1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
|
Table of Contents:
----------------------------------------------------------------------
* Using PHP 5 with threaded webservers (e.g. apache2-mpm-worker)
* Problems starting Apache HTTP Server with PHP 5
* Session storage
* Other caveats
* PHP 5 and Apache 2 Multiviews (HTTP Content Negotiation)
* PHP 5 CGI and Apache HTTP Server
* Configuration layout
* Timezone data from system timezone database
* Further documentation, errata, etc
Using PHP 5 with threaded webservers (e.g. apache2-mpm-worker)
----------------------------------------------------------------------
After much back-and-forth with upstream (and even building our
packages thread-safe for a while), we're currently admitting defeat
on that front, and are NOT building any thread-safe versions of PHP
5 for any webservers. Our recommendation is that, if you need to use
a threaded webserver, you should use php5-fpm and interface to your
webserver with FastCGI.
Problems starting Apache HTTP Server with PHP 5
----------------------------------------------------------------------
At the time of writing, there are no *known* incompatibilities
between any of the PHP 5 modules we ship. However, there have been
many bug reports in the past due to dynamically-loaded extensions,
and it's possible there are still bugs in the released packages. If
Apache fails to start after you install PHP 5, check your list of
enabled extensions at the bottom of /etc/php5/apache2/php.ini (and
in the per-SAPI configuration directory), and try commenting out or
reordering the extensions until you find a combination that works.
For example, in the past the mhash extension was incompatible with
some other common extensions. To work around this, you could list
the mhash extension first in php.ini.
If you find an extension-related bug in the Debian packages, and you
are willing to help debug the problem, please send us a bug report
that lists all enabled PHP 5 extensions (extension=), in the order
in which they appear in php.ini, as well as all enabled Apache
modules (LoadModule), with version numbers where possible.
Session storage
----------------------------------------------------------------------
Session files are stored in /var/lib/php5/sessions. For security
purposes, this directory is unreadable to non-root users. This means
that PHP 5 running from Apache HTTP Server, for example, will not be
able to clean up stale session files. Instead, we have a cron job
run every 30 minutes that cleans up stale session files;
/etc/cron.d/php5. You may need to modify how often this runs, if
you've modified session.gc_maxlifetime in your php.ini; otherwise,
it may be too lax or overly aggressive in cleaning out stale session
files.
WARNING: If you modify the session handling in any way (e.g. put
session files in subdirectories, use different session handler), you
always have to check and possibly disable or modify the session
cleanup cron job that is located in /etc/cron.d/php5.
Other caveats
----------------------------------------------------------------------
Configuration directives extension_dir and include_path should be
commented out, unless you need special settings for them so PHP will
look in compiled-in paths. If you set them, you should also add
appropriate PHP install directories there.
PHP 5 and Apache 2 Multiviews (HTTP Content Negotiation)
----------------------------------------------------------------------
Apache 2’s mod_negotiation needs files to have a MIME-Type (amongst
others) associated with them in order to be considered for HTTP
content negotiation.
Per default, the Debian PHP packages use Apache 2 handlers
(SetHandler directive) to enable PHP interpretation, while no
MIME-Type is being associated with the common PHP file extensions.
Thus, by default, the HTTP content negotiation is disabled for PHP
file extensions.
Possible use cases:
1) You intend to use HTTP content negotiation in order to tidy up URLs:
For example, you wanted the file “http://example.org/foo.php”
being accessible as “http://example.org/foo”, too. In that case
you really shouldn’t abuse mod_negotiation but use mod_rewrite.
An example of rewrite-rules, which allow any file ending in “.php”
to be accessed without this extension is:
RewriteCond "%{REQUEST_FILENAME}" !-f
RewriteCond "%{REQUEST_FILENAME}" !-d
RewriteRule "^(.*)$" "$1.php" [last]
Depending on your setup you may need to set other flags, too,
especially “passthrough” or “qsappend”.
2) You really wanted to use HTTP content negotiation on PHP files
(be they interpreted or not).
