Install PHP-FPM (FastCGI) and NGINX

# Web server, the PHP-FPM service and the PHP extensions used by the site.
dnf install \
  nginx \
  php-fpm php \
  php-mysqlnd php-curl php-gd php-xml php-mbstring php-zip php-intl php-bcmath

# Start both services now and register them to start on every boot.
systemctl enable --now php-fpm nginx

SELinux

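# audit2allow converts every php-fpm denial found in the audit log into an
# allow rule, whatever triggered it. Read the generated .te file before loading
# the module; where a rule is broader than the site needs, fix the file label
# or use a specific boolean instead of loading it.
ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
cat my-phpfpm.te
semodule -i my-phpfpm.pp
# httpd_unified makes httpd handle all of its content types the same way, which
# removes the separation between read-only, writable and script content.
# NOTE(review): enable only if the site does not work with correct labels.
setsebool -P httpd_unified 1

# Same procedure for denials logged against nginx: generate, review, then load.
ausearch -c 'nginx' --raw | audit2allow -M my-nginx
cat my-nginx.te
semodule -i my-nginx.pp
systemctl restart nginx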

# Each boolean below widens what the confined web-server domain may do, and -P
# makes the change persistent across reboots. Enable only the ones the site
# actually needs.

# Intended for hosts that use NIS; it relaxes network port restrictions for
# many confined domains, not only the web server.
# NOTE(review): confirm this is required before enabling it.
setsebool -P nis_enabled 1
# Lets httpd act as a relay (forward/reverse proxy) to other servers.
setsebool -P httpd_can_network_relay 1
# Lets httpd connect to port 80 so it can shut down gracefully.
setsebool -P httpd_graceful_shutdown 1
# Lets httpd scripts and modules open outbound TCP connections
# (for example to a remote database or API).
setsebool -P httpd_can_network_connect 1
# Lets httpd read user content, i.e. files under home directories.
setsebool -P httpd_read_user_content 1

# Restart both services after changing the policy.
systemctl restart php-fpm nginx 

Create new website:

New user and project

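# Dedicated account without a login shell; the site's PHP-FPM pool runs as it.
# -U creates the matching user01 group (with -g user01 the command fails when
# that group does not exist yet).
sudo useradd -U -s /bin/false -c "Run with PHP-FPM" -d /home/users/user01 user01
# Document root: the same path the following commands write to.
mkdir -p /home/domain.com
# Temporary smoke test only. phpinfo() prints the PHP configuration, loaded
# modules, environment variables and filesystem paths to anyone who requests
# the page, so delete this file once PHP-FPM is confirmed to work.
echo '<?php phpinfo(); ?>' > /home/domain.com/index.php
# Files belong to the pool user; the nginx group only needs read access.
chown -R user01:nginx /home/domain.com/
chmod 755 /home/domain.com/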

Create new php-fpm pool

New file: /etc/php-fpm.d/domain.com.conf:

; Dedicated pool for domain.com. PHP code for this site runs as user01, not as
; the account used by other pools.
[domain.com]
user = user01
group = user01
; Unix socket that nginx connects to; one socket per pool.
listen = /run/php-fpm/domain.com.sock
; Grants socket access to these accounts through POSIX ACLs. When this is set,
; listen.owner and listen.group are ignored.
listen.acl_users = apache,nginx
; Only meaningful for a TCP listener; it has no effect on the unix socket above.
listen.allowed_clients = 127.0.0.1
; Worker processes are started and stopped on demand within these bounds.
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
; NOTE(review): these log file names carry the "www" prefix; if another pool
; uses the same paths, entries from both sites end up in one file - confirm.
slowlog = /var/log/php-fpm/www-slow.log
; php_admin_* settings cannot be overridden by the application with ini_set().
php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
; php_value settings are defaults that the application may still change.
; NOTE(review): the session and WSDL cache directories are system-wide paths;
; verify that user01 can write to them and whether a per-site directory is
; wanted so that sites do not share session files.
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache

Restart

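# Check the configuration first: a syntax error in the new pool file would
# otherwise stop php-fpm for every pool when the service is restarted.
php-fpm -t && systemctl restart php-fpm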

Create Nginx config:

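# Plain-HTTP virtual host for domain.com that hands PHP requests to the site's
# own PHP-FPM pool.
server {
    listen 80;
    server_name domain.com;
    # Document root created earlier in this guide (index.php is written there).
    root /home/domain.com;
    index index.php index.html index.htm;

    access_log /var/log/nginx/domain.com-access.log;
    error_log  /var/log/nginx/domain.com-error.log error;

    # Serve existing files and directories directly; everything else goes to
    # the front controller with the original query string.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        # Answer 404 when the requested .php file does not exist, so that only
        # real script files under the document root are ever passed to PHP-FPM.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php-fpm/domain.com.sock; # same php-fpm pool
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}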

Restart

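# Validate the configuration before asking the running master to reload it.
nginx -t && nginx -s reload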

Install SSL

Install certbot:

# Enable the EPEL repository first; the certbot packages are installed from it.
dnf install epel-release
# certbot plus its nginx plugin (python3-certbot-nginx); both need Python 3.
dnf install certbot python3-certbot-nginx #require python

Create cert

# Interactive run of certbot's nginx plugin: it requests a certificate for the
# chosen server names and edits the nginx configuration to use it.
# NOTE(review): afterwards confirm that automatic renewal is in place, for
# example with `certbot renew --dry-run`.
certbot --nginx

Then make sure the nginx config has a new server block for port 443 (ssl) that declares the certificate and key, with fastcgi_param HTTPS on; set for PHP requests.

Some commands that can be helpful

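# NOTE(review): chcon expects an SELinux context (or -u/-r/-t), and
# "nginx:nginx" is not one, so this line fails as written. If file ownership
# was meant, the site files are already owned by user01:nginx; making the web
# server account the owner would let it modify the site's code.
chcon -R nginx:nginx /home/domain.com
# Labels the whole tree as writable by the web-server domain. Prefer
# httpd_sys_content_t for code and keep httpd_sys_rw_content_t for the upload
# and cache directories only. chcon labels are lost on a filesystem relabel;
# use `semanage fcontext -a -t ...` followed by `restorecon -Rv` to persist.
chcon -R -t httpd_sys_rw_content_t /home/domain.com
# Lets httpd scripts and modules open outbound TCP connections.
setsebool -P httpd_can_network_connect 1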

Cockpit can also be helpful for debugging SELinux.

