Harden PHP-FPM defaults

This commit is contained in:
cytopia
2018-08-02 20:37:08 +02:00
parent cb31f9ac1f
commit cb176f5eba
77 changed files with 2137 additions and 1720 deletions


@@ -1,7 +1,129 @@
{% if not php_version == 5.2 %}
; ################################################################################
; ####
; #### The following settings can be overwritten by later includes
; ####
; ################################################################################
; ############################################################
; Timeouts
; ############################################################
[www]
; The timeout for serving a single request after which the worker process will be killed.
; This option should be used when the 'max_execution_time' ini option does not stop script
; execution for some reason.
request_terminate_timeout = {{ item.cfg[item.key].request_terminate_timeout | default(item.cfg[item.alt].request_terminate_timeout) }}
; ############################################################
; Logging
; ############################################################
[global]
error_log = {{ item.cfg[item.key].error_log | default(item.cfg[item.alt].error_log) }}
log_level = {{ item.cfg[item.key].log_level | default(item.cfg[item.alt].log_level) }}
[www]
; if we send this to /proc/self/fd/1, it never appears
access.log = {{ item.cfg[item.key].access_log | default(item.cfg[item.alt].access_log) }}
; ############################################################
; Worker configuration
; ############################################################
[www]
; static - the number of child processes is fixed (pm.max_children).
;
; dynamic - the number of child processes is set dynamically based on the following directives:
; pm.max_children, pm.start_servers, pm.min_spare_servers, pm.max_spare_servers.
;
; ondemand - the processes spawn on demand (when requested, as opposed to dynamic, where
; pm.start_servers are started when the service is started.
pm = {{ item.cfg[item.key].pm | default(item.cfg[item.alt].pm) }}
; The maximum number of child processes to be created
pm.max_children = {{ item.cfg[item.key].pm_max_children | default(item.cfg[item.alt].pm_max_children) }}
; The number of child processes created on startup. Used only when pm is set to dynamic.
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2.
pm.start_servers = {{ item.cfg[item.key].pm_start_servers | default(item.cfg[item.alt].pm_start_servers) }}
; The desired minimum number of idle server processes.
pm.min_spare_servers = {{ item.cfg[item.key].pm_min_spare_servers | default(item.cfg[item.alt].pm_min_spare_servers) }}
; The desired maximum number of idle server processes.
pm.max_spare_servers = {{ item.cfg[item.key].pm_max_spare_servers | default(item.cfg[item.alt].pm_max_spare_servers) }}
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries.
; For endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default value: 0.
pm.max_requests = {{ item.cfg[item.key].pm_max_requests | default(item.cfg[item.alt].pm_max_requests) }}
; The number of seconds after which an idle process will be killed. Used only when pm is set to ondemand
pm.process_idle_timeout = {{ item.cfg[item.key].pm_process_idle_timeout | default(item.cfg[item.alt].pm_process_idle_timeout) }}
; ############################################################
; Include
; ############################################################
[global]
include = /usr/local/etc/php-fpm.d/*.conf
; ################################################################################
; ####
; #### The following settings overwrite any includes again
; ####
; ################################################################################
; ############################################################
; Required for Dockerization
; ############################################################
[global]
daemonize = no
include = /usr/local/etc/php-fpm.d/*.conf
[www]
{# This value is available since PHP >=5.4 #}
{% if not php_version == 5.3 %}
; Keep env variables set by docker
clear_env = {{ item.cfg[item.key].clear_env | default(item.cfg[item.alt].clear_env) }}
{% endif %}
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
catch_workers_output = {{ item.cfg[item.key].catch_workers_output | default(item.cfg[item.alt].catch_workers_output) }}
; ############################################################
; User and Group
; ############################################################
[www]
user = {{ item.cfg[item.key].user | default(item.cfg[item.alt].user) }}
group = {{ item.cfg[item.key].group | default(item.cfg[item.alt].group) }}
; ############################################################
; Networking
; ############################################################
[www]
; Ensure to listen here
listen = {{ item.cfg[item.key].listen | default(item.cfg[item.alt].listen)}}
{# Available since PHP >= 5.4 #}
listen.backlog = {{ item.cfg[item.key].listen_backlog | default(item.cfg[item.alt].listen_backlog) }}
{% else %}
{# PHP-FPM 5.2 uses XML format for configuration #}
<?xml version="1.0" ?>
@@ -56,16 +178,6 @@ include = /usr/local/etc/php-fpm.d/*.conf
</value>
Additional php.ini defines, specific to this pool of workers.
<value name="php_defines">
<value name="error_reporting">E_ALL</value>
<value name="xmlrpc_errors">{{ item.cfg[item.key].xmlrpc_errors | default(item.cfg[item.alt].xmlrpc_errors) }}</value>
<value name="report_memleaks">{{ item.cfg[item.key].report_memleaks | default(item.cfg[item.alt].report_memleaks) }}</value>
<value name="display_errors">{{ item.cfg[item.key].display_errors | default(item.cfg[item.alt].display_errors) }}</value>
<value name="display_startup_errors">{{ item.cfg[item.key].display_startup_errors | default(item.cfg[item.alt].display_startup_errors) }}</value>
<value name="track_errors">{{ item.cfg[item.key].track_errors | default(item.cfg[item.alt].track_errors) }}</value>
<value name="log_errors">{{ item.cfg[item.key].log_errors | default(item.cfg[item.alt].log_errors) }}</value>
<value name="html_errors">{{ item.cfg[item.key].html_errors | default(item.cfg[item.alt].html_errors) }}</value>
</value>
Unix user of processes
<value name="user">{{ item.cfg[item.key].user | default(item.cfg[item.alt].user) }}</value>
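Review bot: The new Networking block (`listen = …` / `listen.backlog = …`) renders the FastCGI listener with no `listen.allowed_clients`, and the defaults feed it a bare TCP port (`listen: 9000` in group_vars), which PHP-FPM binds on all interfaces; any host that can reach that port can hand the pool an arbitrary SCRIPT_FILENAME and have it executed as the pool user. For a commit titled "Harden PHP-FPM defaults" I would add an optional variable and emit it only when set, e.g. `{% if item.cfg[item.key].listen_allowed_clients is defined %}` / `listen.allowed_clients = {{ item.cfg[item.key].listen_allowed_clients }}` / `{% endif %}` (it only applies to TCP listeners, so it must stay out for unix-socket setups). The comment above `clear_env` should also state what the setting costs: with `clear_env = no` every variable in the master process environment, including any secrets passed to the container, is readable by PHP code via `getenv()` (and `$_ENV`/`$_SERVER` under the EGPCS `variables_order` this repo sets), so a line such as `; NOTE: clear_env=no exposes the whole container environment (incl. secrets) to PHP scripts` belongs there. Finally, the same `include = /usr/local/etc/php-fpm.d/*.conf` glob appears twice in `[global]`; if re-reading the pool files after the first include is intentional, a comment saying why would save the next reader from "fixing" it.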


@@ -1,94 +0,0 @@
{# PHP-FPM 5.2 uses XML format for configuration and does not allow multiple files #}
{% if not php_version == 5.2 %}
[www]
; ############################################################
; Required for Dockerization
; ############################################################
{# This value is available since PHP >=5.4 #}
{% if not php_version == 5.3 %}
; Keep env variables set by docker
clear_env = {{ item.cfg[item.key].clear_env | default(item.cfg[item.alt].clear_env) }}
{% endif %}
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
catch_workers_output = {{ item.cfg[item.key].catch_workers_output | default(item.cfg[item.alt].catch_workers_output) }}
; ############################################################
; Networking
; ############################################################
[www]
; Ensure to listen here
listen = {{ item.cfg[item.key].listen | default(item.cfg[item.alt].listen)}}
{# Available since PHP >= 5.4 #}
listen.backlog = {{ item.cfg[item.key].listen_backlog | default(item.cfg[item.alt].listen_backlog) }}
; ############################################################
; Timeouts
; ############################################################
[www]
; The timeout for serving a single request after which the worker process will be killed.
; This option should be used when the 'max_execution_time' ini option does not stop script
; execution for some reason.
request_terminate_timeout = {{ item.cfg[item.key].request_terminate_timeout | default(item.cfg[item.alt].request_terminate_timeout) }}
; ############################################################
; Logging
; ############################################################
[global]
error_log = {{ item.cfg[item.key].error_log | default(item.cfg[item.alt].error_log) }}
log_level = {{ item.cfg[item.key].log_level | default(item.cfg[item.alt].log_level) }}
[www]
; if we send this to /proc/self/fd/1, it never appears
access.log = {{ item.cfg[item.key].access_log | default(item.cfg[item.alt].access_log) }}
; ############################################################
; Worker configuration
; ############################################################
[www]
; The number of child processes is set dynamically based on the following directives:
; pm.max_children, pm.start_servers, pm.min_spare_servers, pm.max_spare_servers.
pm = {{ item.cfg[item.key].pm | default(item.cfg[item.alt].pm) }}
; The maximum number of child processes to be created
pm.max_children = {{ item.cfg[item.key].pm_max_children | default(item.cfg[item.alt].pm_max_children) }}
; The number of child processes created on startup. Used only when pm is set to dynamic.
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2.
pm.start_servers = {{ item.cfg[item.key].pm_start_servers | default(item.cfg[item.alt].pm_start_servers) }}
; The desired minimum number of idle server processes.
pm.min_spare_servers = {{ item.cfg[item.key].pm_min_spare_servers | default(item.cfg[item.alt].pm_min_spare_servers) }}
; The desired maximum number of idle server processes.
pm.max_spare_servers = {{ item.cfg[item.key].pm_max_spare_servers | default(item.cfg[item.alt].pm_max_spare_servers) }}
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries.
; For endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default value: 0.
pm.max_requests = {{ item.cfg[item.key].pm_max_requests | default(item.cfg[item.alt].pm_max_requests) }}
; ############################################################
; User and Group
; ############################################################
[www]
user = {{ item.cfg[item.key].user | default(item.cfg[item.alt].user) }}
group = {{ item.cfg[item.key].group | default(item.cfg[item.alt].group) }}
{% endif %}


@@ -67,7 +67,6 @@ RUN set -x \
###
COPY ./data/php-ini.d/php-{{ php_version }}.ini /usr/local/etc/php/conf.d/yyy-devilbox.ini
COPY ./data/php-fpm.conf/php-fpm-{{ php_version }}.conf /usr/local/etc/php-fpm.conf
COPY ./data/php-fpm.d/php-fpm.d-{{ php_version }}.conf /usr/local/etc/php-fpm.d/php-fpm.d.conf
COPY ./data/docker-entrypoint.sh /docker-entrypoint.sh
COPY ./data/docker-entrypoint.d /docker-entrypoint.d


@@ -193,7 +193,6 @@ RUN set -x \
###
COPY ./data/php-ini.d/php-{{ php_version }}.ini /usr/local/etc/php/conf.d/yyy-devilbox.ini
COPY ./data/php-fpm.conf/php-fpm-{{ php_version }}.conf /usr/local/etc/php-fpm.conf
COPY ./data/php-fpm.d/php-fpm.d-{{ php_version }}.conf /usr/local/etc/php-fpm.d/php-fpm.d.conf
COPY ./data/docker-entrypoint.sh /docker-entrypoint.sh
COPY ./data/docker-entrypoint.d/*.sh /docker-entrypoint.d/


@@ -23,34 +23,7 @@ php_all_versions:
###
### PHP settings equal for php.ini and php-fpm.comf (used below)
###
php_settings_all:
# ---- Settings for PHP.INI and PHP-FPM.CONF ----
base:
# Timeouts
timeout: 180
# Error reporting
error_reporting: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
xmlrpc_errors: 'Off'
report_memleaks: 'On'
display_errors: 'Off'
display_startup_errors: 'Off'
track_errors: 'On'
log_errors: 'On'
html_errors: 'Off'
work:
# Timeouts
timeout: 180
# Error reporting
error_reporting: E_ALL | E_NOTICE | E_STRICT | E_DEPRECATED
xmlrpc_errors: 'Off'
report_memleaks: 'On'
display_errors: 'On'
display_startup_errors: 'On'
track_errors: 'On'
log_errors: 'On'
html_errors: 'On'
php_timeout: 120
###
### PHP.ini
@@ -61,25 +34,26 @@ php_settings_ini:
# Memory
memory_limit: 512M
# Timeouts
max_execution_time: "{{ php_settings_all.base.timeout }}"
max_input_time: "{{ php_settings_all.base.timeout }}"
max_execution_time: "{{ php_timeout }}"
max_input_time: "{{ php_timeout }}"
# Uploads
post_max_size: 384M
upload_max_filesize: 256M
# Note: "post_max_size" should be greater than "upload_max_filesize"
post_max_size: 72M
upload_max_filesize: 64M
max_file_uploads: 20
# Variables
variables_order: EGPCS
max_input_vars: 8000
max_input_nesting_level: 64
# Error reporting
error_reporting: "{{ php_settings_all.base.error_reporting }}"
xmlrpc_errors: "{{ php_settings_all.base.xmlrpc_errors }}"
report_memleaks: "{{ php_settings_all.base.report_memleaks }}"
display_errors: "{{ php_settings_all.base.display_errors }}"
display_startup_errors: "{{ php_settings_all.base.display_startup_errors }}"
track_errors: "{{ php_settings_all.base.track_errors }}"
log_errors: "{{ php_settings_all.base.log_errors }}"
html_errors: "{{ php_settings_all.base.html_errors }}"
error_reporting: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
xmlrpc_errors: 'Off'
report_memleaks: 'On'
display_errors: 'Off'
display_startup_errors: 'Off'
track_errors: 'On'
log_errors: 'On'
html_errors: 'Off'
# Xdebug settings
xdebug_default_enable: 'Off'
xdebug_profiler_enable: 'Off'
@@ -93,14 +67,14 @@ php_settings_ini:
# ---- Inherits from base and overwrites certain values ----
work:
# Error reporting
error_reporting: "{{ php_settings_all.work.error_reporting }}"
xmlrpc_errors: "{{ php_settings_all.work.xmlrpc_errors }}"
report_memleaks: "{{ php_settings_all.work.report_memleaks }}"
display_errors: "{{ php_settings_all.work.display_errors }}"
display_startup_errors: "{{ php_settings_all.work.display_startup_errors }}"
track_errors: "{{ php_settings_all.work.track_errors }}"
log_errors: "{{ php_settings_all.work.log_errors }}"
html_errors: "{{ php_settings_all.work.html_errors }}"
error_reporting: E_ALL | E_NOTICE | E_STRICT | E_DEPRECATED
xmlrpc_errors: 'Off'
report_memleaks: 'On'
display_errors: 'On'
display_startup_errors: 'On'
track_errors: 'On'
log_errors: 'On'
html_errors: 'On'
# Xdebug settings
xdebug_default_enable: 'Off'
xdebug_profiler_enable: 'Off'
@@ -118,48 +92,32 @@ php_settings_fpm:
clear_env: 'no'
catch_workers_output: 'yes'
# Timeouts
request_terminate_timeout: "{{ php_settings_all.work.timeout }}s"
request_terminate_timeout: "{{ php_timeout }}s"
# Network
listen: 9000
listen_backlog: 1023
listen_backlog: 1024
# Logging
log_level: notice
error_log: /proc/self/fd/2
access_log: /proc/self/fd/2
# Worker
pm: dynamic
pm_max_children: 50
pm_start_servers: 10
pm_min_spare_servers: 5
pm_max_spare_servers: 15
pm_max_requests: 500
pm: ondemand
pm_max_children: 50 # pm: dynamic, ondemand or static
pm_start_servers: 4 # only for pm: dynamic (min_spare + (max_spare-min_spare)/2
pm_min_spare_servers: 2 # only for pm: dynamic
pm_max_spare_servers: 6 # only for pm: dynamic
pm_max_requests: 500 # pm: dynamic or ondemand
pm_process_idle_timeout: 10s # only for pm: ondemand
# User/Group
user: devilbox
group: devilbox
# Error reporting
error_reporting: "{{ php_settings_all.base.error_reporting }}"
xmlrpc_errors: "{{ php_settings_all.base.xmlrpc_errors }}"
report_memleaks: "{{ php_settings_all.base.report_memleaks }}"
display_errors: "{{ php_settings_all.base.display_errors }}"
display_startup_errors: "{{ php_settings_all.base.display_startup_errors }}"
track_errors: "{{ php_settings_all.base.track_errors }}"
log_errors: "{{ php_settings_all.base.log_errors }}"
html_errors: "{{ php_settings_all.base.html_errors }}"
# ---- Inherits from base ----
mods:
# ---- Inherits from base ----
prod:
# ---- Inherits from base and overwrites certain values ----
work:
# Error reporting
error_reporting: "{{ php_settings_all.work.error_reporting }}"
xmlrpc_errors: "{{ php_settings_all.work.xmlrpc_errors }}"
report_memleaks: "{{ php_settings_all.work.report_memleaks }}"
display_errors: "{{ php_settings_all.work.display_errors }}"
display_startup_errors: "{{ php_settings_all.work.display_startup_errors }}"
track_errors: "{{ php_settings_all.work.track_errors }}"
log_errors: "{{ php_settings_all.work.log_errors }}"
html_errors: "{{ php_settings_all.work.html_errors }}"
###
@@ -190,7 +148,6 @@ template_configurations:
cfg: "{{ php_settings_ini }}"
key: work
alt: base # Alternative key to use when definition is not set in 'work'
# php-fpm.conf
- src: CONFIGURATIONS/php-fpm.conf.j2
dst: "../../Dockerfiles/base/data/php-fpm.conf/php-fpm-{{ php_version }}.conf"
@@ -203,18 +160,6 @@ template_configurations:
key: work
alt: base
# php-fpm.d-conf
- src: CONFIGURATIONS/php-fpm.d-conf.j2
dst: "../../Dockerfiles/base/data/php-fpm.d/php-fpm.d-{{ php_version }}.conf"
cfg: "{{ php_settings_fpm }}"
key: base
alt: base
- src: CONFIGURATIONS/php-fpm.d-conf.j2
dst: "../../Dockerfiles/work/data/php-fpm.d/php-fpm.d-{{ php_version }}.conf"
cfg: "{{ php_settings_fpm }}"
key: work
alt: base
###
### Variables to be used in this file (group_vars/all.yml)