statement needs to be slightly modified for httpd to find the config. Alternately, the link needs to be adjusted so that the soft-linked conf file is located within /etc/httpd/sites-enabled instead of /etc/httpd/sites-enabled/conf for it to work with the IncludeOptional statement as written.
2) You may need to chown ownership of the socket to apache:apache after turning on php-fpm for the first time. On my system, it was created with the ownership: root:root. Not changing this will prevent mod_proxy from using the socket to transfer php-related requests to php-fpm through the socket, because it won’t have permissions to use it.
- loudnoisespplyelling
  So, after restarting php-fpm and getting the same permissions error mentioned above, I figured out that the above configuration requires a few more lines to prevent the socket from being owned by root:root.
  listen.owner = apache
  listen.group = apache
  listen.mode = 0660
  The owner and group values should match the user and group name that httpd is set to run as in the main httpd.conf file. The default is apache:apache.