1. StackScripts
  2. Hardened PHP-FPM Library for RH Derivatives

Hardened PHP-FPM Library for RH Derivatives

by eclubb
32 deployments · 4 still active · last rev. 7 years ago

Installs a feature-rich PHP patched with Suhosin+extension, and PHP-FPM. Extracted from rnolen's LEMP_lib and ported to CentOS/Fedora.

Compatible with: No distros currently supported 
						#!/bin/bash

#############
#  PHP-FPM  #
#############

function php-fpm_install {
  #check for versions of: libevent; php-fpm; php; suhosin; suhosin patch.
  #the naming conventions php-fpm have changed at random in the past. be careful.
  #
  # http://monkey.org/~provos/libevent/
  # http://launchpad.net/php-fpm/
  # http://php.net/
  # http://www.hardened-php.net/suhosin/download.html
  #
  #and alter variables as necessary

  export LIBEVENT_VER=1.4.13-stable
  export PHP_FPM_VER=0.6
  export PHP_VER=5.3.2
  export SUHOSIN_PATCH_VER=0.9.9.1
  export SUHOSIN_VER=0.9.29
  #PHP-FPM for specific PHP versions are no longer, so using the latest applicable which seems to work fine (read: I use it in production)
  export PHP_VER_IND=5.3.1

  #dependencies for all the stuff to be included with php
  yum install -y libxml2-devel bzip2-devel curl-devel libjpeg-devel libpng-devel libXpm-devel freetype-devel t1lib-devel libmcrypt-devel libxslt-devel

  #create directory to play in
  mkdir /tmp/phpstuff
  cd /tmp/phpstuff

  #need stable libevent.
  wget "http://www.monkey.org/~provos/libevent-$LIBEVENT_VER.tar.gz"
  tar -xzvf "libevent-$LIBEVENT_VER.tar.gz"
  cd "libevent-$LIBEVENT_VER"
  ./configure
  make
  DESTDIR=$PWD make install
  export LIBEVENT_SEARCH_PATH="$PWD/usr/local"

  #don't want to build in libevent directory
  cd ../

  #grab php.
  wget "http://us.php.net/get/php-$PHP_VER.tar.bz2/from/us.php.net/mirror"
  tar -xjvf "php-$PHP_VER.tar.bz2"

  #grab suhosin.
  wget "http://download.suhosin.org/suhosin-patch-$PHP_VER-$SUHOSIN_PATCH_VER.patch.gz"
  gunzip "suhosin-patch-$PHP_VER-$SUHOSIN_PATCH_VER.patch.gz"

  #patch php with suhosin.
  cd "php-$PHP_VER"
  patch -p 1 -i "../suhosin-patch-$PHP_VER-$SUHOSIN_PATCH_VER.patch"

  #build php
  mkdir php-build
  cd php-build
  ../configure --with-config-file-path=/usr/local/lib/php --with-curl --enable-exif --with-gd --with-jpeg-dir --with-png-dir --with-zlib --with-xpm-dir --with-freetype-dir --with-t1lib --with-mcrypt --with-mhash --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-openssl --enable-sysvmsg --enable-wddx --with-xsl --enable-zip --with-bz2 --enable-bcmath --enable-calendar --enable-ftp --enable-mbstring --enable-soap --enable-sockets --enable-sqlite-utf8 --with-gettext --enable-shmop --with-xmlrpc
  make

  #grab php-fpm and build
  wget "http://launchpad.net/php-fpm/master/$PHP_FPM_VER/+download/php-fpm-$PHP_FPM_VER~$PHP_VER_IND.tar.gz"
  tar -xzvf "php-fpm-$PHP_FPM_VER~$PHP_VER_IND.tar.gz"
  cd "php-fpm-$PHP_FPM_VER-$PHP_VER_IND"
  mkdir fpm-build
  cd fpm-build
  ../configure --srcdir=../ --with-php-src="../../../" --with-php-build="../../" --with-libevent="$LIBEVENT_SEARCH_PATH" --with-fpm-bin=/usr/local/sbin/php-fpm  --with-fpm-init=/etc/init.d/php-fpm
  make

  #install php
  cd ../../
  make install

  #move php.ini to where php-fpm looks for it
  cp "/tmp/phpstuff/php-$PHP_VER/php.ini-production" /usr/local/lib/php/php.ini

  #set permissions
  chmod 644 /usr/local/lib/php/php.ini

  #install php-fpm
  cd "php-fpm-$PHP_FPM_VER-$PHP_VER_IND"
  cd fpm-build
  make install

  #grab and install suhosin extension.
  cd ../../../../
  wget "http://download.suhosin.org/suhosin-$SUHOSIN_VER.tgz"
  tar -xzvf "suhosin-$SUHOSIN_VER.tgz"
  cd "suhosin-$SUHOSIN_VER"
  /usr/local/bin/phpize
  ./configure --with-php-config="/usr/local/bin/php-config"
  make
  make install

  #make php use it.
  echo "extension = suhosin.so" >> /usr/local/lib/php/php.ini

  #have /etc/init.d/php-fpm run on boot
  chkconfig --level 35 php-fpm on

  #/etc/php-fpm.conf stuff
  #
  #sockets > ports. Using the 127.0.0.1:9000 stuff needlessly introduces TCP/IP overhead.
  sed -i 's/<value\ name="listen_address">127.0.0.1:9000<\/value>/<value\ name="listen_address">\/var\/run\/php-fpm.sock<\/value>/' /etc/php-fpm.conf
  #
  #nice strict permissions
  sed -i 's/<value\ name="mode">0666<\/value>/<value\ name="mode">0600<\/value>/' /etc/php-fpm.conf
  #
  #matches available processors. Will not make a 360 melt.
  sed -i 's/<value\ name="max_children">5<\/value>/<value\ name="max_children">4<\/value>/' /etc/php-fpm.conf
  #
  #i like to know when scripts are slow.
  sed -i 's/<value\ name="request_slowlog_timeout">0s<\/value>/<value name="request_slowlog_timeout">2s<\/value>/' /etc/php-fpm.conf
  #
  #edited to include PHP path
  sed -i 's/<value\ name="PATH">\/usr\/local\/bin:\/usr\/bin:\/bin<\/value>/<value\ name="PATH">\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/sbin<\/value>/' /etc/php-fpm.conf

  #Engage.
  /etc/init.d/php-fpm start

  #remove build crap
  rm -rf /tmp/phpstuff
}