From Apache 2.4 the Apache project strongly recommends PHP-FPM saying "Using mod_php as a DSO (legacy) [...] This method is the oldest and slowest possible configuration. It was suitable for version 2.2 and older, and requires the use of the prefork mpm." (https://cwiki.apache.org/confluence/display/httpd/PHP).
They instead provide documentation on setting up using PHP_FPM plus mod_proxy_fcgi (https://cwiki.apache.org/confluence/display/httpd/PHP-FPM).
The problem is .htaccess files are not accessed by php-fpm and so the restrictions CA assumes are in place, are not (this problem was already present for anyone trying to use Nginx, and is not the same issue as was raised in collectiveaccess/providence#1361 ).
My questions / discussion points are:
- Should CA document a preferred standard (php-fpm vs mod_php)
- If mod_php is considered the future, should example web server configuration be included in the documentation or the providence codebase?
As a reference point, this is part of our nginx configuration which tries to replicate the denys from CA htaccess files.
location ~ /setup.php {
deny all;
}
location ~ /media/ {
allow all;
}
location ~ /(uploads|import|media)/(.*/)?.*\.php {
deny all;
}
location ~ /(tests|uploads|import|support|install|import_logs)/ {
deny all;
}
location ~ /app/(models|log|conf|helpers|controllers|refineries|tmp|service|lib)/ {
deny all;
}
As an aside I previously noted (in a CA chat) that pawtucket and providence have different restrictions imposed by their htaccess files; sometimes overlapping. a PHP-fpm configuration might help clean that up too.
From Apache 2.4 the Apache project strongly recommends PHP-FPM saying "Using mod_php as a DSO (legacy) [...] This method is the oldest and slowest possible configuration. It was suitable for version 2.2 and older, and requires the use of the prefork mpm." (https://cwiki.apache.org/confluence/display/httpd/PHP).
They instead provide documentation on setting up using PHP_FPM plus mod_proxy_fcgi (https://cwiki.apache.org/confluence/display/httpd/PHP-FPM).
The problem is .htaccess files are not accessed by php-fpm and so the restrictions CA assumes are in place, are not (this problem was already present for anyone trying to use Nginx, and is not the same issue as was raised in collectiveaccess/providence#1361 ).
My questions / discussion points are:
As a reference point, this is part of our nginx configuration which tries to replicate the denys from CA htaccess files.
As an aside I previously noted (in a CA chat) that pawtucket and providence have different restrictions imposed by their htaccess files; sometimes overlapping. a PHP-fpm configuration might help clean that up too.