{"id":220,"date":"2014-11-19T23:13:13","date_gmt":"2014-11-20T04:13:13","guid":{"rendered":"http:\/\/devroar.com\/?p=220"},"modified":"2014-11-20T11:57:58","modified_gmt":"2014-11-20T16:57:58","slug":"configuring-php5-fpm-pools-with-suhosin-custom-php-ini-settings","status":"publish","type":"post","link":"http:\/\/devroar.com\/index.php\/2014\/11\/19\/configuring-php5-fpm-pools-with-suhosin-custom-php-ini-settings\/","title":{"rendered":"Configuring PHP5-FPM Pools with Suhosin \/ Custom php.ini Settings"},"content":{"rendered":"

\"Suhosin\"<\/a><\/p>\n

If you have followed my server setup guide you should already have php5-fpm installed using some pretty basic settings. Pools are very powerful and you can do a lot more with them if you choose. You can configure new pools that are only used by specific domain names, you might want this if you have a website that gets a lot more traffic than others on your server. Dedicated pools could make the website more stable and guarantee resources. You can also configure specific php.ini settings on a specific pool if you need to for instance lock down a specific domain so it can’t use certain functions, increase \/ decrease memory allowance, etc. It can be very useful. <\/p>\n

Suhosin<\/a> is an extension for the web server that allows you to further lock down various aspects of your PHP install. You can disable eval() which you can not do with the php.ini as it’s not a “real” function it’s a language construct. Basically Suhosin gives you a lot more power and flexibility, that normally you would not be able to attain. Suhosin works very well with php5-fpm pools, you can set it’s configuration variables just the same as you would with php.ini settings.<\/p>\n

<\/p>\n

Configure \/ Restructure FPM Pools<\/h3>\n

To begin, I like to trim my www.conf down to the minimum. Make a backup of the original somewhere in case you want to look at some of the commented out settings.<\/p>\n

Replace the contents of \/etc\/php5\/fpm\/pool.d\/www.conf<\/em> with
\n
\n[www]<\/p>\n

user = www-data
\ngroup = www-data<\/p>\n

listen.owner = www-data
\nlisten.group = www-data<\/p>\n

pm = dynamic<\/p>\n

chdir = \/<\/p>\n

pm.max_children = 10
\npm.start_servers = 2
\npm.min_spare_servers = 1
\npm.max_spare_servers = 3<\/p>\n

listen = \/var\/run\/php5-fpm.sock
\n<\/code><\/p>\n

Now create a new file at \/etc\/php5\/fpm\/pool.d\/www2.conf<\/em> and paste in the following<\/p>\n


\n[www2]<\/p>\n

user = www-data
\ngroup = www-data<\/p>\n

listen.owner = www-data
\nlisten.group = www-data<\/p>\n

pm = dynamic<\/p>\n

chdir = \/<\/p>\n

;commented out for after we install suhosin
\n;php_flag[suhosin.executor.disable_eval] = On<\/p>\n

pm.max_children = 5
\npm.start_servers = 1
\npm.min_spare_servers = 1
\npm.max_spare_servers = 3<\/p>\n

listen = \/var\/run\/php5-fpm-www2.sock
\n<\/code><\/p>\n

You’ve now made a second pool with tweaked settings. Next up is installing suhosin.<\/p>\n

Installing suhosin<\/h3>\n

Go download the latest version of suhosin from their download<\/a> page.<\/p>\n


\ncd ~\/installs
\nwget http:\/\/download.suhosin.org\/suhosin-0.9.36.tgz
\ntar -xvf suhosin-0.9.36.tgz
\ncd suhosin-0.9.36
\nphpize
\n.\/configure
\nmake
\nmake install
\n<\/code><\/p>\n

Now we need to enable the extension. Create a new file at \/etc\/php5\/mods-available\/suhosin.ini<\/em> put this in the file
\n
\nextension=suhosin.so
\n<\/code><\/p>\n

Now we need to create a symlink pointing to it.
\n
\nsudo ln -s \/etc\/php5\/mods-available\/suhosin.ini \/etc\/php5\/fpm\/conf.d\/suhosin.ini
\n<\/code><\/p>\n

Now edit your www2.conf and uncomment the line that is commented out to disable eval on that pool’s php config. You can actually put any settings that would normally go in php.ini into this pool file to change specific php settings only on certain domains. Example: php_flag[disabled_functions] = “phpinfo” would disable the phpinfo() function.<\/em><\/p>\n

Then, open up the domain’s vhost file. \/etc\/nginx\/sites-available\/[domain].conf<\/em> and change the socket line to match the new pool you created.
\n
\nfastcgi_pass unix:\/var\/run\/php5-fpm-www2.sock;
\n<\/code><\/p>\n

Reboot your nginx and restart php5-fpm
\n
\nsudo service nginx restart
\nsudo service php5-fpm restart
\n<\/code><\/p>\n

Suhosin should be enabled now, try looking at a phpinfo file to verify. You should see a Suhosin section that lists “suhosin.executor.disable_eval” as being turned on.<\/p>\n","protected":false},"excerpt":{"rendered":"

Download article as PDF If you have followed my server setup guide you should already have php5-fpm installed using some pretty basic settings. Pools are very powerful and you can do a lot more with them if you choose. You…<\/span><\/p>\n

Read more ›<\/a><\/div>\n

<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,53],"tags":[130,36,127,129,44,128,131,132,126],"_links":{"self":[{"href":"http:\/\/devroar.com\/index.php\/wp-json\/wp\/v2\/posts\/220"}],"collection":[{"href":"http:\/\/devroar.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/devroar.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/devroar.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/devroar.com\/index.php\/wp-json\/wp\/v2\/comments?post=220"}],"version-history":[{"count":17,"href":"http:\/\/devroar.com\/index.php\/wp-json\/wp\/v2\/posts\/220\/revisions"}],"predecessor-version":[{"id":248,"href":"http:\/\/devroar.com\/index.php\/wp-json\/wp\/v2\/posts\/220\/revisions\/248"}],"wp:attachment":[{"href":"http:\/\/devroar.com\/index.php\/wp-json\/wp\/v2\/media?parent=220"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/devroar.com\/index.php\/wp-json\/wp\/v2\/categories?post=220"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/devroar.com\/index.php\/wp-json\/wp\/v2\/tags?post=220"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}