Configuring PHP5-FPM Pools with Suhosin / Custom php.ini Settings

Suhosin

If you have followed my server setup guide you should already have php5-fpm installed with some pretty basic settings. Pools are very powerful and you can do a lot more with them if you choose. You can configure new pools that are only used by specific domain names; you might want this if one website gets a lot more traffic than the others on your server, since a dedicated pool can make that site more stable and guarantee it resources. You can also set specific php.ini settings on a specific pool, for instance to lock down one domain so it can’t use certain functions, or to increase or decrease its memory allowance. It can be very useful.

Suhosin is an extension for the web server that allows you to further lock down various aspects of your PHP install. You can disable eval(), which you cannot do in php.ini because eval is not a “real” function but a language construct. Basically Suhosin gives you a lot more power and flexibility than you would normally be able to attain. Suhosin works very well with php5-fpm pools; you can set its configuration variables just the same as you would php.ini settings.

Configure / Restructure FPM Pools

To begin, I like to trim my www.conf down to the minimum. Make a backup of the original somewhere in case you want to look at some of the commented out settings.

Replace the contents of /etc/php5/fpm/pool.d/www.conf with

[www]

user = www-data
group = www-data

listen.owner = www-data
listen.group = www-data

pm = dynamic

chdir = /

pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

listen = /var/run/php5-fpm.sock

Now create a new file at /etc/php5/fpm/pool.d/www2.conf and paste in the following


[www2]

user = www-data
group = www-data

listen.owner = www-data
listen.group = www-data

pm = dynamic

chdir = /

;commented out for after we install suhosin
;php_flag[suhosin.executor.disable_eval] = On

pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3

listen = /var/run/php5-fpm-www2.sock

You’ve now made a second pool with tweaked settings. Next up is installing suhosin.

Installing suhosin

Go download the latest version of suhosin from their download page.


cd ~/installs
wget http://download.suhosin.org/suhosin-0.9.36.tgz
tar -xvf suhosin-0.9.36.tgz
cd suhosin-0.9.36
phpize
./configure
make
make install

Now we need to enable the extension. Create a new file at /etc/php5/mods-available/suhosin.ini and put this in it:

extension=suhosin.so

Now we need to create a symlink pointing to it.

sudo ln -s /etc/php5/mods-available/suhosin.ini /etc/php5/fpm/conf.d/suhosin.ini

Now edit your www2.conf and uncomment the line that disables eval in that pool’s PHP config. You can put any setting that would normally go in php.ini into this pool file to change PHP settings only for certain domains. Example: php_admin_value[disable_functions] = phpinfo would disable the phpinfo() function. Note that php_flag is for boolean (On/Off) settings only, and that disable_functions is a PHP_INI_SYSTEM directive, so from a pool file it can only be set with the php_admin_value form; php_value[disable_functions] is rejected by php-fpm.

Then, open up the domain’s vhost file. /etc/nginx/sites-available/[domain].conf and change the socket line to match the new pool you created.

fastcgi_pass unix:/var/run/php5-fpm-www2.sock;
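Two things are easy to get wrong when splitting domains across pools: a directive that silently does nothing because it was set with php_flag/php_value instead of the php_admin_ form, and a vhost whose fastcgi_pass points at a socket no pool listens on (or at the wrong pool, so the lockdown never applies). The following Python script is an added example, not code from the original post: it parses pool files in the format shown above and cross-checks them against nginx vhosts. The pool and vhost text embedded in it is constructed to mirror www.conf and www2.conf (with the Suhosin line uncommented and a disable_functions entry set the wrong way), plus one vhost that names a socket no pool serves. The SYSTEM_ONLY list is a short, non-exhaustive sample of directives php.ini marks PHP_INI_SYSTEM.

```python
"""Audit php5-fpm pool files and the nginx vhosts that point at them.

Added example, not code from the original post. The pool text and vhost
snippets below are constructed sample input; SYSTEM_ONLY is a short,
non-exhaustive list of directives that are PHP_INI_SYSTEM.
"""
import re

# Constructed sample: the two pools from the post. www2 also sets
# disable_functions with php_flag, which is the wrong directive type.
POOL_FILES = {
    "www.conf": """[www]
user = www-data
group = www-data
listen.owner = www-data
listen.group = www-data
pm = dynamic
chdir = /
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
listen = /var/run/php5-fpm.sock
""",
    "www2.conf": """[www2]
user = www-data
group = www-data
listen.owner = www-data
listen.group = www-data
pm = dynamic
chdir = /
php_flag[suhosin.executor.disable_eval] = On
php_flag[disable_functions] = phpinfo
pm.max_children = 5
listen = /var/run/php5-fpm-www2.sock
""",
}

# Constructed nginx vhost fragments; the second names a socket no pool serves.
VHOSTS = {
    "example.com.conf": "fastcgi_pass unix:/var/run/php5-fpm-www2.sock;",
    "other.example.conf": "fastcgi_pass unix:/var/run/php5-fpm-www3.sock;",
}

# php.ini directives that are PHP_INI_SYSTEM: a pool can only set them
# through php_admin_value / php_admin_flag, never php_value / php_flag.
SYSTEM_ONLY = {"disable_functions", "disable_classes", "expose_php"}

KV_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")
FCGI_RE = re.compile(r"fastcgi_pass\s+unix:([^;\s]+)\s*;")


def parse_pool(text):
    """Return (pool_name, {directive: value}) for one pool file."""
    name, settings = None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip ';' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            continue
        m = KV_RE.match(line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return name, settings


def audit_pools(pools):
    """pools: {filename: (name, settings)}. Return a list of finding strings."""
    findings, owner = [], {}
    for name, s in pools.values():
        sock = s.get("listen")
        if sock is None:
            findings.append(f"{name}: no listen directive")
        elif sock in owner:
            findings.append(f"{name}: listen {sock} already used by pool {owner[sock]}")
        else:
            owner[sock] = name
        # A unix socket without an explicit mode gets the build's default,
        # which differs across PHP versions; 0660 keeps other local users out.
        if sock and sock.startswith("/") and "listen.mode" not in s:
            findings.append(f"{name}: listen.mode not set, set 0660 explicitly")
        for key in s:
            m = re.match(r"php_(flag|value)\[(.+)\]$", key)
            if m and m.group(2) in SYSTEM_ONLY:
                findings.append(
                    f"{name}: {m.group(2)} is PHP_INI_SYSTEM, use "
                    f"php_admin_{m.group(1)} instead of php_{m.group(1)}")
    users = {s.get("user") for _, s in pools.values()}
    if len(pools) > 1 and len(users) == 1:
        findings.append("all pools run as the same user: separate resources, "
                        "but not separate file-system privileges")
    return findings


def cross_check(vhosts, pools):
    """Map each vhost file to the pool behind its fastcgi_pass socket (None if none)."""
    by_socket = {s.get("listen"): name for name, s in pools.values()}
    return {vfile: by_socket.get(sock)
            for vfile, text in vhosts.items()
            for sock in FCGI_RE.findall(text)}


def run(pool_files=POOL_FILES, vhosts=VHOSTS):
    """Parse every pool file, then audit them and resolve each vhost to its pool."""
    pools = {f: parse_pool(t) for f, t in pool_files.items()}
    return audit_pools(pools), cross_check(vhosts, pools)


if __name__ == "__main__":
    findings, mapping = run()
    for f in findings:
        print("FINDING:", f)
    for vfile, pool in mapping.items():
        print(f"{vfile} -> {pool or 'NO POOL LISTENING (nginx would return 502)'}")
```

On a real server you would read the pool files from /etc/php5/fpm/pool.d/ and the vhosts from /etc/nginx/sites-enabled/ instead of the embedded strings; the parsing and checks are the same. The "same user" finding is informational: the two pools in this post both run as www-data, which separates process limits and php settings per domain but not what each domain's code can read on disk.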

Restart nginx and php5-fpm

sudo service nginx restart
sudo service php5-fpm restart

Suhosin should be enabled now; try looking at a phpinfo file served by that domain to verify. You should see a Suhosin section that lists “suhosin.executor.disable_eval” as being turned on. Remove the phpinfo file once you have checked, since it exposes your configuration to anyone who finds it.
