Step-by-step configuration of Apache with the choice of php + Nginx versions as reverse proxy (with mod_pagespeed) on ubuntu 16.04

On the Internet, a bunch of articles on setting up a server, setting up Apache, Nginx, etc. In this article, simple shared hosting will be configured step by step. All operations are performed through the console.

The following tasks will be solved and described in the post:

1. Installing Apache + PHP
2. The ability to select PHP versions
3. The ability to work sites from different users, with the restriction on reading directories of other sites.
4. Installing Nginx with the google pagespeed module
5. Setting up Nginx as reverse proxy

All steps will contain a description and explanations. The post itself was written more for itself, so as not to lose the order of settings, but it will be very useful for beginners who begin to understand server administration. Ubuntu 16.0.4 with SSH only is installed as the server.

STEP 1 (Install Apache + PHP)

Run the shell with root privileges:

sudo -i

Install apache:

apt install -y apache2

Key

 -y 

needed so that during the installation process, automatically answer all questions positively. For example, if you run:

 apt install apache2 

then during the installation process we will be asked if we really want to install.

Install php (like mod_php)

 apt install -y php libapache2-mod-php 

At this stage, we install php version 7 as the apache module.

STEP 2 (Possibility to choose PHP versions)

At the first stage, we installed the Apache + PHP server, with which PHP works as an Apache module. There are several PHP operating modes. Detailed information can be found on the link “Briefly about CGI, FastCGI, PHP-FPM and mod_php” .

If you are too lazy to read, then I’ll explain easier:

1. mod_php - Apache itself executes a php script.

Pros: it works quickly, requires a minimum of settings and knowledge
Cons: scripts are executed from the apache user (usually www-data)

2. CGI / FastCGI - The Apache server runs the php-cgi interpreter application script, which in turn executes the php script

Pros: scripts are run from an arbitrary user, can be used in conjunction with other applications (Nginx + PHP), the PHP configuration can be made individual
Minuses: speed, additional configuration

3.PHP-FPM is an upgraded fast-cgi server that constantly keeps ready for pool process operations.

Pros: speed, scripts are executed from an arbitrary user, can be used in conjunction with other applications (Nginx + PHP-FPM - the most common implementation)
Cons: additional configuration, takes up a port, opens a port for each user.

We will focus on CGI / FastCGI. In fact, many may be afraid that it is the slowest, but on most shared hosting, this is the mode of operation (ispmanager uses this particular mode of operation). We will need to collect from the source php versions that we need.

2.1 Building php from source

Updating the repository:

apt update

Install the packages necessary for assembly:

apt install -y make \
git autoconf \
lynx \
wget \
build-essential \
libxml2-dev \
libssl-dev \
libbz2-dev \
libcurl4-openssl-dev \
libpng12-dev \
libfreetype6-dev \
libxpm-dev \
libmcrypt-dev \
libmhash-dev \
libmysqlclient-dev \
libjpeg62-dev \
freetds-dev \
libjson-c-dev \
re2c \
zlib1g-dev \
libpcre3 \
libpcre3-dev \
unzip \
libxslt1-dev

The \ character is used as a line break for readability.

Create folders for php:

mkdir -p /opt/source/php
mkdir -p /opt/php/

Go to the directory where php sources will be stored

cd /opt/source/php

Download the necessary version of php and unpack it:

wget -c http://php.net/get/php-5.6.18.tar.bz2/from/this/mirror -O php-5.6.18.tar.bz2
tar xvjf php-5.6.18.tar.bz2

In the last command, we downloaded the link php-5.6.18 and saved it as php-5.6.18.tar.bz2 and
then unpacked the archive.

Go to the directory of downloaded and unpacked php

cd /opt/source/php/php-5.6.18

Configure php

./configure --enable-cli \
 --prefix=/opt/php/php-5.6.18		\
 --disable-rpath		\
 --enable-calendar		\
 --enable-discard-path 		\
 --enable-fastcgi		\
 --enable-force-cgi-redirect		\
 --enable-fpm		\
 --enable-ftp		\
 --enable-gd-native-ttf		\
 --enable-inline-optimization		\
 --enable-mbregex		\
 --enable-mbstring		\
 --enable-pcntl		\
 --enable-soap		\
 --enable-sockets		\
 --enable-sysvsem		\
 --enable-sysvshm		\
 --enable-zip		\
 --with-bz2		\
 --with-curl		\
 --with-curl 		\
 --with-freetype-dir		\
 --with-gd		\
 --with-gd 		\
 --with-gettext		\
 --with-jpeg-dir 		\
 --with-jpeg-dir=/usr/lib/		\
 --with-libdir=/lib/x86_64-linux-gnu		\
 --with-libxml-dir=/usr		\
 --with-mcrypt		\
 --with-mhash		\
 --with-mysql		\
 --with-mysql 		\
 --with-mysqli		\
 --with-mysqli 		\
 --with-openssl		\
 --with-pcre-regex		\
 --with-pdo-mysql		\
 --with-png-dir=/usr		\
 --with-zlib		\
 --with-zlib-dir

