
Instalasi Nginx-PHP pada Linux

Persiapan

Proses

Repositori - Nginx & PHP

Variabel
# PHP major.minor release to install (Remi module stream / ondrej PPA).
PHP_VER="7.4"
# Working directory where the custom SELinux policy module is built.
DIREKTORI_PENGGUNA="/lokasi/direktori/pengguna"
# Name of that policy module (produces <name>.te, .mod and .pp).
POLICY_PACKAGE="nginx-php-fpm"

# php.ini values: expose_php (Off hides the PHP version from responses),
# memory_limit per request and date.timezone.
EKSPOSUR_PHP="Off"
BATAS_MEMORI="128M"
ZONA_WAKTU="Asia/Jakarta"

# User and group the PHP-FPM pool workers run as (RHEL layout).
PENGGUNA_GRUP="nginx"

# PHP-FPM dynamic pool sizing.
# Total memory > pm.max_children * memory_limit
PM_MAX_CHILDREN="6"
# Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
PM_START_SERVERS="3"
PM_MIN_SPARE_SERVERS="2"
PM_MAX_SPARE_SERVERS="4"
# A worker is recycled after serving this many requests.
PM_MAX_REQUESTS="200"

Menambahkan repositori terbaru

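# RHEL 8 / CentOS 8 family: EPEL, Remi (PHP) and the upstream nginx stable repo.
# Guarded so the snippet can be run as one script on either distro family.
if command -v dnf >/dev/null 2>&1; then
  dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
  dnf install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm
  yum install -y yum-utils
  # Quoted delimiter: $releasever / $basearch must reach the file literally so
  # dnf expands them. baseurl over https and gpgcheck=1 keep both the transport
  # and the package signatures verified; module_hotfixes lets this repo take
  # precedence over the AppStream nginx module.
  tee /etc/yum.repos.d/nginx.repo <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
fi

# Ubuntu: the ondrej PPAs carry current PHP and nginx builds.
if command -v add-apt-repository >/dev/null 2>&1; then
  add-apt-repository -y ppa:ondrej/php
  add-apt-repository -y ppa:ondrej/nginx
fi

# Alternative for Debian/Ubuntu: the upstream nginx mainline repo. apt-key is
# deprecated; store the key under /etc/apt/keyrings and point the sources
# entry at it with [signed-by=...] instead of apt-key add.
#wget https://nginx.org/keys/nginx_signing.key
#apt-key add nginx_signing.key
#DEB_DISTRO="ubuntu"
#DEB_CNAME=$(lsb_release -sc)
#echo "deb https://nginx.org/packages/mainline/${DEB_DISTRO}/ ${DEB_CNAME} nginx" > /etc/apt/sources.list.d/nginx.list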

Instalasi - Nginx & PHP

Instalasi

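# Single source of truth for the PHP release: PHP_VER from the variables
# section, with 7.4 as the fallback when this snippet is run on its own.
PHPVER="${PHP_VER:-7.4}"

# RHEL 8 family: switch the php module to the Remi stream, then the extensions.
if command -v dnf >/dev/null 2>&1; then
  dnf module reset -y php
  dnf module install -y "php:remi-${PHPVER}"
  dnf install -y nginx php-{curl,zip,pecl-json,bcmath,gd,mysqlnd,opcache}
fi

# Debian/Ubuntu: purge any distro nginx first, then install from the PPAs.
# -y keeps the run non-interactive, matching the dnf calls above.
if command -v apt-get >/dev/null 2>&1; then
  apt-get remove --purge -y nginx
  apt-get update && apt-get install -y nginx "php${PHPVER}"-{fpm,bcmath,curl,gd,mbstring,opcache,xml,zip}
fi

# Smoke test: version, config syntax, and a bare HTTP HEAD against localhost.
nginx -v && nginx -t
curl -I 127.0.0.1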

Meningkatkan kapasitas konsumsi memori PHP

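#######################################
# Back up a php.ini and set expose_php, memory_limit and date.timezone.
# Globals:   EKSPOSUR_PHP, BATAS_MEMORI, ZONA_WAKTU (read)
# Arguments: $1 - path to the php.ini to edit
# Outputs:   cp -v progress on stdout; a warning on stderr for every
#            directive that is not present afterwards
# Returns:   0 on success (warnings do not change the status),
#            1 if the file is missing or the backup could not be written
#######################################
tune_php_ini() {
  local ini=$1
  local stamp
  [[ -f "$ini" ]] || { printf 'tune_php_ini: %s not found\n' "$ini" >&2; return 1; }
  stamp=$(date +%Y%m%d%H%M)
  cp -v -- "$ini" "${ini}.${stamp}" || return 1
  # '#' is the sed delimiter so values may contain '/' (e.g. Asia/Jakarta);
  # the values therefore must not themselves contain '#' or '&'.
  sed -i -r "s#^expose_php =.*#expose_php = $EKSPOSUR_PHP#g" "$ini"
  sed -i -r "s#^memory_limit =.*#memory_limit = $BATAS_MEMORI#g" "$ini"
  sed -i -r "s#^;date.timezone =.*#date.timezone = $ZONA_WAKTU#g" "$ini"
  # sed stays silent when an anchor does not match (directive already
  # uncommented, or spaced differently); make that visible to the operator.
  local directive
  for directive in "expose_php = $EKSPOSUR_PHP" "memory_limit = $BATAS_MEMORI" "date.timezone = $ZONA_WAKTU"; do
    grep -qF -- "$directive" "$ini" \
      || printf 'tune_php_ini: "%s" not applied in %s\n' "$directive" "$ini" >&2
  done
}

# RHEL (remi) layout: one php.ini shared by every SAPI.
tune_php_ini /etc/php.ini
# Debian/Ubuntu layout: one php.ini per SAPI; only the fpm one matters here.
INIPATH="/etc/php/$PHPVER/fpm/php.ini"
tune_php_ini "$INIPATH"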

Konfigurasi Zend OPcache

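#######################################
# Back up an OPcache ini file and append the tuning block to it once.
# Arguments: $1 - path to the opcache ini (remi: /etc/php.d/10-opcache.ini,
#                 Debian: mods-available/opcache.ini)
# Outputs:   cp -v progress on stdout; skip/missing notices on stderr
# Returns:   0 on success or when the block is already present,
#            1 if the file is missing or the backup failed
#######################################
append_opcache_tuning() {
  local ini=$1
  local marker='; --- opcache tuning (nginx-php install notes) ---'
  [[ -f "$ini" ]] || { printf 'append_opcache_tuning: %s not found\n' "$ini" >&2; return 1; }
  # Appending on every run stacks duplicate directives (the last one wins, but
  # the file becomes misleading); the marker line makes this idempotent.
  if grep -qF -- "$marker" "$ini"; then
    printf 'append_opcache_tuning: %s already tuned, skipping\n' "$ini" >&2
    return 0
  fi
  cp -v -- "$ini" "${ini}.$(date +%Y%m%d%H%M)" || return 1
  # validate_timestamps=1 + revalidate_freq=60: changed scripts are picked up
  # within a minute without restarting php-fpm.
  cat <<EOF >> "$ini"

$marker
opcache.validate_timestamps=1
opcache.revalidate_freq=60
opcache.max_accelerated_files=10000
opcache.memory_consumption=64
opcache.interned_strings_buffer=8
; opcache.fast_shutdown was removed in PHP 7.2; harmless no-op on newer releases
opcache.fast_shutdown=1
EOF
}

# RHEL (remi): php-opcache ships /etc/php.d/10-opcache.ini.
if append_opcache_tuning /etc/php.d/10-opcache.ini; then
  systemctl restart php-fpm
fi
# Debian/Ubuntu: the module ini lives in mods-available and is linked per SAPI.
OPCACHEPATH="/etc/php/$PHPVER/mods-available/opcache.ini"
if append_opcache_tuning "$OPCACHEPATH"; then
  systemctl restart "php${PHPVER}-fpm"
fi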

Optimasi PHP-FPM - Dynamic Process

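#######################################
# Write the PHP-FPM "www" pool with dynamic process management.
# The pool file is overwritten; an existing one is backed up first.
# Globals:   PM_MAX_CHILDREN, PM_START_SERVERS, PM_MIN_SPARE_SERVERS,
#            PM_MAX_SPARE_SERVERS, PM_MAX_REQUESTS (read)
# Arguments: $1 - pool file path (e.g. /etc/php-fpm.d/www.conf)
#            $2 - user and group the pool workers run as
#            $3 - unix socket path for "listen"
#            $4 - listen.acl_users value (accounts allowed to use the socket)
# Outputs:   cp -v progress on stdout; an error on stderr if the directory
#            is missing
# Returns:   0 on success, 1 if the pool directory does not exist
#######################################
write_fpm_pool() {
  local pool=$1 run_as=$2 sock=$3 acl=$4
  [[ -d "${pool%/*}" ]] || { printf 'write_fpm_pool: %s: no such directory\n' "${pool%/*}" >&2; return 1; }
  # A fresh install may not have the file yet; only back up what exists.
  [[ -f "$pool" ]] && cp -v -- "$pool" "${pool}.$(date +%Y%m%d%H%M)"
  cat <<EOF > "$pool"
[www]
user = $run_as
group = $run_as
listen = $sock
;listen.owner = $run_as
;listen.group = $run_as
; listen.acl_users grants socket access through filesystem ACLs;
; listen.allowed_clients only applies to TCP listeners and is ignored for a unix socket.
listen.acl_users = $acl
listen.allowed_clients = 127.0.0.1
pm = dynamic
; Total memory > pm.max_children * memory_limit
pm.max_children = $PM_MAX_CHILDREN
; Default Value: min_spare_servers + (max_spare_servers – min_spare_servers) / 2
pm.start_servers = $PM_START_SERVERS
pm.min_spare_servers = $PM_MIN_SPARE_SERVERS
pm.max_spare_servers = $PM_MAX_SPARE_SERVERS
pm.max_requests = $PM_MAX_REQUESTS
slowlog = /var/log/php-fpm/www-slow.log
; The commented line is the fuller set; exec is intentionally left enabled here.
; php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_value[disable_functions] = passthru,shell_exec,system
; error_log is written by the pool workers, so the file must be writable by "$run_as".
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[allow_url_fopen] = off
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache
; file_cache directory must exist and be writable by "$run_as" (verify on the host)
php_value[opcache.file_cache] = /var/lib/php/opcache
EOF
}

# Log files referenced by the pool. The original only did this in the Debian
# steps; mkdir -p / touch are harmless where the package already created them.
mkdir -p /var/log/php-fpm
touch /var/log/php-fpm/www-{slow,error}.log

# RHEL (remi): nginx connects as "nginx"; apache is kept in the ACL as in the original.
if write_fpm_pool /etc/php-fpm.d/www.conf "$PENGGUNA_GRUP" /run/php-fpm/www.sock "apache,nginx"; then
  systemctl restart php-fpm
fi
# Debian/Ubuntu: nginx and php-fpm both run as www-data.
WWWCONFPATH="/etc/php/$PHPVER/fpm/pool.d/www.conf"
if write_fpm_pool "$WWWCONFPATH" www-data "/run/php/php${PHPVER}-fpm.sock" www-data; then
  systemctl restart "php${PHPVER}-fpm"
fi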

Optimasi PHP-FPM - Threshold control

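#######################################
# Write the PHP-FPM master config with emergency-restart thresholds.
# The file is overwritten; an existing one is backed up first.
# Arguments: $1 - php-fpm.conf path
#            $2 - pid file path
#            $3 - include glob for the pool definitions
# Outputs:   cp -v progress on stdout; an error on stderr if the directory
#            is missing
# Returns:   0 on success, 1 if the config directory does not exist
#######################################
write_fpm_global() {
  local conf=$1 pidfile=$2 pools=$3
  [[ -d "${conf%/*}" ]] || { printf 'write_fpm_global: %s: no such directory\n' "${conf%/*}" >&2; return 1; }
  [[ -f "$conf" ]] && cp -v -- "$conf" "${conf}.$(date +%Y%m%d%H%M)"
  cat <<EOF > "$conf"
include=$pools

[global]
pid = $pidfile
error_log = /var/log/php-fpm/error.log
; restart the master if 10 children crash (SIGSEGV/SIGBUS) within one minute
emergency_restart_threshold = 10
emergency_restart_interval = 1m
process_control_timeout = 10s
; the distro systemd units start php-fpm with --nodaemonize, which takes precedence
daemonize = yes
EOF
}

# RHEL (remi) layout.
if write_fpm_global /etc/php-fpm.conf /run/php-fpm/php-fpm.pid '/etc/php-fpm.d/*.conf'; then
  systemctl restart php-fpm
fi
# Debian/Ubuntu layout. The pool this guide writes lives in pool.d
# (WWWCONFPATH), so the include must point there; the original included
# /etc/php-fpm.d/*.conf, which would not load that pool.
FPMCONFPATH="/etc/php/$PHPVER/fpm/php-fpm.conf"
if write_fpm_global "$FPMCONFPATH" "/run/php/php${PHPVER}-fpm.pid" "/etc/php/$PHPVER/fpm/pool.d/*.conf"; then
  systemctl restart "php${PHPVER}-fpm"
fi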

SELinux - setsebool

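# SELinux booleans. Each one widens what httpd_t (nginx and php-fpm) may do;
# keep only the ones the site actually needs.
# httpd_unified collapses the content / rw-content / script-exec distinction:
# with it on, the web server may write to and execute anything labelled as
# web content. Prefer labelling only the writable directories as
# httpd_sys_rw_content_t if the application allows it.
setsebool -P httpd_unified 1
# Sites served from ~user directories.
setsebool -P httpd_enable_homedirs 1
# worker_rlimit_nofile and SELinux
setsebool -P httpd_setrlimit 1
setsebool -P httpd_read_user_content 1
# httpd_can_network_connect permits outbound TCP to any port; when the only
# outbound need is the database, httpd_can_network_connect_db alone suffices.
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
# Session files are written by the php-fpm workers: cover the directory and
# everything below it, then relabel recursively. (-a fails if the rule
# already exists; use -m on a re-run.)
semanage fcontext -a -t httpd_sys_rw_content_t "/var/lib/php/session(/.*)?"
# NGINX listen sockets
semanage fcontext -a -t httpd_var_run_t "/var/run/nginx(/.*)?"
# The pattern above covers /var/run/nginx and its contents, not nginx.pid;
# this relabels the pid file from whatever the loaded policy defines for it.
restorecon -v /var/run/nginx.pid
restorecon -Rv /var/lib/php/session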

Optimasi Nginx - Soft & Hard limit

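# Raise the open-file limit for the nginx user. pam_limits only applies to
# PAM sessions: a systemd-managed nginx takes its limit from the unit
# (LimitNOFILE= in a drop-in created with `systemctl edit nginx`) or from
# worker_rlimit_nofile in nginx.conf, not from this file. The grep keeps a
# re-run from appending the two lines again.
if ! grep -qE '^nginx[[:space:]]+soft[[:space:]]+nofile' /etc/security/limits.conf; then
  cat <<'EOF' >> /etc/security/limits.conf
nginx soft nofile 65535
nginx hard nofile 65535
EOF
fi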

Penyelesaian

SELinux - Debug
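# Live view of SELinux denials while exercising the site (blocks until Ctrl-C).
tail -F /var/log/messages | grep -E 'setroubleshoot|preventing|denied'
# One-shot view of what has been logged so far, and the current httpd labels.
grep -E 'setroubleshoot|preventing' /var/log/messages
semanage fcontext -l | grep -E 'httpd_|nginx|wordpress|php-fpm'
systemctl enable --now nginx php-fpm
# audit2allow turns every logged denial into an allow rule, including ones
# that should be fixed by relabelling or a boolean instead. -M writes
# <name>.te next to <name>.pp: read the .te before loading the module.
ausearch -c 'nginx' --raw | audit2allow -M nginx && cat nginx.te
# after reviewing nginx.te:
semodule -i nginx.pp
ausearch -c 'php-fpm' --raw | audit2allow -M php-fpm && cat php-fpm.te
# after reviewing php-fpm.te:
semodule -i php-fpm.pp
systemctl restart nginx php-fpm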

SELinux - policy package

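# Build the custom policy module in the working directory. Stop if it is
# missing; otherwise the .te/.mod/.pp files land in whatever the cwd is.
cd "$DIREKTORI_PENGGUNA" || exit 1
# Unquoted delimiter on purpose: $POLICY_PACKAGE is expanded and the policy
# text contains no other '$'. Lines starting with '#' are .te comments.
cat << EOF > "$POLICY_PACKAGE.te"
module $POLICY_PACKAGE 1.6;

require {
    type httpd_t;
    type httpd_config_t;
    type httpd_log_t;
    type httpd_sys_rw_content_t;
    type httpd_sys_script_exec_t;
    type httpd_sys_script_t;
    type httpd_user_content_t;
    type httpd_user_htaccess_t;
    type mysqld_port_t;
    type user_tmp_t;
    type user_home_t;
    type var_run_t;
    class dir { create add_name remove_name write setattr };
    class file { open create read write rename unlink execute getattr setattr };
    class tcp_socket name_connect;
}

# Lets scripts execute files in *writable* web content. Combined with an
# upload directory this removes the write-or-execute split SELinux provides
# by default; keep only if the application genuinely needs it.
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;
allow httpd_t var_run_t:file { open read write unlink };
# The web server may create and modify its own configuration files.
allow httpd_t httpd_config_t:dir add_name;
allow httpd_t httpd_config_t:file { create write setattr};
# Log rotation/cleanup from within httpd_t (unlink on log files).
allow httpd_t httpd_log_t:dir remove_name;
allow httpd_t httpd_log_t:file { unlink write };
# The web server may create and replace executable scripts, i.e. deploy code
# to itself. Prefer a dedicated httpd_sys_rw_content_t directory for data
# the application must write, and leave script-exec directories read-only.
allow httpd_t httpd_sys_script_exec_t:dir { create setattr write add_name remove_name };
allow httpd_t httpd_sys_script_exec_t:file { create setattr write unlink };
# Sites served from home directories (see httpd_enable_homedirs).
allow httpd_t httpd_user_content_t:file { getattr read };
allow httpd_t httpd_user_htaccess_t:file { setattr write };
allow httpd_t user_home_t:dir setattr;
allow httpd_t user_home_t:file { setattr write };
allow httpd_t user_tmp_t:file { create rename unlink };
# Outbound connections to the MySQL/MariaDB port only.
allow httpd_t mysqld_port_t:tcp_socket name_connect;
EOF
# Remove any previously loaded version first; this fails harmlessly on the
# very first run, when the module is not loaded yet.
semodule -r "$POLICY_PACKAGE" || true
rm -f -- "$POLICY_PACKAGE.mod" "$POLICY_PACKAGE.pp"
checkmodule -M -m -o "$POLICY_PACKAGE.mod" "$POLICY_PACKAGE.te"
semodule_package -o "$POLICY_PACKAGE.pp" -m "$POLICY_PACKAGE.mod"
semodule -i "$POLICY_PACKAGE.pp"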

Nginx & PHP-FPM - mengaktifkan ulang layanan

# Final restart so nginx and php-fpm pick up everything configured above.
systemctl restart nginx php-fpm
# nginx -t validates the active configuration; the version is printed only
# when that check passes.
if nginx -t; then
  nginx -v
fi
# Confirm which PHP release the CLI resolves to.
php -v