From d8e1e6edf4d1fff4cbb51770a87b34fae4809a86 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Fri, 17 May 2024 22:32:51 +0200
Subject: [PATCH] web: split php pools into www and spaceapi

prevent deadloks from crawlers that open lots of wiki pages which in turn query the spaceapi discovery and fix by voidptr
---
 group_vars/all/vars.yml | 3 +
 group_vars/all/vault.yml | 213 ++++----
 .../files/php/8.2/fpm/pool.d/spaceapi.conf | 491 ++++++++++++++++++
 roles/web/files/php/8.2/fpm/pool.d/www.conf | 491 ++++++++++++++++++
 roles/web/files/vhost | 37 +-
 roles/web/handlers/main.yml | 3 +
 roles/web/tasks/main.yml | 15 +
 7 files changed, 1147 insertions(+), 106 deletions(-)
 create mode 100644 roles/web/files/php/8.2/fpm/pool.d/spaceapi.conf
 create mode 100644 roles/web/files/php/8.2/fpm/pool.d/www.conf

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index a644ee1..fa8256d 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -25,6 +25,9 @@ dhcp_omapi_key: "{{ vault_dhcp_omapi_key }}"
 dss_domain: dss.binary-kitchen.de
 dss_secret: "{{ vault_dss_secret }}"
+fpm_status_user: admin
+fpm_status_pass: "{{ vault_fpm_status_pass }}"
+
 
 gitea_domain: git.binary-kitchen.de
 gitea_dbname: gogs
 gitea_dbuser: gogs
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 2672cc9..57841a1 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
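Review bot: `fpm_status_user`/`fpm_status_pass` put only Basic Auth in front of a status endpoint whose `?full` view, per the pm.status_path commentary in the new pool file, lists each worker's current request URI including the query string, the script path and PHP_AUTH_USER, so a guessed or leaked password exposes in-flight wiki and spaceapi requests. The vhost change that actually publishes `/fpmstatus-spaceapi` (and presumably its www counterpart) is not in this excerpt, so I cannot confirm whether the path is also source-IP restricted or HTTPS-only; I would make both explicit there and record the constraint next to these variables: `# Basic Auth for the php-fpm status pages (/fpmstatus-*); ?full leaks in-flight request URIs, keep IP-restricted and HTTPS-only`. A fixed username `admin` is acceptable while the password is the only secret, but consider moving the user into the vault as well if the endpoint stays reachable from the internet.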
@@ -1,106 +1,109 @@ $ANSIBLE_VAULT;1.1;AES256 -61333062333563653966393334326633643564313063346266663461633538366662623937373738 -3732396164303638643362316564393236353737346235380a666361396631656563303733343032 -66396531313139343062363639636334373836306237363733393635346261313832366330303436 -6362383638363931380a323066343834363138356662656439343131353330366532626538653434 -64663834333563333263356532326262333938613432356233656238313365663661636334333066 -63653561316239356638653834646261643564316535306133633832666365383238303364346466 -63393164646330623061633039316638656566346663616661633464303237386261316262623533 -63306266333063373333323030666264323564663032333637343134306231373964666630333538 -63626363383836363639663830643530376361613466613666303933363563663763636635363132 -36666432646233313663613563663565313537316164313964656461666336326331303035343062 -35323363373130333935373035663635626666613236376261623934366235633738323430666330 -33323130363839386331613334636531396665316336376265333231343763656637396437653733 -64366565336132333131346463356236343934663332633830373939616434613561613564313837 -34333039363962643333343961636165323766343531336465306438306365636137636662303165 -35346530313134346432303862643735376331376432616136306537653266333434336663373931 -35373235333937646165663238636232656336393330386161636435666637356632333832646137 -30333233636266623165663538303639663466363337323330383962383139643532623462663564 -63313262366236623232303732373136393139323562313733623763363864646432653037316465 -34306261303035306436396262333131366562643166333130393438393636623034656163653131 -65363530613064633462633238343834336538353766353766336132303333383164326363316365 -31303532363838306338626662313234343134306531353765333237303962303339366233366632 -35643565353766353962386135323765356130393731363633373238626332356637363339356437 -30386361363837373434363939373361343862393364316537633463653862666164613730306565 
-36343762326337333235643862626566346235333934656631306461633934306230333365343731 -64643835323061613230336234343438383938653761393133656137626434653532636466313439 -31363362306539643635386237353466343733616334303762343964636533636662333661653839 -34663264613033373965336635663131396334616432653462346634626535393761666237623936 -31666439356261303134343938333433323538653337653937333830656163633965353235653539 -65353937333463343236636237313736313565613833653530333135623233363564393266353363 -33323236643634616263303133663631386638356561373730653930646265616634356364366361 -37666362363230313664343633343464383334386539616132636562626465326364353436356338 -61383736663733643132656266633837646366343637303264363465633536633962353235303336 -38376430343733386631623334386564616264386234613664366631313334626436313865356565 -33663433663963653835376666303664656438623337663536376234356465396534306362346162 -62323262323933336232376636353831633834656536633666643961396365306464303730626463 -36363631336236353730393035613333666465653861373766393731373863353330656366306263 -62316636333230366563623836316232323831393233366539363662646564373436623230343761 -61626235656438373566646365353761376139383962353635393439666365333332313035653433 -64316638363061613561306534616465646661326637633332333734626562353664666432616137 -32643636356261613430376535633837646437626132373735323366313738633134303962306163 -30366230333533663433616664343862346232363733623239353035656134366437313662353933 -32663261663937663437643233383562656537333364643435356639616136623036306231633839 -38386631643264636535323766643661626566323661313831326530636532383330633066336130 -39306631636433376361636637633135316662306636306137366531333662303238613434333534 -35633162316363333934623663303839343366376263343536333563663833323734356566623663 -64646437343935306230333034636431396439366237643839363035313164393666616235393034 -33323333626537633730303961613263363835343030363331633165663035336633613831326632 
-35363738336534663934616338363764353562306139613464663533323863326331646464333533 -36363962653830613864393565623561646233313135386163623932363865343861313534663234 -32313466656532616638376238363937613264346265316135336137363961386161376364343063 -33316662343066336438336137353262646264656434333364343334373762303062386165663530 -63313666356633633936366162366332333163656164306533356530666166353635616364643830 -66336339663737616664616430373162386238636134303137386331393837353462623336663335 -34303038323037363165613935376262376464383265323462373638313530396537633031653530 -63613135373639623138333635343035303734383932336333303063666662333164643430393637 -64393262363235616666303366346137633132313066613731333064346139646361363832343730 -39666338303339663665363033653735346130313431306131306261636430396465323937623062 -32343433376438623965363338633639383738326561376665623461653539383666636535656663 -37353665363663356464366331313236653430313034613733363665633239656361623931646432 -30653632643062366333663830326663623766646535666534613933663333366466333033383165 -33373039303564656562636432303934383132666665656161323535333930346265623639316366 -38393764346265653734373136636538346361363966393732323362323733386631623762313366 -63313733653730336536393335623138383365303934303730343136613734663062326166316461 -35313363656335643531343561336662663434353031623733353035633063396366376664303364 -36643262633832363362306263376135346632386631346432333137623631343234333337643536 -35353135303330626663663963366139363265666434363364303266613564373337616564366566 -30646635633834616536333361303361313934316434393330333231613038346466306531646537 -39303131396562656334303536613964363936643435613035623065323963633764623432373235 -37393564626239333761626131643366306131346339356364373061353865653966326362613164 -62366562326234303865323934353734613364653161316131363964666439636561663361396239 -30353266303764396265656635616462653563613630616537353530613835656333353364333632 
-39663939376633613133623839353133613066633333633135316132636435363330393966396431 -30656638653662356164393038323538643661333734623937653430643931623061666330633631 -63323834313733353635363535613666643361356363386465383961626331303435333363396230 -37313835633136323134623261626432653965366230656266356333653437386463396563613563 -62656562626131336230383965303962383464643832333361343838393338353365663766373031 -31633265653262356139323564663834616164313439346133386135333563323264313261336336 -39393166613865353164376130303536373931643436633133313361356166393432363631666361 -36366537363630333830333432333466363266666636643932636565613738346239383736306533 -32333838396638656134643538313033336137316638326232303837386537393737316237356237 -62646561333430303765656537373738316131306664626533646461333261306665626336376537 -35633736303262656236303230653564386130666362303132646166306432393962306366663432 -64353366353839643366376433646661376434313266326665343063653534343531623033316461 -37306439373366303236666338616364343163663165626665613761333838333366336238343633 -38663066623532353464653164616237353464363539313762396162653139393133323438643331 -66306562346136346363396235356264303164636662386166666436316338323462656537386335 -36373763313935666539643834653237336130336530653834643263373264353233643938393965 -30313637366236383433313161386531623936356161333462636566633036383635616638316434 -66313434393365333633336231656536353138303235616439643535376338326262663632313564 -65306534356531303835373231623234356337623234366137386437303864643764613731326137 -65376337386133353739376661353766343931383135363038353839376666306337323835613935 -33303730623132613462363538666638313533333564656164363731323463613230366230373664 -31303331396264353162383138643063313737366635333664343836346338353537366362613937 -35623934646239356339343339653337656330616565616232633232373036383562393362343332 -39316661623563333234656633666365303964366338303862333730656366626533326334613038 
-39663332623862626230373135623235363064636163373737316262613233663031383366363563 -34613730343564373230306237656662636130333736393136366138333864313636343362613631 -64636266626637366530363763323930643336313339613930623835326431643663356365353865 -35653238333131363262346565653066383834633131303466636232653234363366646635656338 -31386163616237316361643134396230386338643339633562376436333238346665363938323462 -32336435663138393230366632633132333834303539303439313764623163383661396536383461 -31636365633765346262616235336666363932336366373438643531663539333431663231326362 -32326230363965356434343833383662393430333535636536323066373439653330373937636565 -61306565663734636630633730383736653736383765326638656433646637393033356665633831 -66353338633833346436666134343465623236626339613363623834333261313531 +63626562396631623335303064393137396262393239366236373634323333343264343335306330 +3861326430303265376564306139323064356339653039330a613335323233356361303066663139 +34386465306537666464643736656230356632633239363865386166373834653030363736613834 +6339303364363166620a626134303835346130386238653232316663346633313631653164336336 +34653639363635663537356639646333616438336438333463656537326134343531393435663266 +64366333346130653730613865346134356161373237343539373965623036656231653939303365 +62326638666431333265343639326461313433656639393839396366633431616435393263336231 +66303634656536636165636462396637656331666336623734333139316533636664306262326566 +36616366663933613561336164386463393635636264613737316464666535366361613065363362 +30316566323663623133346130393032646237353934363531326530396263363130326638393032 +30633832663134613964323733623230363831636664373661633966366264373766326161623862 +39396331313231633237313735636261653531313961616230626565623633636638643936326237 +62333066366439643163336233353361343662326237376332396461393663623761613962333237 +65633039363636323235356632326563376163386161373362383466346339356463636437646262 
+38313164393036393661336633373265303536316165623330643236313936666139376237366164 +31373364663136356139356433386132343630396531373961616131343333663463616262373439 +34393161323334333732383866653463656265393761346533663530613530313062626330356535 +65393037636665303564316536376531386561366466643961666439326462353864643635353934 +66616432303966643731386133613430313737356539386331623832656132663461393538363962 +64313935613063373832343862373734316634663333313835323836386466336663643661656436 +61353663646165623165663035383461376331373439666433386433376234613163396234373632 +61646230363163366338653332373834386534333436373737383463363335356436313463626333 +63393166316663323066323863373830393937353864376366313535663565613031643932383364 +62623633353662323965393563363261623564396632643662663032613032666162616132336130 +39376430663833303264306135643832383231623336613734373964653736376235653334333639 +63376661636561383236633365303031326630356661633062663564396133313633323738333539 +66303235613562313636343766356263383132643962393232396263393665666334633438383632 +38646635643030303464396634356161333836376364333361356461346664303563346463333838 +34356139373233313631653533356633643730663438646630373331313065363136663938306439 +38336563363966653632613436356530316234326365666438326635313537343665663233363731 +36646565393937326336626333383863656565323832303937323536346366303839633236663566 +32373632646463363634363031626635383233656361336532636366653434623562623937656137 +66303663316165633932643365623732323430376334303036303961396264303664616433356361 +64366135376232313265376563633163373933343066653939313433366539396163656163346663 +30626331333034316131343361636364653936373235623562336366336237353966613536316637 +61343530326139636365613434386263383430626663333932386431313164346532666562346537 +32623538353365383030396332386133343464643732653038623337353135663964643566396439 +64633435623763666461356331306539373638383034343735373765373333656562326338613763 
+63633732373765316238633539316665623431616333363364316531306630343735393335616630 +36613362336566393866623566666430336639376662633233656130653837313161653462346335 +63396532663633393363626136373161303235613761373235633831393736343630353031613364 +32353463383934313961313638613533623638383062343936616336646431383935393938623138 +31383032326365333136666165633832333836346231636332353830336264636235383162356630 +38316137623935633863363162376239623932373233663663323830363162313665613830623763 +63656237343662616130326339386231376564613164666163393232653762613932343561343031 +66386431343139373734626430656139353635636233336236653438353066393732663637323435 +63303434376634366262646662616162343664666365373934346530343239653330356234373065 +31373934363731373136346665623334306631626134613334633135666461636462303164653662 +36323132376532613431653063643965636233373165333639323966663333633563303438396466 +64633761376164383835613038633630623439643364323232633437386334346138343361306638 +38626632326137303839306531633536643161656231636662383461373964646333303936343733 +36333863316162393134646563316235663164613062303734346662386466656461346364356564 +35326234336439623961383938316136633037343863363933616663366536613866666165376664 +30306438666365333333636632643832303463356533343033623938653365663732336164303033 +65653936363839323239306463366533653439663437343536393564336163313962313935636534 +34346330393637343834323931353762613839366166353139303535376230356466646261363464 +33386337616230623537376665663835373766316332363433313234326461313935636666363261 +30653433333436306564653461303165656163363331643536323535623062396561643662323334 +35626565616538396566363433363732656538313531636632643163633637303339656431346466 +61353030666638393361613833353532656130643866636135643434366562386363656434323366 +36343764316136316630353338363735646533346362386266643136626366356331656363393133 +35636633353662393435346365663432656166646136346331363563363539326162633166393164 
+34303164353632373437613564336266373934396236383962376530613631633932626431333864 +64623439336638613337383763353531376133343436346330373362313034616166616537636366 +30306132613333633261326630323038323431643163373365376662623339396136313531366332 +66663037643036303836376632646132383563316262393438636432666661333836376663666130 +31316135366562633134306633333834636132623739373131626161633636313737646334376434 +33376337393630663338643366316465353266346365333830613533393139333235366237323339 +66346465313462373334316535383633343165373733313230373461366336353664306537306538 +32653538366565663764353031303763613835366461666163336665656436333563613835653438 +65376265303131376239616536353933346633393438643466343439643039313236373033323034 +64316364663139353664653564393262323565646235356431326331343433373639316234363938 +65633034666532306137353431613732663166323936356433323733376261386161383265663264 +35643038663565646135343233623530396165336263303931653037393934343833623337343834 +31343631343563626561393763356463393930616338623861363835343635376238653337653133 +31393834343536396536363533363739306639646333313836393331306566393534383265613234 +31623238306531383936343836336466343336396530633033323063346261366633343936316637 +30343165333861346635623934363537383531323637313461663964353338653639366562306236 +30363265393038633564626463393166333665396538663639346665353736336134643862663630 +62393037363963613263313939613865393066323830656362656464643730636535623639636131 +63343263333134336364323236656639613635323165383164636465353438653134646334643962 +35306463626336626664383638323865633631346437613139623239663538666363313237323663 +39323734353363643334343538303635366637373530383832393861346164666666306631643563 +63306565306337383539636330623933666266353635396238656435373563383830666636616335 +39386134383938626439366437383138303062333236306436336163393832613532303332303833 +39323539396235383765613234303765303136653064336361333035643365386232613766356362 
+30656437376537623165626530623365393463626337383139663734396331396363396162383330 +31663636383037613563346330323063393637616334356439666263623662383666376265313732 +63343837306336313264313934653836363665616264396662633761363237366437653962626664 +38383462313435383133613465656435363563373765313361623565636564616236313666633264 +37393165386163393666376636343963333932346463303661373339303765303938636135323363 +35663731656431656330336366383330616163353934333564356633613165396463393066396533 +32396264653265333865643365346233633863333335383735396134663062343166656233613931 +35633133336337343531313266323663363830353236323035313031646434303761343737633139 +30343439323330353531633337353365363031666635653364326235316435383835663139376136 +39343361636662346166363432366162666631366431623563363936336164323836376232326162 +39316337343436386363643064653337613131346266353636333664373262326563386264303831 +65343534616464633232373532313865363732663235376534396436333531633261393066313263 +38316437643232336234343663666536353134626139623138636234396661613261326437303065 +36383331323061643632323339383530626430343132613039393434333939383065623464646362 +65303135313962613564666261356533313961323464623535393631613337663366626136343364 +61363035333636366439313961326462633463616237343133356437303234323363306337343237 +61376138323336663839623539633866313133346338313165623039336335663666313532636261 +36383332346636373936366632393364323331303866623533643062666361613133383262383538 +64343665333761326134303566656638633362643031306535333661623437636139353565623435 +39323631393132336636653731636264356637373031633037653466383163663865626339323731 +34623137386338343038373464613832363761643362623434373136376638663537623762646266 +63306439363039303461 diff --git a/roles/web/files/php/8.2/fpm/pool.d/spaceapi.conf b/roles/web/files/php/8.2/fpm/pool.d/spaceapi.conf new file mode 100644 index 0000000..1fa2f6c --- /dev/null +++ b/roles/web/files/php/8.2/fpm/pool.d/spaceapi.conf 
@@ -0,0 +1,491 @@ +; Start a new pool named 'www'. +; the variable $pool can be used in any directive and will be replaced by the +; pool name ('www' here) +[spaceapi] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of the child processes. This can be used only if the master +; process running user is root. It is set after the child process is created. +; The user and group can be specified either by their name or by their numeric +; IDs. +; Note: If the user is root, the executable needs to be started with +; --allow-to-run-as-root option to work. +; Default Values: The user is set to master process running user by default. +; If the group is not set, the user's group is used. +user = www-data +group = www-data + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /run/php/php8.2-fpm-spaceapi.sock + +; Set listen(2) backlog. +; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD) +;listen.backlog = 511 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. 
The owner +; and group can be specified either by name or by their numeric IDs. +; Default Values: Owner is set to the master process running user. If the group +; is not set, the owner's group is used. Mode is set to 0660. +listen.owner = www-data +listen.group = www-data +;listen.mode = 0660 + +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. +; When set, listen.owner and listen.group are ignored +;listen.acl_users = +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Set the associated the route table (FIB). FreeBSD only +; Default Value: -1 +;listen.setfib = 1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or +; PROC_TRACE_CTL procctl for FreeBSD) even if the process user +; or group is different than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + +; Choose how the process manager will control the number of child processes. 
+; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; pm.max_spawn_rate - the maximum number of rate to spawn child +; processes at once. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 20 + +; The number of child processes created on startup. 
+; Note: Used only when pm is set to 'dynamic' +; Default Value: (min_spare_servers + max_spare_servers) / 2 +pm.start_servers = 5 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 5 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 15 + +; The number of rate to spawn child processes at once. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +; Default Value: 32 +;pm.max_spawn_rate = 32 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. 
It shows the following information: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. 
+; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. 
+; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /usr/share/php/8.2/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +pm.status_path = /fpmstatus-spaceapi + +; The address on which to accept FastCGI status request. This creates a new +; invisible pool that can handle requests independently. This is useful +; if the main pool is busy with long running requests because it is still possible +; to get the status before finishing the long running requests. +; +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Default Value: value of the listen option +;pm.status_listen = 127.0.0.1:9001 +pm.status_listen = /run/php/php8.2-fpm-spaceapi-status.sock + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). 
+; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. +; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{milliseconds}d +; - %{milli}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some examples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' 
character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%" + +; A list of request_uri values which should be filtered from the access log. +; +; As a security precuation, this setting will be ignored if: +; - the request method is not GET or HEAD; or +; - there is a request body; or +; - there are query parameters; or +; - the response code is outwith the successful range of 200 to 299 +; +; Note: The paths are matched against the output of the access.format tag "%r". +; On common configurations, this may look more like SCRIPT_NAME than the +; expected pre-rewrite URI. +; +; Default Value: not set +;access.suppress_path[] = /ping +;access.suppress_path[] = /health_check.php + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/$pool.log.slow + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. 
+; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; The timeout set by 'request_terminate_timeout' ini option is not engaged after +; application calls 'fastcgi_finish_request' or when application has finished and +; shutdown functions are being called (registered via register_shutdown_function). +; This option will enable timeout limit to be applied unconditionally +; even in such cases. +; Default Value: no +;request_terminate_timeout_track_finished = no + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. 
+; Note: on highloaded environment, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Decorate worker output with prefix and suffix containing information about +; the child that writes to the log and if stdout or stderr is used as well as +; log level and time. This options is used only if catch_workers_output is yes. +; Settings to "no" will output data as written to the stdout or stderr. +; Default value: yes +;decorate_workers_output = no + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. 
+; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or /usr) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +;php_admin_value[error_log] = /var/log/fpm-php.www.log +;php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 32M diff --git a/roles/web/files/php/8.2/fpm/pool.d/www.conf b/roles/web/files/php/8.2/fpm/pool.d/www.conf new file mode 100644 index 0000000..e42388f --- /dev/null +++ b/roles/web/files/php/8.2/fpm/pool.d/www.conf 
@@ -0,0 +1,491 @@ +; Start a new pool named 'www'. +; the variable $pool can be used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of the child processes. This can be used only if the master +; process running user is root. It is set after the child process is created. +; The user and group can be specified either by their name or by their numeric +; IDs. +; Note: If the user is root, the executable needs to be started with +; --allow-to-run-as-root option to work. +; Default Values: The user is set to master process running user by default. +; If the group is not set, the user's group is used. +user = www-data +group = www-data + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /run/php/php8.2-fpm-www.sock + +; Set listen(2) backlog. +; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD) +;listen.backlog = 511 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. The owner +; and group can be specified either by name or by their numeric IDs. 
+; Default Values: Owner is set to the master process running user. If the group +; is not set, the owner's group is used. Mode is set to 0660. +listen.owner = www-data +listen.group = www-data +;listen.mode = 0660 + +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. +; When set, listen.owner and listen.group are ignored +;listen.acl_users = +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Set the associated the route table (FIB). FreeBSD only +; Default Value: -1 +;listen.setfib = 1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or +; PROC_TRACE_CTL procctl for FreeBSD) even if the process user +; or group is different than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. 
With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; pm.max_spawn_rate - the maximum number of rate to spawn child +; processes at once. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 20 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: (min_spare_servers + max_spare_servers) / 2 +pm.start_servers = 5 + +; The desired minimum number of idle server processes. 
+; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 5 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 15 + +; The number of rate to spawn child processes at once. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +; Default Value: 32 +;pm.max_spawn_rate = 32 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. 
It shows the following information: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. 
+; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. 
+; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /usr/share/php/8.2/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +pm.status_path = /fpmstatus-www + +; The address on which to accept FastCGI status request. This creates a new +; invisible pool that can handle requests independently. This is useful +; if the main pool is busy with long running requests because it is still possible +; to get the status before finishing the long running requests. +; +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Default Value: value of the listen option +;pm.status_listen = 127.0.0.1:9001 +pm.status_listen = /run/php/php8.2-fpm-www-status.sock + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). 
+; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. +; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{milliseconds}d +; - %{milli}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some examples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' 
character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%" + +; A list of request_uri values which should be filtered from the access log. +; +; As a security precuation, this setting will be ignored if: +; - the request method is not GET or HEAD; or +; - there is a request body; or +; - there are query parameters; or +; - the response code is outwith the successful range of 200 to 299 +; +; Note: The paths are matched against the output of the access.format tag "%r". +; On common configurations, this may look more like SCRIPT_NAME than the +; expected pre-rewrite URI. +; +; Default Value: not set +;access.suppress_path[] = /ping +;access.suppress_path[] = /health_check.php + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/$pool.log.slow + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. 
+; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; The timeout set by 'request_terminate_timeout' ini option is not engaged after +; application calls 'fastcgi_finish_request' or when application has finished and +; shutdown functions are being called (registered via register_shutdown_function). +; This option will enable timeout limit to be applied unconditionally +; even in such cases. +; Default Value: no +;request_terminate_timeout_track_finished = no + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. 
+; Note: on highloaded environment, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Decorate worker output with prefix and suffix containing information about +; the child that writes to the log and if stdout or stderr is used as well as +; log level and time. This options is used only if catch_workers_output is yes. +; Settings to "no" will output data as written to the stdout or stderr. +; Default value: yes +;decorate_workers_output = no + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. 
+; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or /usr) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +;php_admin_value[error_log] = /var/log/fpm-php.www.log +;php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 32M diff --git a/roles/web/files/vhost b/roles/web/files/vhost index 2a7c021..421140d 100644 --- a/roles/web/files/vhost +++ b/roles/web/files/vhost 
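Review bot: The new www.conf is the full 491-line packaged pool file, and nothing in it records why a second pool exists or which directives diverge from the packaged default, so the next PHP upgrade means diffing it against the package to find the live changes (from this hunk they appear to be only `[www]`, `listen`, `pm.status_path` and `pm.status_listen`). A short header above `[www]` would carry that, e.g. `; General pool (wiki etc.), kept separate from the spaceapi pool so that wiki requests blocked on spaceapi cannot exhaust the workers that serve it; differs from the packaged default only in listen, pm.status_path and pm.status_listen.` The same applies to the spaceapi.conf sibling, whose hunk begins before this chunk. Worth noting in that header too: the status page enabled by `pm.status_path = /fpmstatus-www` lists recent request URIs including their query strings in `?full` mode, which is why its location in the vhost must stay behind authentication. The pm.* sizing (`pm.max_children = 20`, `pm.start_servers = 5`) is unchanged from the default; if the crawler pile-up from the commit message recurs, those are the values to tune alongside the split.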
@@ -75,13 +75,48 @@ server { rewrite ^/wiki/(.*) /wiki/doku.php?id=$1&$args last; } + location ~ ^/fpmstatus-spaceapi { + auth_basic "Admin"; + auth_basic_user_file /etc/nginx/fpm_status.htaccess; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:/var/run/php/php8.2-fpm-spaceapi-status.sock; + fastcgi_intercept_errors on; + fastcgi_read_timeout 10s; + } + + location ~ ^/fpmstatus-www { + auth_basic "Admin"; + auth_basic_user_file /etc/nginx/fpm_status.htaccess; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:/var/run/php/php8.2-fpm-www-status.sock; + fastcgi_intercept_errors on; + fastcgi_read_timeout 10s; + } + + location ~ ^/spaceapi.php { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:/var/run/php/php8.2-fpm-spaceapi.sock; + fastcgi_intercept_errors on; + fastcgi_read_timeout 10s; + } + location ~ \.php(?:$|/) { fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; + fastcgi_pass unix:/var/run/php/php8.2-fpm-www.sock; fastcgi_intercept_errors on; + # fastcgi_read_timeout intentionally not reduced, since Wiki etc. might perform long-running operations (file uploads etc.) } } diff --git a/roles/web/handlers/main.yml b/roles/web/handlers/main.yml index ff936dd..0ca22b0 100644 --- a/roles/web/handlers/main.yml +++ b/roles/web/handlers/main.yml 
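Review bot: `location ~ ^/spaceapi.php` leaves the dot unescaped and the match unterminated, unlike the generic `location ~ \.php(?:$|/)` block below it; `location ~ ^/spaceapi\.php(?:$|/)` matches only the script itself, with optional path info, and keeps the two blocks consistent (FPM's default security.limit_extensions would still refuse a non-.php script name, so this is precision rather than a hole). The four new blocks repeat the same five fastcgi_* lines; moving `fastcgi_split_path_info`, `include fastcgi_params`, the two `fastcgi_param` lines and `fastcgi_intercept_errors on` into one snippet each location includes would leave only the socket, auth and timeout per block and stop the copies drifting apart. The two `/fpmstatus-*` locations expose the pools' recent request URIs, so fronting them with `auth_basic` and the root-owned 0640 htaccess file is the right call; if an admin network exists, an additional `allow`/`deny` on those two locations would make the status pages independent of the password file. The enclosing `server {` block starts before this hunk.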
@@ -3,5 +3,8 @@ - name: Restart nginx service: name=nginx state=restarted +- name: Restart php8.2-fpm + service: name=php8.2-fpm state=restarted + - name: Run acertmgr command: /usr/bin/acertmgr diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml index f2976ad..dfb7255 100644 --- a/roles/web/tasks/main.yml +++ b/roles/web/tasks/main.yml @@ -7,6 +7,7 @@ - php-ldap - php-sqlite3 - php-xml + - python3-passlib - name: Create vhost directories file: path=/var/www/{{ item }} state=directory owner=www-data group=www-data @@ -36,6 +37,20 @@ - name: Place Thunderbird autoconfig file template: src=auto_mail.xml.j2 dest=/var/www/autoconfig/mail/config-v1.1.xml +- name: Configure php-fpm + copy: src={{ item }} dest=/etc/php/8.2/fpm/pool.d/ + notify: Restart php8.2-fpm + with_fileglob: "php/8.2/fpm/pool.d/*.conf" + +- name: Configure htaccess for fpm status + htpasswd: + path: /etc/nginx/fpm_status.htaccess + name: "{{ fpm_status_user}}" + password: "{{ fpm_status_pass }}" + owner: root + group: www-data + mode: 0640 + - name: Configure certificate manager copy: src=certs dest=/etc/acertmgr/www.binary-kitchen.de.conf notify: Run acertmgr
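Review bot: `service: name=php8.2-fpm state=restarted` kills the in-flight requests of both pools every time a pool file changes, which works against the vhost comment about long-running wiki operations that this same commit adds. php-fpm reloads its pool configuration gracefully on SIGUSR2 and the packaged systemd unit (on Debian at least) wires that to reload, so `service: name=php8.2-fpm state=reloaded` would apply new pool files without dropping running uploads. Keep `restarted` only if a change that reload cannot pick up is expected, and say so in a comment on the handler.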
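Review bot: `mode: 0640` in the htpasswd task is a bare YAML integer; YAML 1.1 reads the leading zero as octal so it happens to work here, but Ansible's own guidance is to quote file modes (`mode: '0640'`) because a bare value silently becomes the wrong permissions once the leading zero is lost, e.g. when the value passes through a variable or loop. `{{ fpm_status_user}}` is missing the space before `}}`; Jinja accepts it, but it is inconsistent with the `fpm_status_pass` line right below. The `copy` task pushes every `*.conf` from the role into pool.d, and the new www.conf presumably replaces the packaged pool file of the same name, which is what makes the vhost's switch to the `-www` socket safe; a one-line comment on the task, `# www.conf replaces the packaged default pool; socket paths must match roles/web/files/vhost`, would keep the two files from drifting apart.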