It is worth paying attention to the line --prefix = / opt / php / php-5.6.18 . It is in this directory that the project will be compiled. You can also add or remove the necessary php module and components yourself. But the configuration must have - enable-fastcgi and --enable-force-cgi-redirect . After the configuration, we collect php

make
make install

The assembly process is unusually long, so do not worry about this. Upon completion of the assembly, you can check with the command:

/opt/php/php-5.6.18/bin/php -v

The result will be something like:

PHP 5.6.18 (cli) (built: Jun 8 2017 15:59:20)
Copyright © 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright © 1998-2016 Zend Technologies

2.2 Configuring Apache

Next, we need Apache to call the php script through fastcgi mode. Install and activate mod_fcgi

apt install libapache2-mod-fcgid
a2enmod cgi fcgid actions

restart the apache service

service apache2 restart

2.3 Creating a CGI script

Create a wrapper to run PHP-FastCGI

mkdir -p /opt/php/php-5.6.18/fcgi-bin

In this folder, create a script called php with the following contents
#!/opt/php/php-5.6.18/bin/php-cgi. Personally, I use the nano editor.

nano /opt/php/php-5.6.18/fcgi-bin/php

We insert the code, exit CTRL + X and confirm the changes.

We make the file executable:

chmod +x /opt/php/php-5.6.18/fcgi-bin/php

In the same directory we create the php.ini () file, you can copy /opt/source/php/php-5.6.18/php.ini-production .

2.4 Host Settings for Apache

The example will show the default virtual host settings:

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        
            IPCCommTimeout 7200
            FcgidConnectTimeout 320
            MaxRequestLen 25728640
            FcgidMaxRequestsPerProcess 0
            FcgidBusyTimeout 3600
            FcgidOutputBufferSize 0
        
                SetHandler fcgid-script
                FCGIWrapper /opt/php/php-5.6.18/fcgi-bin/php
        
        ErrorLog /var/www/html/error.log
        CustomLog /var/www/html/access.log combined

        Options +Includes +ExecCGI

Restart Apache settings:

service apache2 reload

STEP 3 (Ability to work sites from different users, with a restriction on reading directories of other sites.)

To differentiate user rights, Apache has 2 different suEXEC and ITK modules.

Let's see how each of them works:

ITK - When a request arrives, apache creates a handler process that inherits the rights of the root process, but after checking the context, changes its rights to the specified user.

suEXEC - When a request arrives, apache launches CGI and similar native or third-party scripts / programs inside the domain’s web folder on behalf of the specified user.

suEXEC in our version is preferable due to the particular architecture of work. Install suEXEC

apt install apache2-suexec-custom
a2enmod suexec

It is important that for proper operation suexec must correctly set permissions on directories.
How to arrange the directories you must decide for yourself, the example gives an example, and it is not optimal.

The hierarchy of folders is as follows: Create folders for the user:

|--/var/www/ - Корневая папка, права 751 владелец root
|----/php-bin - Папка храннения дефолтных настроек для php
|------/php-5.6.18 - Папка храннения дефолтных настроек для php-5.6.18
|--------php - Исполняемый файл для php-5.6.18
|--------php.ini - Дефольный файл настроке
|--------php.ini - Дефольный файл настроке
|----/apache-cert - папка хранения сертификатов для apache


mkdir -p /var/www/users/admin
mkdir -p /var/www/users/admin/domain.ru
mkdir -p /var/www/users/admin/apache-log
mkdir -p /var/www/users/admin/php-bin
mkdir -p /var/www/users/admin/temp
mkdir -p /var/www/users/admin/temp/php-session

Copy the configuration files for php:

cp /opt/php/php-5.6.18/fcgi-bin/php /var/www/users/admin/php-bin/php
cp /opt/php/php-5.6.18/fcgi-bin/php.ini /var/www/users/admin/php-bin/php.ini

We create a user (it is important to remember that all users in the admin group have access to run programs from sudo, so when you select admin, he will automatically have permission to run sudo. In this example, this is not critical, but you should keep this in mind when creating a user) .

useradd -m -s /bin/bash admin
passwd admin

Set the owner of the folder:

chown admin:admin -R /var/www/users/admin

Set the root directory for the user:

usermod -d /var/www/users/admin admin

Configure virtual hosts in apache:

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/users/admin/domain.ru
	SuexecUserGroup admin admin	
	
	      RemoteIPHeader X-Forwarded-For
	      RemoteIPHeader X-Real-IP
	      RemoteIPInternalProxy 127.0.0.1
	
		RewriteEngine On
		RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
	
	    IPCCommTimeout 7200
	    FcgidConnectTimeout 320
	    MaxRequestLen 25728640
	    FcgidMaxRequestsPerProcess 0
	    FcgidBusyTimeout 3600
	    FcgidOutputBufferSize 0
	
		SetHandler fcgid-script
		FCGIWrapper /var/www/users/admin/php-bin/php
	
	ErrorLog /var/www/users/admin/apache-log/error.log
	CustomLog /var/www/users/admin/apache-log/access.log combined