An example for this might be, when you have the files
http://example.org/foo.php
http://example.org/foo.js
which both do the same job, but the former is executed as PHP on
the server-side, while the later is executed as JavaScript on the
client-side.
If you really want it, just add MIME type definitions for file
extensions you need to your Apache 2 configuration. For example
to recognize php and phps extensions you would add:
AddType application/x-php php
AddType application/x-php-source phps
This scenario is really very rarely used (if at all)!
PHP 5 CGI and Apache HTTP Server
----------------------------------------------------------------------
In simple cases, what you probably want isn't the php5-cgi package
at all, but rather the libapache2-mod-php5 package, which will
configure itself on installation and Just Work(tm). However, if you
have a need to use the CGI version of PHP 5 with Apache HTTP Server,
the following should help get you going, though there are dozens of
different ways to do this.
The current recommended approach is to install the php5-fpm package
and use FastCGI to interface to your webserver. However, you will
have to use the libapache2-mod-fastcgi package (from non-free) or a
different FastCGI-capable webserver (such as nginx or lighttpd),
since the libapache2-mod-fcgid available from the main archive has
no way of interacting with external FastCGI servers.
Please note that this process will never be made automatic, as
php5-cgi is meant to be a webserver-agnostic package that can be
used with any httpd, and we don't want it to conflict with the
httpd-specific packages such as libapache2-mod-php5. If both were
installed side-by-side and both were automatically enabled, the
results would be a bit confusing, obviously.
You should also be aware that a server deployed in CGI mode is open
to several possible vulnerabilities. See the upstream CGI security
page to learn how to defend yourself from such attacks:
http://www.php.net/manual/en/security.cgi-bin.php
To use php5-cgi with Apache HTTP Server:
1) activate php5_cgi module: run 'a2enconf php5-cgi'
2) this will also activate the mod_actions module as a dependency
3) comment out the last block of configuration in the
/etc/apache2/mods-enabled/php5_cgi.conf file to enable
server-wide PHP 5 CGI or add the mentioned configuration block to
one or more virtual hosts or directories.
4) It's advised to not mix-and-match multiple SAPIs (such as
php5-cgi along with libapache2-mod-php5) in the same apache2
configuration as it is likely to create unpredictable results.
Configuration Layout
----------------------------------------------------------------------
Each SAPI (apache2/apache2filter/cgi/cli/fpm) has a different
central configuration file /etc/php5/$SAPI/php.ini.
Additionally, each SAPI is configured with the compile-time option
--with-config-file-scan-dir=/etc/php5/$SAPI/conf.d
which for all SAPIs is actually a symlink pointing to a central
directory /etc/php5/conf.d. Any file found in this directory ending
in .ini will be treated as a configuration file by the PHP SAPI.
The rationale behind this method is that each SAPI can thus be
identically configured with a minimal amount of conffile handling,
but at the same time if you want to have SAPI-specific
configuration, you can just remove the symlink.
Note that the usage of the PHP_INI_SCAN_DIR environment variable
overrides what is set with --with-config-file-scan-dir and thus the
directory /etc/php5/$SAPI/conf.d will no longer be included.
Timezone data from system timezone database
----------------------------------------------------------------------
Debian PHP has been patched to use the system wide timezone database
from the tzdata package, making sure any updates there are
automatically used by PHP as well.
Note that this requires that the PHP process has access to
/etc/localtime and /usr/share/zoneinfo. For any regular installation
this should be the case, but in specific secured environments when
reading the timezone database is impossible PHP will give a
"Timezone database is corrupt - this should *never* happen!" error.
Further documentation, errata, misc.
----------------------------------------------------------------------
Errata and other general information about PHP in Debian can be
found in the debian wiki at:
http://wiki.debian.org/PHP
If after reading the documentation in this file you still have
unanswered questions, that's a good next place to go.
-- Ondřej Surý <ondrej@debian.org>, Thu, 14 Aug 2014 10:17:49 +0200
|
