Change Details

It would be nice to migrate the VirtualHost of `www.wikimedia.it` from the legacy configuration of `mod_php` to a dedicated pool of PHP-FPM. This is the current/old VirtualHost in our repository: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/f322bcd06f9dd301ee87cee2bde8d8a5d7855e36/servers/intreccio/conf/apache2/sites-available/it-wikimedia-www-ssl.conf This is the current/old location on the filesystem: ``` /etc/wmit-infrastructure/servers/intreccio/conf/apache2/sites-available/it-wikimedia-www-ssl.conf ``` NOTE: If you need an inspirational Apache proxy configuration for PHP-FPM, check this: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/f322bcd06f9dd301ee87cee2bde8d8a5d7855e36/servers/intreccio/conf/apache2/include/it-wikimedia-wiki-main.conf The new configuration should be probably created in this location (note that there are some useful files nearby to copy as inspiration): ``` /etc/wmit-infrastructure/servers/intreccio/conf/php/7.3/fpm/pool.d/www.conf ``` NOTE: If you need an inspirational PHP-FPM configuration, check this: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/f322bcd06f9dd301ee87cee2bde8d8a5d7855e36/servers/intreccio/conf/php/7.3/fpm/pool.d/wikina.conf Suggested specifications: | Topic | Value | Notes | |--------------------------------------|------------|--| | Proposed dedicated unix user name | `wmit-www` | | | Proposed listen to socket VS port | socket | Why not. A socket works and reduces proxy overhead. We love the planet 💚 | | Proposed socket file name | `/run/php/php7.3-fpm-www.sock` | | That's all! ---- Pro: * `mod_php` is damn more simple to adopt than PHP-FPM * it would be easier to discover if the process is doing something nasty since it's a dedicated Unix user and not `www-data` * it's easier to separate privileges * probably it could improve responsiveness, but there is no evidence Cons: * We may need to occupy a new port (e.g. 900X) * PHP-FPM allows better ITSec standards (avoid to run every PHP process as `www-data`) * we need to review privileges in order to do not allow anything else than `wmit-www` ---- The idea comes during a random standard call between Stefano Cannillo with Valerio B.

NOTE: This is probably the first task of Anylink! Thank you again to help Wikimedia Italia! 💌 IMPORTANT: The supervisor is Stefano Cannillo: proceed only after his "OK" and with an established intervention window. It would be nice to migrate the VirtualHost of `www.wikimedia.it` from the legacy configuration of `mod_php` to a dedicated pool of PHP-FPM. This is the current/old VirtualHost in our repository: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/f322bcd06f9dd301ee87cee2bde8d8a5d7855e36/servers/intreccio/conf/apache2/sites-available/it-wikimedia-www-ssl.conf This is the current/old location on the filesystem: ``` /etc/wmit-infrastructure/servers/intreccio/conf/apache2/sites-available/it-wikimedia-www-ssl.conf ``` NOTE: If you need an inspirational Apache proxy configuration for PHP-FPM, check this: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/f322bcd06f9dd301ee87cee2bde8d8a5d7855e36/servers/intreccio/conf/apache2/include/it-wikimedia-wiki-main.conf The new configuration should be probably created in this location (note that there are some useful files nearby to copy as inspiration): ``` /etc/wmit-infrastructure/servers/intreccio/conf/php/7.3/fpm/pool.d/www.conf ``` NOTE: If you need an inspirational PHP-FPM configuration, check this: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/f322bcd06f9dd301ee87cee2bde8d8a5d7855e36/servers/intreccio/conf/php/7.3/fpm/pool.d/wikina.conf Suggested specifications: | Topic | Value | Notes | |--------------------------------------|------------|--| | Proposed dedicated unix user name | `wmit-www` | | | Proposed listen to socket VS port | socket | Why not. A socket works and reduces proxy overhead. We love the planet 💚 | | Proposed socket file name | `/run/php/php7.3-fpm-www.sock` | | That's all! ---- Pro: * `mod_php` is damn more simple to adopt than PHP-FPM * it would be easier to discover if the process is doing something nasty since it's a dedicated Unix user and not `www-data` * it's easier to separate privileges * probably it could improve responsiveness, but there is no evidence Cons: * We may need to occupy a new port (e.g. 900X) * PHP-FPM allows better ITSec standards (avoid to run every PHP process as `www-data`) * we need to review privileges in order to do not allow anything else than `wmit-www` ---- The idea comes during a random standard call between Stefano Cannillo with Valerio B.