Hardened PHP-FPM Library for RH Derivatives
by eclubb
Installs a feature-rich PHP build patched with Suhosin (both the patch and the extension), plus PHP-FPM. Extracted from rnolen's LEMP_lib and ported to CentOS/Fedora.
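#!/bin/bash
#############
# PHP-FPM   #
#############

#######################################
# Build and install PHP (with the Suhosin patch and extension) and PHP-FPM
# from source on CentOS/Fedora, then configure and start /etc/init.d/php-fpm.
# Globals:   exports LIBEVENT_VER, PHP_FPM_VER, PHP_VER, SUHOSIN_PATCH_VER,
#            SUHOSIN_VER, PHP_VER_IND and LIBEVENT_SEARCH_PATH so other
#            functions of the library can reuse them
# Arguments: none
# Outputs:   build-tool output on stdout/stderr
# Returns:   0 on success; 1 as soon as a download, extract, cd, configure,
#            build or install step fails (the build directory is left in
#            place for inspection in that case)
#######################################
function php-fpm_install {
  #check for versions of: libevent; php-fpm; php; suhosin; suhosin patch.
  #the naming conventions php-fpm have changed at random in the past. be careful.
  #
  # http://monkey.org/~provos/libevent/
  # http://launchpad.net/php-fpm/
  # http://php.net/
  # http://www.hardened-php.net/suhosin/download.html
  #
  #and alter variables as necessary
  export LIBEVENT_VER=1.4.13-stable
  export PHP_FPM_VER=0.6
  export PHP_VER=5.3.2
  export SUHOSIN_PATCH_VER=0.9.9.1
  export SUHOSIN_VER=0.9.29
  #PHP-FPM for specific PHP versions are no longer, so using the latest applicable which seems to work fine (read: I use it in production)
  export PHP_VER_IND=5.3.1

  local build_dir php_src orig_dir
  orig_dir=$PWD

  #dependencies for all the stuff to be included with php
  yum install -y libxml2-devel bzip2-devel curl-devel libjpeg-devel libpng-devel libXpm-devel freetype-devel t1lib-devel libmcrypt-devel libxslt-devel || return 1

  #create directory to play in.
  # mktemp instead of a fixed /tmp/phpstuff: a predictable path that root
  # unpacks into, installs from and later rm -rf's could be pre-created by
  # any local user, so every step below works on a freshly created private
  # directory and addresses it through $build_dir rather than a literal path.
  build_dir=$(mktemp -d /tmp/phpstuff.XXXXXX) || return 1
  cd "$build_dir" || return 1

  # NOTE(review): every download below is plain HTTP with no checksum or
  # signature verification. For a hardened install, compare each tarball
  # against a known digest (<EXPECTED_SHA256> placeholder) before building.

  #need stable libevent.
  wget "http://www.monkey.org/~provos/libevent-$LIBEVENT_VER.tar.gz" || return 1
  tar -xzvf "libevent-$LIBEVENT_VER.tar.gz" || return 1
  cd "libevent-$LIBEVENT_VER" || return 1
  ./configure || return 1
  make || return 1
  # staged install into the source tree; php-fpm is pointed at it below
  DESTDIR="$PWD" make install || return 1
  export LIBEVENT_SEARCH_PATH="$PWD/usr/local"
  #don't want to build in libevent directory
  cd "$build_dir" || return 1

  #grab php.
  # -O pins the local filename: the URL's last component is "mirror", so the
  # saved name would otherwise depend on how wget handles the redirect, and
  # the tar below expects "php-$PHP_VER.tar.bz2".
  wget -O "php-$PHP_VER.tar.bz2" "http://us.php.net/get/php-$PHP_VER.tar.bz2/from/us.php.net/mirror" || return 1
  tar -xjvf "php-$PHP_VER.tar.bz2" || return 1
  php_src="$build_dir/php-$PHP_VER"

  #grab suhosin.
  wget "http://download.suhosin.org/suhosin-patch-$PHP_VER-$SUHOSIN_PATCH_VER.patch.gz" || return 1
  gunzip "suhosin-patch-$PHP_VER-$SUHOSIN_PATCH_VER.patch.gz" || return 1

  #patch php with suhosin.
  cd "$php_src" || return 1
  patch -p 1 -i "$build_dir/suhosin-patch-$PHP_VER-$SUHOSIN_PATCH_VER.patch" || return 1

  #build php (out-of-tree, in php-build)
  mkdir php-build || return 1
  cd php-build || return 1
  ../configure --with-config-file-path=/usr/local/lib/php --with-curl --enable-exif \
    --with-gd --with-jpeg-dir --with-png-dir --with-zlib --with-xpm-dir \
    --with-freetype-dir --with-t1lib --with-mcrypt --with-mhash \
    --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd \
    --with-openssl --enable-sysvmsg --enable-wddx --with-xsl --enable-zip \
    --with-bz2 --enable-bcmath --enable-calendar --enable-ftp --enable-mbstring \
    --enable-soap --enable-sockets --enable-sqlite-utf8 --with-gettext \
    --enable-shmop --with-xmlrpc || return 1
  make || return 1

  #grab php-fpm and build (inside php-build, so it can see the built tree)
  wget "http://launchpad.net/php-fpm/master/$PHP_FPM_VER/+download/php-fpm-$PHP_FPM_VER~$PHP_VER_IND.tar.gz" || return 1
  tar -xzvf "php-fpm-$PHP_FPM_VER~$PHP_VER_IND.tar.gz" || return 1
  # the tarball name uses "~" but the extracted directory uses "-"; see the
  # naming-convention warning at the top of this function
  cd "php-fpm-$PHP_FPM_VER-$PHP_VER_IND" || return 1
  mkdir fpm-build || return 1
  cd fpm-build || return 1
  # absolute paths to the php source and build trees instead of ../../../
  # and ../../, which resolve to the same directories but silently point at
  # the wrong place if any earlier cd failed
  ../configure --srcdir=../ --with-php-src="$php_src" \
    --with-php-build="$php_src/php-build" \
    --with-libevent="$LIBEVENT_SEARCH_PATH" \
    --with-fpm-bin=/usr/local/sbin/php-fpm \
    --with-fpm-init=/etc/init.d/php-fpm || return 1
  make || return 1

  #install php
  cd "$php_src/php-build" || return 1
  make install || return 1

  #move php.ini to where php-fpm looks for it
  cp "$php_src/php.ini-production" /usr/local/lib/php/php.ini || return 1
  #set permissions
  chmod 644 /usr/local/lib/php/php.ini

  #install php-fpm
  cd "$php_src/php-build/php-fpm-$PHP_FPM_VER-$PHP_VER_IND/fpm-build" || return 1
  make install || return 1

  #grab and install suhosin extension.
  cd "$build_dir" || return 1
  wget "http://download.suhosin.org/suhosin-$SUHOSIN_VER.tgz" || return 1
  tar -xzvf "suhosin-$SUHOSIN_VER.tgz" || return 1
  cd "suhosin-$SUHOSIN_VER" || return 1
  /usr/local/bin/phpize || return 1
  ./configure --with-php-config="/usr/local/bin/php-config" || return 1
  make || return 1
  make install || return 1
  #make php use it.
  printf '%s\n' "extension = suhosin.so" >> /usr/local/lib/php/php.ini

  #have /etc/init.d/php-fpm run on boot
  chkconfig --level 35 php-fpm on

  #/etc/php-fpm.conf stuff
  #
  #sockets > ports. Using the 127.0.0.1:9000 stuff needlessly introduces TCP/IP overhead.
  sed -i 's/<value\ name="listen_address">127.0.0.1:9000<\/value>/<value\ name="listen_address">\/var\/run\/php-fpm.sock<\/value>/' /etc/php-fpm.conf
  #
  #nice strict permissions
  # NOTE(review): 0600 lets only the socket owner connect, so the web server
  # must run as the owner/group set in the same listen_options block -- confirm
  # against the php-fpm.conf this version installs.
  sed -i 's/<value\ name="mode">0666<\/value>/<value\ name="mode">0600<\/value>/' /etc/php-fpm.conf
  #
  #matches available processors. Will not make a 360 melt.
  sed -i 's/<value\ name="max_children">5<\/value>/<value\ name="max_children">4<\/value>/' /etc/php-fpm.conf
  #
  #i like to know when scripts are slow.
  sed -i 's/<value\ name="request_slowlog_timeout">0s<\/value>/<value name="request_slowlog_timeout">2s<\/value>/' /etc/php-fpm.conf
  #
  #edited to include PHP path
  sed -i 's/<value\ name="PATH">\/usr\/local\/bin:\/usr\/bin:\/bin<\/value>/<value\ name="PATH">\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/sbin<\/value>/' /etc/php-fpm.conf

  #Engage.
  /etc/init.d/php-fpm start

  #remove build crap. Leave the tree first so the shell is not left sitting
  #in a deleted directory; ${build_dir:?} refuses to run if the variable is
  #somehow empty (an empty value would turn this into rm -rf of nothing sane).
  cd "$orig_dir" || cd /
  rm -rf -- "${build_dir:?}"
}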