It would be nice to migrate the VirtualHost of `www.wikimedia.it` from the legacy `mod_php` configuration to a dedicated PHP-FPM pool.
This is the current/old VirtualHost in our repository:
https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/f322bcd06f9dd301ee87cee2bde8d8a5d7855e36/servers/intreccio/conf/apache2/sites-available/it-wikimedia-www-ssl.conf
This is the current/old location on the filesystem:
```
/etc/wmit-infrastructure/servers/intreccio/conf/apache2/sites-available/it-wikimedia-www-ssl.conf
```
NOTE: If you need an Apache proxy configuration for PHP-FPM to use as inspiration, see: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/f322bcd06f9dd301ee87cee2bde8d8a5d7855e36/servers/intreccio/conf/apache2/include/it-wikimedia-wiki-main.conf
The new configuration should probably be created in this location (there are some useful files nearby to use as inspiration):
```
/etc/wmit-infrastructure/servers/intreccio/conf/php/7.3/fpm/pool.d/www.conf
```
NOTE: If you need a PHP-FPM pool configuration to use as inspiration, see: https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure/-/blob/f322bcd06f9dd301ee87cee2bde8d8a5d7855e36/servers/intreccio/conf/php/7.3/fpm/pool.d/wikina.conf
Suggested specifications:
| Topic | Value | Notes |
|---|---|---|
| Proposed dedicated Unix user name | `wmit-www` | |
| Proposed listen: socket vs port | socket | Why not? A socket works and reduces proxy overhead. We love the planet 💚 |
| Proposed socket file name | `/run/php/php7.3-fpm-www.sock` | |
That's all!
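As an added example (not code from the wmit-infrastructure repository), here is a small script that renders the proposed pool with the specs above and the matching Apache stanza that hands `.php` requests to it over the socket. The docroot path, the Apache include file name and the `WMIT_APPLY` switch are assumptions; the config tests and reload only run when the switch is set.

```shell
#!/bin/sh
# Added example, not from the wmit-infrastructure repo. Renders the proposed
# PHP-FPM pool for www.wikimedia.it plus the Apache proxy stanza for it.
# Assumptions: Debian paths, PHP 7.3, hypothetical docroot below.
set -eu

POOL_NAME="www"
POOL_USER="wmit-www"
SOCK="/run/php/php7.3-fpm-www.sock"
DOCROOT="${DOCROOT:-/var/www/www.wikimedia.it}"   # hypothetical docroot

# PHP-FPM pool: dedicated user, socket connectable only by Apache (www-data).
render_pool_conf() {
  cat <<EOF
[$POOL_NAME]
user = $POOL_USER
group = $POOL_USER
listen = $SOCK
; Apache (www-data) must connect to the socket; nobody else needs to.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; Only execute real .php files, never an upload named something.php.jpg
security.limit_extensions = .php
; Keep this pool inside its own docroot (plus /tmp for sessions/uploads)
php_admin_value[open_basedir] = $DOCROOT:/tmp
EOF
}

# Apache side: proxy .php requests to the pool over the unix socket.
render_apache_conf() {
  cat <<EOF
<FilesMatch "\.php$">
    SetHandler "proxy:unix:$SOCK|fcgi://localhost/"
</FilesMatch>
EOF
}

# Apply only when explicitly requested (needs root on the target host).
if [ "${WMIT_APPLY:-0}" = "1" ]; then
  id "$POOL_USER" >/dev/null 2>&1 || useradd --system --shell /usr/sbin/nologin --no-create-home "$POOL_USER"
  render_pool_conf   > "/etc/php/7.3/fpm/pool.d/$POOL_NAME.conf"
  render_apache_conf > "/etc/apache2/include/it-wikimedia-www-fpm.conf"   # hypothetical file name
  php-fpm7.3 -t && apache2ctl configtest
  systemctl reload php7.3-fpm apache2
fi
```

After the reload, `ps -o user,cmd -C php-fpm7.3` should show the pool workers running as `wmit-www`, which is the whole point of the migration.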
----
Pro:
* `mod_php` is damn simpler to adopt than PHP-FPM
* it would be easier to notice if the process is doing something nasty, since it runs as a dedicated Unix user and not as `www-data`
* it's easier to separate privileges
* it could probably improve responsiveness, but there is no evidence
Cons:
* we may need to occupy a new port (e.g. 900X)
* PHP-FPM allows better ITSec standards (avoids running every PHP process as `www-data`)
* we need to review privileges so that nothing other than `wmit-www` is allowed
----
The idea came up during a routine call between Stefano Cannillo and Valerio B.