PHP
- These instructions assume Ubuntu LTS (currently 20.04, c. August 2021) and are easily adapted to a Docker or other container definition, Ansible playbook, etc.
There's a lot of talk about using Nginx instead of Apache, and for some things it's probably easier to configure or maintain, especially if you're writing IaC, but some things still assume or prefer Apache, particularly in PHP land. WordPress and NextCloud are example PHP applications that want to modify their .htaccess files in-place, for example to keep up with security developments.
Perhaps part of the reason for the currently fashionable dim view of Apache's performance is that PHP is often run in production using mod-php, which at best should only be used on a development workstation, if at all. Apart from being incompatible with HTTP/2, it is a CPU and memory hog, since it can only run using Apache's horribly inefficient prefork multi-process management (MPM). Apache has several modules for dealing with MPM, but can only have one MPM module enabled at a time. Other much better, multithreaded, more efficient and fast MPM modules have been around for nearly two decades, and since version 5.4 of PHP we can use Apache's Event MPM and FastCGI modules with PHP-FPM.
With PHP processes being handled much more efficiently, and by being able to finally enable HTTP/2 in Apache, it all actually goes like the clappers.
Prerequisites
Install some stuff first. To support NextCloud for example, this Apache PHP recipe also uses PostgreSQL, Redis, FastCGI with PHP FPM, and Dehydrated for managing Letsencrypt SSL certificates.
sudo apt install apache2 libapache2-mod-fcgid \ php7.4-{bcmath,bz2,curl,gd,fpm,gmp,intl,json,mbstring,opcache,pgsql,soap,tidy,xmlrpc,xsl,zip} php-{fpm,imagick,redis} composer dehydrated postgresql redis-server
Set up Apache
Enable the required Apache configurations and modules:
a2enconf php7.4-fpm a2enmod dir env headers mpm_event proxy_fcgi rewrite setenvif ssl systemctl restart apache2
You should now be able to define your virtual hosts in /etc/apache2/sites-available and enable them, with PHP support.
Deny access to git repositories
Add a global config to deny access to git repositories and other hidden stuff, in /etc/apache2/conf-available/deny-git.conf:
# /etc/apache2/conf-available/deny-git.conf RedirectMatch 404 "/\.(git|hg|bzr|svn|cvs|tag|ht)"
Then enable it with:
a2enconf deny-git systemctl restart apache2
Add a virtual host
A virtual host for a typical PHP web application should look something like this:
<VirtualHost *:443> ServerName app.example.com DocumentRoot /var/www/app <Directory "/var/www/app"> Options FollowSymLinks MultiViews AllowOverride All Require all granted </Directory> SSLEngine On SSLCertificateFile ... </VirtualHost>
Configure PHP
The configuration for PHP code hosted by Apache using PHP-FPM is located under /etc/php/7.4/fpm.
You will not be able to use mod-php php_value directives in Apache configuration; either try and do without, or set environment variables instead.
PHP works a lot better with a few extra things configured. Enable the opcache, increase the memory limit, and depending on what you're hosting, increase the maximum POST size so users can upload photos and other large files. Other fun helpful things include using Redis for PHP sessions, and tuning the FPM process parameters to make stuff more efficient under load.
Keep your PHP custom settings and tweaks separate
Since Debian now moves files around with each new version of PHP, you can keep your customisations to the php.ini file in a local configuration. For example, instead of editing /etc/php/7.4/fpm/php.ini, put these settings in /etc/php/local/php.ini:
; /etc/php/local/php.ini ; Override settings in the dist php.ini here ; symbolic link this file to /etc/php/<version>/conf.d/99-local.ini max_execution_time = 60 memory_limit = 512M post_max_size = 500M upload_max_filesize = 500M opcache.enable=1
Then we add a symbolic link in the conf.d directory where you need it, for example:
ln -s /etc/php/local/php.ini /etc/php/7.4/fpm/conf.d/99-local.ini