	AllowOverride All
	Options +Includes +ExecCGI

In the user's php.ini settings, change session.save_path
session.save_path = /var/www/users/admin/temp/php-session

Restart apache:

service apache2 restart

STEP 4 (Installing Nginx with the pagespeed module from google)

Looking ahead, to support pagespeed in Nginx, you need to rebuild Nginx itself with this module, but in order not to climb further in the settings, it is easier to install it first.
Change the ports for Apache:

/etc/apache2/ports.conf
+ Ваши созданные виртуальные хосты

Restart Apache:

service apache2 restart

Install ngnix:

apt-get install nginx

We collect Nginx with pagespeed

First you need to install all the packages necessary for the assembly:

apt install -y build-essential zlib1g-dev libpcre3 libpcre3-dev unzip libxslt1-dev libgd-dev libgeoip-dev

Create folders for nginx sources:

mkdir -p /opt/source/nginx
cd /opt/source/nginx

Download and unpack pagespeed and psol. Yt cnjbn g

wget https://github.com/pagespeed/ngx_pagespeed/archive/v1.11.33.4-beta.zip
unzip v1.11.33.4-beta.zip
cd ngx_pagespeed-1.11.33.4-beta
wget https://dl.google.com/dl/page-speed/psol/1.11.33.4.tar.gz
tar -xzvf 1.11.33.4.tar.gz

Psol itself is downloaded and unpacked into a directory with ngx_pagespeed. Go to the folder with Ngnix

cd /opt/source/nginx

Checking the version of ngnix (by default, ubuntu 16.0.4 installs 1.10.0):

nginx -V

Download the t version of NGINX:

wget https://nginx.ru/download/nginx-1.10.0.tar.gz
tar -xvzf nginx-1.10.0.tar.gz

We collect nginx with the same parameters as the installed one, but in the end we add additional modules:

cd /opt/source/nginx/nginx-1.10.0
./configure \
--with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads \
--add-module=/opt/source/nginx/ngx_pagespeed-1.11.33.4-beta \
--with-http_mp4_module

Build Nginx:

make
make install

The assembled Nginx binary is located in the /opt/source/nginx/nginx-1.10.0/objs/nginx directory. In order to install, you just need to replace the current executable Nginx file with the assembled one.

Stop Nginx, replace the file, and restart it.

service nginx stop

# Rename (just in case) the current nginx to nginx_backup:

mv /usr/sbin/nginx /usr/sbin/nginx_backup

# We move in its place the new assembled binary:

mv /opt/source/nginx/nginx-1.10.0/objs/nginx /usr/sbin/nginx

restart nginx:

service nginx start

Create a cache storage folder for pagespeed:

/var/www/temp/
/var/www/temp/page-speed/

Add /etc/nginx/nginx.conf to the http section:

pagespeed on;
pagespeed FileCachePath "/var/www/temp/page-speed/";
pagespeed EnableFilters combine_css,combine_javascript,rewrite_images,rewrite_css,rewrite_javascript,inline_images,recompress_jpeg,recompress_png,resize_images;
pagespeed JpegRecompressionQuality 85;
pagespeed ImageRecompressionQuality 85;
pagespeed ImageInlineMaxBytes 2048;
pagespeed LowercaseHtmlNames on;

STEP 5 (Configuring Nginx as a reverse proxy)

I will say that there are a lot of articles on the Internet for configuring Nginx as a reverse proxy. I will give a trial setting option.

server { 
	listen 80; 
	server_name domain.ru; 
	access_log /var/log/nginx.access_log;
	location ~* \.(jpg|jpeg|gif|png|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|xml|docx|xlsx)$ { 
		root /var/www/users/admin/domain.ru; 
		index index.html index.php; 
		access_log off; 
		expires 30d; 
		error_page 404 = @prox;
	} 
	location @prox{
		proxy_pass 127.0.0.1:8880; 
		proxy_set_header X-Real-IP $remote_addr; 
		proxy_set_header X-Forwarded-for $remote_addr; 
		proxy_set_header Host $host; 
		proxy_connect_timeout 60; 
		proxy_send_timeout 90; 
		proxy_read_timeout 90; 
		proxy_redirect off; 
		proxy_set_header Connection close; 
		proxy_pass_header Content-Type; 
		proxy_pass_header Content-Disposition; 
		proxy_pass_header Content-Length;
	}
	location ~ /\.ht { 
		deny all; 
	} 
	location / { 
		proxy_pass 127.0.0.1:8880; 
		proxy_set_header X-Real-IP $remote_addr; 
		proxy_set_header X-Forwarded-for $remote_addr; 
		proxy_set_header Host $host; 
		proxy_connect_timeout 60; 
		proxy_send_timeout 90; 
		proxy_read_timeout 90; 
		proxy_redirect off; 
		proxy_set_header Connection close; 
		proxy_pass_header Content-Type; 
		proxy_pass_header Content-Disposition; 
		proxy_pass_header Content-Length; 
	} 
}