This role installs a PHP-FPM server.
Configuration:
- Bind to a Unix socket.
- Install the required PHP modules.
- Enable OPCache and allow memory limit configuration.
- Hide PHP version.
- Clean up the default site.
- Log in Systemd journal.
Security:
- Harden PHP configuration and runtime.
- Run in a Systemd sandbox with unprivileged workers.
- Work with SELinux enforced.
- Enable Fail2ban jails.
None
Name | Default Value | Description |
---|---|---|
`php_fpm_domain` | | Site domain. |
Name | Default Value | Description |
---|---|---|
`php_disable_classes` | | If set to a list of class names, set the `disable_classes` value in `php.ini`. This disables some classes to improve security. |
`php_disable_functions` | `true` | If set to `true`, set the `disable_functions` value in `php.ini` to the functions in `php_disable_functions_disallow` that are not in `php_disable_functions_allow`. This disables some internal functions to improve security. |
`php_disable_functions_allow` | `[]` | See `php_disable_functions`. List of functions to always allow. |
`php_disable_functions_disallow` | `[chdir, chmod, dbase_open, dbmopen, exec, filepro, filepro_rowcount, filepro_retrieve, fopen_with_path, highlight_file, mkdir, move_uploaded_file, passthru, phpinfo, popen, posix_mkfifo, proc_open, putenv, rename, rmdir, shell_exec, show_source, system]` | See `php_disable_functions`. List of functions disallowed by default. |
`php_doc_root` | | If set to a path, set the `doc_root` value in `php.ini`. PHP's root directory on the server. |
`php_extension_dir` | | If set to a path, set the `extension_dir` value in `php.ini`. Directory where PHP looks for dynamically loadable extensions. Should be restricted to improve security. |
`php_file_uploads` | `false` | If set to `true`, allow file uploads in PHP. |
`php_fpm_group` | `nginx` | Unix group that will have access to PHP-FPM. |
`php_fpm_inaccessible_paths` | | Space separated list of absolute paths to make inaccessible from the PHP-FPM service. |
`php_fpm_bind_paths` | | Space separated list of absolute paths to bind read-write (to use with `php_fpm_temporary_file_system`). |
`php_fpm_bind_read_only_paths` | | Space separated list of absolute paths to bind read-only (to use with `php_fpm_temporary_file_system`). |
`php_fpm_log_level` | `warning` | PHP-FPM log level in the journal. |
`php_fpm_max_requests` | `1000` | The number of requests each child process should execute before respawning. `0` to disable. |
`php_fpm_request_terminate_timeout` | `300` | The timeout for serving a single request after which the worker process will be killed. `0` to disable. |
`php_fpm_user` | `nginx` | Unix user that will have access to PHP-FPM. |
`php_fpm_site` | `site` | Site name. |
`php_hardening` | `true` | If `true`, install the Snuffleupagus package to improve PHP default security. |
`php_include_path` | | If set to a list of paths, set the `include_path` value in `php.ini`. Directories where some PHP functions look for files. Should be restricted to improve security. |
`php_memory_limit` | `128M` | PHP memory limit. |
`php_modules` | `[]` | PHP modules to install (Fedora package names without `php-`, example: `[apcu, pgsql]`). |
`php_opcache_interned_strings_buffer` | `8` | The amount of memory used to store interned strings. Defaults to the PHP default value. |
`php_open_basedir` | | If set to a list of paths, set the `open_basedir` value in `php.ini`. Limits the files that PHP can access to the specified directory trees. Should be restricted to improve security, but disables the realpath cache. |
`php_fpm_read_write_paths` | | Space separated list of absolute paths to mark as read-write. |
`php_remi_repository` | `false` | If `true`, install the Remi repository. This gives access to more PHP modules. |
`php_upload_max_filesize` | `2M` | PHP maximum upload and post size. Should be lower than `php_memory_limit`. |
`php_upload_tmp_dir` | | If set to a path, set the `upload_tmp_dir` value in `php.ini`. Must be inside `php_open_basedir` if that is set. Defaults to the PHP-FPM service's restricted `/tmp`. |
`php_session_cookie_path` | | If set to a path, set the `session.cookie_path` value in `php.ini`. Specifies the path to set in the session cookie. |
`php_session_referer_check` | | If set to a string, set the `session.referer_check` value in `php.ini`. Contains the substring to check each HTTP Referer for. Should be specified to improve security. |
`php_session_sid_bits_per_character` | `6` | Session SID bits per character. Defaults to 6 to improve security. Set to 5 in case of compatibility issues. |
`php_session_sid_length` | `32` | Session SID length. Value can be up to 256. A higher value improves security but may lead to compatibility issues. Defaults to a reasonable and compatible value. |
`php_fpm_temporary_file_system` | | Space separated list of absolute paths to mount as tmpfs; add `:ro` to a path to mount it read-only. Use `php_fpm_bind_read_only_paths` and `php_fpm_bind_paths` to bind directories inside these paths. |
`php_version` | `*` | PHP version specification, with `*` wildcard support. Gets the latest version available on the Remi repository (example: `*` to match the latest version, `8.*` to match the latest PHP 8 version, `8.2` to match exactly PHP 8.2). |
```yaml
---
- hosts: all
  become: true
  collections:
    - jgoutin.home
  roles:
    - php_fpm
```
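A fuller playbook that combines the role's filesystem confinement and `php.ini` hardening variables from the table above, added here as an example and not taken from the collection; the domain, site name, paths and module names are constructed placeholders.

```yaml
---
- hosts: all
  become: true
  collections:
    - jgoutin.home
  roles:
    - php_fpm
  vars:
    php_fpm_domain: example.com        # constructed placeholder
    php_fpm_site: example              # used for the site directory name below
    php_version: "8.*"                 # latest PHP 8; quoted so YAML keeps it a string
    php_modules: [apcu, pgsql]         # Fedora package names without the php- prefix

    # Filesystem confinement of the PHP-FPM service:
    # hide all of /var/www behind a read-only tmpfs, then expose only this
    # site's code read-only and its uploads directory read-write.
    php_fpm_temporary_file_system: "/var/www:ro"
    php_fpm_bind_read_only_paths: "/var/www/example/public"
    php_fpm_bind_paths: "/var/www/example/uploads"
    php_fpm_inaccessible_paths: "/srv/backups"   # never visible to PHP workers

    # open_basedir must also cover upload_tmp_dir, which defaults to the
    # service's private /tmp, otherwise uploads fail once enabled.
    php_open_basedir: [/var/www/example, /tmp]
    php_file_uploads: true
    php_upload_max_filesize: 8M
    php_memory_limit: 256M             # upload size stays below the memory limit

    # Keep the role's default disallow list, but re-allow the two functions
    # this application needs for managing its uploads directory.
    php_disable_functions_allow: [mkdir, rename]

    # Sessions: reject requests whose Referer does not contain the domain.
    php_session_referer_check: example.com
```

Paths listed in `php_fpm_bind_paths` and `php_fpm_bind_read_only_paths` must exist on the host before the service starts, since they are bound over the tmpfs at service start.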