
Step-by-step Apache configuration with a choice of PHP versions + Nginx as a reverse proxy (with mod_pagespeed) on Ubuntu 16.04

There are many articles on the Internet about setting up servers, Apache, Nginx and so on. This article sets up a simple shared hosting. All operations are performed through the console.

The following tasks will be solved and described in the post:

1. Install Apache + PHP
2. Ability to select PHP versions
3. Ability to run sites under different users, with restrictions on reading the directories of other sites.
4. Installing Nginx with google pagespeed module
5. Configuring Nginx as a reverse proxy
All stages come with descriptions and explanations. I wrote the post mostly for myself, so as not to forget the order of configuration, but it will be very useful for beginners who are starting to learn server administration. The server runs Ubuntu 16.04 with SSH access only.

STAGE 1 (Install Apache + PHP)

Run the shell with root rights:

sudo -i 

Install apache:

 apt install -y apache2 

The -y key is needed so that all questions during the installation are automatically answered positively. For example, if you run:

  apt install apache2 

then during the installation we will be asked whether we really want to install.

Install php (as mod_php)

  apt install -y php libapache2-mod-php 

This installs PHP version 7 as an Apache module.

STAGE 2 (Ability to select PHP versions)

At the first stage, we installed the Apache + PHP server, and PHP runs as an Apache module. PHP has several modes of operation; detailed information can be found under the link "CGI, FastCGI, PHP-FPM and mod_php in brief".

If you are too lazy to read it, here is a simpler explanation:

1. mod_php - Apache itself runs the PHP script.

Pros: works quickly, requires a minimum of settings and knowledge
Cons: scripts run as the Apache user (usually www-data)

2. CGI / FastCGI - the Apache server starts the php-cgi interpreter, which in turn executes the PHP script.

Pros: scripts are executed as an arbitrary user, can be used in conjunction with other applications (Nginx + PHP), PHP configuration can be made individual
Cons: speed, additional configuration

3. PHP-FPM - a modernized FastCGI server that constantly keeps a pool of processes ready for work.

Pros: speed, scripts run as an arbitrary user, can be used in conjunction with other applications (Nginx + PHP-FPM is the most common implementation)
Cons: additional configuration, takes a port, and opens its own port for each user.

We will focus on CGI / FastCGI. Many may be put off by the fact that it is the slowest, but most shared hosts work in this mode (ispmanager uses it). We will need to compile the PHP versions we need from source.

2.1 Building PHP from source

Update the package lists:

 apt update 

Install the packages needed for the build:

 apt install -y make \
   git \
   autoconf \
   lynx \
   wget \
   build-essential \
   libxml2-dev \
   libssl-dev \
   libbz2-dev \
   libcurl4-openssl-dev \
   libpng12-dev \
   libfreetype6-dev \
   libxpm-dev \
   libmcrypt-dev \
   libmhash-dev \
   libmysqlclient-dev \
   libjpeg62-dev \
   freetds-dev \
   libjson-c-dev \
   re2c \
   zlib1g-dev \
   libpcre3 \
   libpcre3-dev \
   unzip \
   libxslt1-dev

The \ character is used as a line continuation for readability.

Create folders for PHP:

 mkdir -p /opt/source/php
 mkdir -p /opt/php/

Go to the directory in which the PHP sources will be stored:

 cd /opt/source/php 

Download the required version of PHP and unpack it:

 wget -c http://php.net/get/php-5.6.18.tar.bz2/from/this/mirror -O php-5.6.18.tar.bz2
 tar xvjf php-5.6.18.tar.bz2

The first command downloads php-5.6.18 from the link and saves it as php-5.6.18.tar.bz2; the second unpacks the archive.

Go to the directory with the downloaded and unpacked PHP:

 cd /opt/source/php/php-5.6.18 

Configure PHP:

 ./configure --enable-cli \
   --prefix=/opt/php/php-5.6.18 \
   --disable-rpath \
   --enable-calendar \
   --enable-discard-path \
   --enable-fastcgi \
   --enable-force-cgi-redirect \
   --enable-fpm \
   --enable-ftp \
   --enable-gd-native-ttf \
   --enable-inline-optimization \
   --enable-mbregex \
   --enable-mbstring \
   --enable-pcntl \
   --enable-soap \
   --enable-sockets \
   --enable-sysvsem \
   --enable-sysvshm \
   --enable-zip \
   --with-bz2 \
   --with-curl \
   --with-freetype-dir \
   --with-gd \
   --with-gettext \
   --with-jpeg-dir \
   --with-jpeg-dir=/usr/lib/ \
   --with-libdir=/lib/x86_64-linux-gnu \
   --with-libxml-dir=/usr \
   --with-mcrypt \
   --with-mhash \
   --with-mysql \
   --with-mysqli \
   --with-openssl \
   --with-pcre-regex \
   --with-pdo-mysql \
   --with-png-dir=/usr \
   --with-zlib \
   --with-zlib-dir

Pay attention to the line --prefix=/opt/php/php-5.6.18: this is the directory PHP will be installed into. You can also add or remove PHP modules and components as needed, but the configuration must include --enable-fastcgi and --enable-force-cgi-redirect. After configuration, build PHP:

 make
 make install

The build takes a long time, so do not worry about it. When it finishes, you can check the result with the command:

 /opt/php/php-5.6.18/bin/php -v 

The result will be something like:

PHP 5.6.18 (cli) (built: Jun 8 2017 15:59:20)
Copyright © 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright © 1998-2016 Zend Technologies

2.2 Configuring Apache

Next, we need Apache to run PHP scripts in FastCGI mode. Install and activate mod_fcgid:

 apt install libapache2-mod-fcgid
 a2enmod cgi fcgid actions

Restart the Apache service:

 service apache2 restart 

2.3 Creating a CGI Script

Create a directory for the wrapper that runs PHP-FastCGI:

 mkdir -p /opt/php/php-5.6.18/fcgi-bin 

In this folder, create a script called php with the following contents:

 #!/opt/php/php-5.6.18/bin/php-cgi

I personally use the nano editor.

 nano /opt/php/php-5.6.18/fcgi-bin/php

Insert the code, exit with CTRL + X and confirm the changes.

Make the file executable:

 chmod +x /opt/php/php-5.6.18/fcgi-bin/php 

In the same directory, create a php.ini file (you can copy /opt/source/php/php-5.6.18/php.ini-production).

2.4 Setting up a host for Apache

The example uses the default virtual host:

 <VirtualHost *:80>
     ServerAdmin webmaster@localhost
     DocumentRoot /var/www/html

     <IfModule mod_fcgid.c>
         IPCCommTimeout 7200
         FcgidConnectTimeout 320
         MaxRequestLen 25728640
         FcgidMaxRequestsPerProcess 0
         FcgidBusyTimeout 3600
         FcgidOutputBufferSize 0
     </IfModule>

     <FilesMatch "\.ph(p[3-5]?|tml)$">
         SetHandler fcgid-script
         FCGIWrapper /opt/php/php-5.6.18/fcgi-bin/php
     </FilesMatch>

     # Note: these logs are written inside DocumentRoot, so they can be requested over HTTP
     ErrorLog /var/www/html/error.log
     CustomLog /var/www/html/access.log combined
 </VirtualHost>

 <Directory /var/www/html>
     Options +Includes +ExecCGI
 </Directory>

Reload the Apache configuration:

 service apache2 reload 

STAGE 3 (Ability to run sites under different users, with restrictions on reading the directories of other sites)

To separate user rights, Apache has two different modules: suEXEC and ITK.

Consider how each of them works:

ITK - When a request arrives, Apache creates a handler process that inherits the rights of the root process, but after checking the context it changes its rights to those of the specified user.

suEXEC - When a request is received, Apache runs CGI and similar proprietary or third-party scripts / programs within the domain's web folder on behalf of the specified user.

suEXEC is preferable in our case because of the way it works. Install suEXEC:

 apt install apache2-suexec-custom
 a2enmod suexec


It is important: for suexec to work properly, the rights to the directories must be set correctly.
How to lay out the directories is up to you; the layout below is just an example, and it is not optimal.

The folder hierarchy is as follows:

|--/var/www/ - , 751 root
|----/php-bin - php
|------/php-5.6.18 - php-5.6.18
|--------php - php-5.6.18
|--------php.ini -
|--------php.ini -
|----/apache-cert - apache

Create folders for the user:

 mkdir -p /var/www/users/admin
 mkdir -p /var/www/users/admin/domain.ru
 mkdir -p /var/www/users/admin/apache-log
 mkdir -p /var/www/users/admin/php-bin
 mkdir -p /var/www/users/admin/temp
 mkdir -p /var/www/users/admin/temp/php-session

Copy the PHP wrapper and settings file:

 cp /opt/php/php-5.6.18/fcgi-bin/php /var/www/users/admin/php-bin/php
 cp /opt/php/php-5.6.18/fcgi-bin/php.ini /var/www/users/admin/php-bin/php.ini

Create a user (it is important to remember that all users in the admin group are allowed to run programs through sudo, so if you choose the name admin, the user will automatically have rights to execute sudo. In this example this is not critical, but you should keep it in mind when creating a user).

 useradd -m -s /bin/bash admin
 passwd admin

Set the folder owner:

 chown admin:admin -R /var/www/users/admin

Set the home directory for the user:

 usermod -d /var/www/users/admin admin

Configure the virtual host in Apache:

 <VirtualHost *:8080>
     ServerAdmin webmaster@localhost
     DocumentRoot /var/www/users/admin/domain.ru
     SuexecUserGroup admin admin

     <IfModule mod_remoteip.c>
         RemoteIPHeader X-Forwarded-For
         RemoteIPHeader X-Real-IP
         RemoteIPInternalProxy 127.0.0.1
     </IfModule>

     <IfModule mod_rewrite.c>
         RewriteEngine On
         RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
     </IfModule>

     <IfModule mod_fcgid.c>
         IPCCommTimeout 7200
         FcgidConnectTimeout 320
         MaxRequestLen 25728640
         FcgidMaxRequestsPerProcess 0
         FcgidBusyTimeout 3600
         FcgidOutputBufferSize 0
     </IfModule>

     <FilesMatch "\.ph(p[3-5]?|tml)$">
         SetHandler fcgid-script
         FCGIWrapper /var/www/users/admin/php-bin/php
     </FilesMatch>

     ErrorLog /var/www/users/admin/apache-log/error.log
     CustomLog /var/www/users/admin/apache-log/access.log combined
 </VirtualHost>

 # The path must match DocumentRoot, otherwise ExecCGI is not enabled for the site
 <Directory /var/www/users/admin/domain.ru>
     AllowOverride All
     Options +Includes +ExecCGI
 </Directory>

In the user's php.ini, change session.save_path:

 session.save_path = /var/www/users/admin/temp/php-session

Restart Apache:

 service apache2 restart 
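
The directory rights that suexec depends on can be checked with a script. The following is an added example, not part of the original article: it applies suEXEC's ownership, write-permission and setuid/setgid rules to the wrapper copied into php-bin. The function name audit_suexec_wrapper is chosen for this example, GNU stat is assumed, and /var/www is assumed to be the suEXEC document root.

```bash
#!/usr/bin/env bash
# Added example: audit an fcgid wrapper against suEXEC's ownership and
# permission rules. The function name is chosen for this example.

# audit_suexec_wrapper WRAPPER UID:GID DOCROOT
# Prints one line per failed rule; returns 0 only if every rule passes.
audit_suexec_wrapper() {
    local wrapper want docroot dir real_dir real_root path mode rc
    wrapper=$1; want=$2; docroot=$3; rc=0

    [ -f "$wrapper" ] || { echo "FAIL: $wrapper is not a regular file"; return 1; }
    dir=$(dirname "$wrapper")
    real_dir=$(cd "$dir" && pwd -P) || return 1
    real_root=$(cd "$docroot" && pwd -P) || return 1

    # Rule 1: the wrapper's directory must be inside the suEXEC document root.
    case "$real_dir/" in
        "$real_root"/*) ;;
        *) echo "FAIL: $real_dir is outside docroot $real_root"; rc=1 ;;
    esac

    for path in "$dir" "$wrapper"; do
        # Rule 2: directory and wrapper belong to the SuexecUserGroup pair.
        if [ "$(stat -c '%u:%g' "$path")" != "$want" ]; then
            echo "FAIL: $path is not owned by $want"; rc=1
        fi
        # Rule 3: neither may be writable by group or others.
        mode=$(stat -c '%a' "$path")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: $path is group/other-writable (mode $mode)"; rc=1
        fi
    done

    # Rule 4: the wrapper must not carry the setuid or setgid bit.
    mode=$(stat -c '%a' "$wrapper")
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "FAIL: $wrapper is setuid/setgid (mode $mode)"; rc=1
    fi
    return "$rc"
}

# Usage on the article's layout (as root; /var/www is the assumed docroot):
#   audit_suexec_wrapper /var/www/users/admin/php-bin/php \
#       "$(id -u admin):$(id -g admin)" /var/www
```

A non-zero exit status means Apache's suexec would refuse to start the wrapper for that user; the printed FAIL lines name the path and the rule that was broken.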

STAGE 4 (Installing Nginx with the Google pagespeed module)

Looking ahead: to support pagespeed, Nginx itself has to be rebuilt with this module, and to avoid digging through the settings again later, it is easier to install it right away.
Change the ports for Apache:

 /etc/apache2/ports.conf +     

Restart Apache:

 service apache2 restart 

Install Nginx:

 apt-get install nginx

Build Nginx with pagespeed

First you need to install everything you need to build the packages:

 apt install -y build-essential zlib1g-dev libpcre3 libpcre3-dev unzip libxslt1-dev libgd-dev libgeoip-dev 

Create a folder for the Nginx sources:

 mkdir -p /opt/source/nginx
 cd /opt/source/nginx

Download and unpack pagespeed and psol:

 wget https://github.com/pagespeed/ngx_pagespeed/archive/v1.11.33.4-beta.zip
 unzip v1.11.33.4-beta.zip
 cd ngx_pagespeed-1.11.33.4-beta
 wget https://dl.google.com/dl/page-speed/psol/1.11.33.4.tar.gz
 tar -xzvf 1.11.33.4.tar.gz

psol itself is downloaded and unpacked inside the ngx_pagespeed directory. Go back to the folder with the Nginx sources:

 cd /opt/source/nginx

Check the Nginx version (the default is 1.10.0 in Ubuntu 16.04):

 nginx -V 

Download that version of Nginx:

 wget https://nginx.ru/download/nginx-1.10.0.tar.gz
 tar -xvzf nginx-1.10.0.tar.gz

Configure Nginx with the same parameters as the installed one, adding the extra modules at the end:

 cd /opt/source/nginx/nginx-1.10.0
 ./configure \
   --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' \
   --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' \
   --prefix=/usr/share/nginx \
   --conf-path=/etc/nginx/nginx.conf \
   --http-log-path=/var/log/nginx/access.log \
   --error-log-path=/var/log/nginx/error.log \
   --lock-path=/var/lock/nginx.lock \
   --pid-path=/run/nginx.pid \
   --http-client-body-temp-path=/var/lib/nginx/body \
   --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
   --http-proxy-temp-path=/var/lib/nginx/proxy \
   --http-scgi-temp-path=/var/lib/nginx/scgi \
   --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
   --with-debug \
   --with-pcre-jit \
   --with-ipv6 \
   --with-http_ssl_module \
   --with-http_stub_status_module \
   --with-http_realip_module \
   --with-http_auth_request_module \
   --with-http_addition_module \
   --with-http_dav_module \
   --with-http_geoip_module \
   --with-http_gunzip_module \
   --with-http_gzip_static_module \
   --with-http_image_filter_module \
   --with-http_v2_module \
   --with-http_sub_module \
   --with-http_xslt_module \
   --with-stream \
   --with-stream_ssl_module \
   --with-mail \
   --with-mail_ssl_module \
   --with-threads \
   --add-module=/opt/source/nginx/ngx_pagespeed-1.11.33.4-beta \
   --with-http_mp4_module

Build Nginx:

 make
 make install

The compiled Nginx binary is located at /opt/source/nginx/nginx-1.10.0/objs/nginx. To install it, just replace the Nginx binary currently in use with the one you built.

Stop Nginx, replace the file, and start it again.

 service nginx stop 

# Rename (just in case) the current nginx to nginx_backup:

 mv /usr/sbin/nginx /usr/sbin/nginx_backup 

# Move the newly compiled binary into its place:

 mv /opt/source/nginx/nginx-1.10.0/objs/nginx /usr/sbin/nginx 

Start Nginx:

 service nginx start 

Create a cache storage folder for pagespeed:

 mkdir -p /var/www/temp/page-speed/

Add the following to the http section of /etc/nginx/nginx.conf:

 pagespeed on;
 pagespeed FileCachePath "/var/www/temp/page-speed/";
 pagespeed EnableFilters combine_css,combine_javascript,rewrite_images,rewrite_css,rewrite_javascript,inline_images,recompress_jpeg,recompress_png,resize_images;
 pagespeed JpegRecompressionQuality 85;
 pagespeed ImageRecompressionQuality 85;
 pagespeed ImageInlineMaxBytes 2048;
 pagespeed LowercaseHtmlNames on;

STAGE 5 (Configuring Nginx as a reverse proxy)

There are plenty of articles on the Internet about configuring Nginx as a reverse proxy, so I will give only an introductory version of the configuration.

 server {
     listen 80;
     server_name domain.ru;
     access_log /var/log/nginx.access_log;

     # Static files are served by Nginx directly; anything missing goes to Apache
     location ~* \.(jpg|jpeg|gif|png|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|xml|docx|xlsx)$ {
         root /var/www/users/admin/domain.ru;
         index index.html index.php;
         access_log off;
         expires 30d;
         error_page 404 = @prox;
     }

     location @prox {
         # Apache backend: proxy_pass requires the http:// scheme, and the port
         # must be the one the Apache VirtualHost listens on (*:8080)
         proxy_pass http://127.0.0.1:8080;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-for $remote_addr;
         proxy_set_header Host $host;
         proxy_connect_timeout 60;
         proxy_send_timeout 90;
         proxy_read_timeout 90;
         proxy_redirect off;
         proxy_set_header Connection close;
         proxy_pass_header Content-Type;
         proxy_pass_header Content-Disposition;
         proxy_pass_header Content-Length;
     }

     # Never serve .htaccess / .htpasswd files
     location ~ /\.ht {
         deny all;
     }

     location / {
         proxy_pass http://127.0.0.1:8080;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-for $remote_addr;
         proxy_set_header Host $host;
         proxy_connect_timeout 60;
         proxy_send_timeout 90;
         proxy_read_timeout 90;
         proxy_redirect off;
         proxy_set_header Connection close;
         proxy_pass_header Content-Type;
         proxy_pass_header Content-Disposition;
         proxy_pass_header Content-Length;
     }
 }

Source: https://habr.com/ru/post/330772/
