LAMP (Apache/mod_php)
The LAMP role starts a managed instance of Apache with mod_php (or optionally php-fpm) that can be used to easily run a production-ready PHP application server.
Note
The Apache configured by this role does not bind / open firewall ports to the frontend network automatically. It is not intended to serve applications directly to consumers but should be placed behind a webgateway.
Note
Due to stability issues we only support PHP 8.0 when using FPM instead of mod_php.
Configuration
This role is configured exclusively using NixOS configuration options. It can provide multiple applications by setting up multiple vhosts and you can put the configuration in a single file or distribute it over multiple files depending on your use case.
As a service user, place a file in /etc/local/nixos/myservice.nix. A complete configuration might look something like this:
{ pkgs, ... }:
{
  flyingcircus.roles.lamp = {
    useFPM = true;
    vhosts = [
      { port = 8000;
        docroot = "/srv/s-myserviceuser/application.git/docroot";
      }
    ];
    php = pkgs.lamp_php74;
    apache_conf = ''
      MaxRequestWorkers 5
    '';
    php_ini = ''
      ; max filesize
      upload_max_filesize = 200M
      post_max_size = 200M
      date.timezone = Europe/Berlin
      session.save_handler = redis
      session.save_path = "tcp://myservice01:6379?auth=<secret>"
    '';
  };
}
flyingcircus.roles.lamp.vhost (required)
The vhost configuration allows you to configure multiple applications per VM each running on a separate port. The two options for every vhost thus are:
port
The port number that Apache should listen on for this application. We recommend starting with 8000 and counting up from there.
docroot
The absolute path to the docroot of your application.
flyingcircus.roles.lamp.apache_conf (optional)
Any text written here will be included in the global Apache configuration. Use this to adjust global settings like workers:
MaxRequestWorkers 5
Note that if you distribute your configuration over multiple files then you can repeat this option and the values will be concatenated to a single big Apache config file. They will also always apply to all vhosts.
flyingcircus.roles.lamp.useFPM (optional)
Whether to use mod_php (default) or use a separate php-fpm process per virtual host that improves reliability and security. This also switches Apache to using the event worker model.
This is off by default but will become the default in our 21.11 platform.
flyingcircus.roles.lamp.php (optional)
A reference to a PHP package that will be used in Apache and in the CLI.
Supported packages:
pkgs.lamp_php56 (outdated but provided for legacy applications)
pkgs.lamp_php72 (outdated but provided for legacy applications)
pkgs.lamp_php73
pkgs.lamp_php74
pkgs.lamp_php80
The lamp_php_* packages provided by our platform include commonly used PHP extensions, currently:
bcmath
imagick
redis
memcached
There are more pre-packaged extensions that can be added via Nix code. For example, to add the apcu extension along with the ones provided by lamp_php80, use:
php = pkgs.lamp_php80.withExtensions ({ enabled, all }:
  enabled ++ [
    all.apcu
  ]);
You can also use any custom PHP package from the NixOS universe (if you know what you are doing. ;) )
For more information about PHP packaging on Nix, refer to the PHP section of the Nixpkgs manual.
flyingcircus.roles.lamp.tideways_api_key (optional)
If you have an account with tideways.com then you can quickly enable the tideways profiler for your application by setting the API key here:
flyingcircus.roles.lamp.tideways_api_key = "my-api-key";
flyingcircus.roles.lamp.php_ini (optional)
We deliver a production-tested PHP configuration that you can extend by placing additional configuration instructions in this option:
; max filesize
upload_max_filesize = 200M
post_max_size = 200M
Similar to the flyingcircus.roles.lamp.apache_conf option, the values from all Nix configuration files will be concatenated with our global platform settings and will be applied to all vhosts.
PHP version and modules
We currently provide a single pre-selected version of PHP (7.3) with a fixed set of modules. Please contact our support if you need a different version of PHP and/or further modules.
Interaction
No special interaction is required. Changes to the configuration need to be activated as usual using:
$ sudo fc-manage -b
Network
The Apache server listens on the srv interface only.
Security
Apache runs as a separate user who is a member of the service group and thus can (by default) access files owned by service users. Access is read-only for Apache by default, but you can grant write access for directories by running chmod g+rwsx on the directory.
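Because every directory opened with chmod g+rwsx becomes writable by Apache, it is worth checking that only the intended directories carry the group-write bit. The following script is an added example, not part of the Flying Circus platform or documentation; the function name audit_docroot and the directory names in the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Flying Circus code): report directories below a docroot
# that carry the group-write bit, i.e. the places Apache can modify through
# its membership in the service group.

# audit_docroot DOCROOT [ALLOWED_DIR ...]
#   ALLOWED_DIR is relative to DOCROOT and names a directory that was
#   deliberately opened with `chmod g+rwsx` (subdirectories are covered too).
#   Prints every other group-writable directory and returns 1 if any exist.
audit_docroot() {
    root=$1
    shift
    unexpected=$(
        find "$root" -type d -perm -020 -print | sort |
        while IFS= read -r dir; do
            ok=no
            for allowed in "$@"; do
                case "$dir" in
                    "$root/$allowed" | "$root/$allowed"/*) ok=yes ;;
                esac
            done
            [ "$ok" = yes ] || printf '%s\n' "$dir"
        done
    )
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Constructed demo tree; the directory names are assumptions for illustration.
demo=$(mktemp -d)
mkdir -p "$demo/docroot/uploads/2024" "$demo/docroot/cache" "$demo/docroot/lib"
chmod -R u=rwx,g=rx,o= "$demo/docroot"   # read-only for the group
chmod g+rwsx "$demo/docroot/uploads"     # intended: Apache may write here
chmod g+rwsx "$demo/docroot/lib"         # mistake: code directory opened up

# Only uploads is on the allow-list, so lib is reported.
audit_docroot "$demo/docroot" uploads || echo "review the directories listed above"
rm -rf "$demo"
```

The s in g+rwsx sets the setgid bit on the directory, so files created inside it inherit the directory's group rather than the creating user's primary group.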
Debugging
To assist with debugging we have integrated the Tideways application performance monitoring daemon and PHP module by default.
To enable it, you just have to place your Tideways API key in /etc/local/lamp/php.ini:
$ echo "tideways.api_key=<secretapikey>" >> /etc/local/lamp/php.ini
$ sudo fc-manage -b
Logging
Apache logs are available in /var/log/httpd.
PHP output is accessible through the journal, running journalctl -t php -t httpd.
Monitoring
Our platform monitoring checks that Apache is running (through systemd) and verifies that the Apache status page (mod_status, accessible via curl http://localhost:8001/server-status) is available.