It would be nice to migrate the VirtualHost of www.wikimedia.it from the legacy configuration of mod_php to a dedicated pool of PHP-FPM.
This is the current/old VirtualHost in our repository:
This is the current/old location on the filesystem:
/etc/wmit-infrastructure/servers/intreccio/conf/apache2/sites-available/it-wikimedia-www-ssl.conf
The new configuration should probably be created in this location (note that there are some useful files nearby to copy as inspiration):
/etc/wmit-infrastructure/servers/intreccio/conf/php/7.3/fpm/pool.d/www.conf
Suggested specifications:
Topic | Value | Notes |
---|---|---|
Proposed dedicated unix user name | wmit-www | |
Proposed listen to socket VS port | socket | Why not. A socket works and reduces proxy overhead. We love the planet 💚 |
Proposed socket file name | /run/php/php7.3-fpm-www.sock | |
That's all!
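As an added example (not the file from our repository), this is what the dedicated pool could look like at the path above, using the user and socket name proposed in the table. The process-manager numbers, the log path and the open_basedir/session directories are assumptions to be tuned for intreccio; the security-relevant part is the dedicated user plus the socket permissions, which restrict connections to the Apache worker.

```ini
; /etc/wmit-infrastructure/servers/intreccio/conf/php/7.3/fpm/pool.d/www.conf
; Added example for the www.wikimedia.it pool; values marked "assumed" are not from the ticket.
[www]
; Dedicated Unix account for this site only (proposed in the ticket).
; The account must exist on the host, ideally as a system user with no login shell.
user = wmit-www
group = wmit-www

; Listen on a Unix socket instead of a TCP port: nothing to allocate in the 900X range,
; and access is governed by filesystem permissions rather than host/port rules.
listen = /run/php/php7.3-fpm-www.sock

; Only the Apache worker (www-data) needs to connect to the socket.
; Mode 0660 with owner/group www-data means no other local user can reach the pool.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Process manager sizing (assumed values, tune to the host).
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; Do not inherit the FPM master's environment into the workers.
clear_env = yes

; A per-pool error log keeps this site's errors separate from every other www-data site
; and makes it easy to see what this specific process is doing (assumed path).
php_admin_value[error_log] = /var/log/php7.3-fpm-www.log
php_admin_flag[log_errors] = on

; Confine file access to directories owned by wmit-www (assumed paths).
php_admin_value[open_basedir] = /var/www/www.wikimedia.it:/tmp/wmit-www
php_admin_value[upload_tmp_dir] = /tmp/wmit-www
php_admin_value[session.save_path] = /var/lib/php/sessions/wmit-www
```

On the Apache side, with mod_proxy_fcgi enabled, the VirtualHost hands .php requests to this socket with `SetHandler "proxy:unix:/run/php/php7.3-fpm-www.sock|fcgi://localhost/"` inside a `<FilesMatch "\.php$">` block, and mod_php can be disabled with `a2dismod php7.3` once every site on the host has its own pool. `php-fpm7.3 -t` validates the pool file before restarting the service, and after the restart `ls -l /run/php/php7.3-fpm-www.sock` should show www-data ownership with mode 0660.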
Pro:
- mod_php is damn simpler to adopt than PHP-FPM
- it would be easier to notice if the process is doing something nasty, since it runs as a dedicated Unix user and not as www-data
- it's easier to separate privileges
- it could probably improve responsiveness, but there is no evidence for this
Cons:
- We may need to occupy a new port (e.g. 900X)
- PHP-FPM allows better ITSec standards (avoids running every PHP process as www-data)
- we need to review privileges so that nothing other than wmit-www is allowed