OAMP – Apache using FastCGI Process Manager on OpenBSD

Once upon a time, there was a way to run PHP with Apache on OpenBSD using the php-*-ap2 package. At that time, OpenBSD shipped with a home-patched Apache 1.3 and provided Apache 2.x as a package. Since then, Apache 1.x has been dropped from base and replaced with httpd(8), and ports gave the opportunity to run either Apache 1.x or Apache 2.x. This is when PHP packages and Apache 2.x became quite a pain in the ass to use. Thanks to the ports, one could deal with it, but binary PHP packages are not built this way. One way to get PHP and Apache working together is to use FastCGI. Here’s how to run the OAMP 6.0.

Installing PHP

The php package comes with built-in fastcgi support.

# pkg_add php
(...)
php-5.6.23p0:femail-1.0p1: ok
php-5.6.23p0:femail-chroot-1.0p2: ok
php-5.6.23p0: ok
The following new rcscripts were installed: /etc/rc.d/php56_fpm
See rcctl(8) for details.
Look in /usr/local/share/doc/pkg-readmes for extra documentation.

# rcctl enable php56_fpm

I like to use syslog rather than a log file. I also use loopback ports rather than a socket to deal with chroot issues.

# vi /etc/php-fpm.conf
(...)
error_log = "syslog"
(...)
listen = 127.0.0.1:9000
(...)
chroot = /var/www
(...)
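
A check of the settings above, as an added example (not part of the original post): it reads a php-fpm.conf and fails if the FastCGI listener is reachable from other hosts or the pool has no chroot. The function names and messages are assumptions for illustration, and the sample configuration is constructed from the three lines shown on this page.

```sh
#!/bin/sh
# Added example: audit a php-fpm.conf for the listen/chroot choices made above.
# Function names and messages are illustrative assumptions.

# Print the last uncommented value of KEY in FILE, without surrounding quotes.
fpm_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | tail -n 1
}

# Return 0 when the FastCGI listener is local-only and a chroot is set.
audit_fpm() {
    conf=$1
    rc=0
    listen=$(fpm_value "$conf" listen)
    chroot=$(fpm_value "$conf" chroot)
    case $listen in
        127.*:*|'[::1]':*) echo "ok: listen=$listen (loopback TCP)" ;;
        /*) echo "ok: listen=$listen (unix socket)" ;;
        '') echo "FAIL: no listen directive found"; rc=1 ;;
        *) echo "FAIL: listen=$listen accepts non-local clients"; rc=1 ;;
    esac
    case $chroot in
        /?*) echo "ok: chroot=$chroot" ;;
        *) echo "FAIL: pool is not chrooted"; rc=1 ;;
    esac
    echo "info: error_log=$(fpm_value "$conf" error_log)"
    return $rc
}

# Constructed sample: the three settings from this page plus a commented default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
error_log = "syslog"
;listen = /var/run/php-fpm.sock
listen = 127.0.0.1:9000
chroot = /var/www
EOF
audit_fpm "$sample"
rm -f "$sample"
```

A bare port such as `listen = 9000` binds every address, which is why it lands in the FAIL branch.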

Start and test the daemon:

# rcctl start php56_fpm

# SCRIPT_NAME=/status SCRIPT_FILENAME=/status REQUEST_METHOD=GET \
  cgi-fcgi -bind -connect 127.0.0.1:9000
X-Powered-By: PHP/5.6.23
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Content-type: text/plain;charset=UTF-8

pool:                 www
process manager:      dynamic
start time:           25/Nov/2016:09:17:26 +0100
(...)

In OAMP, there are a few default PHP modules that are expected to be installed.

# pkg_add php-bz2 php-mcrypt php-mysqli php-zip
# for MOD in bz2 mcrypt mysqli opcache zip; do \
  ln -s /etc/php-5.6.sample/$MOD.ini /etc/php-5.6/; done
# rcctl restart php56_fpm
php56_fpm(ok)
php56_fpm(ok)

The Apache Web server

Installation is no big deal:

# pkg_add apache-httpd
quirks-2.241 signed on 2016-07-26T16:56:10Z
apache-httpd-2.4.23:nghttp2-1.12.0: ok
apache-httpd-2.4.23:db-4.6.21p3v0: ok
apache-httpd-2.4.23:apr-1.5.2: ok
apache-httpd-2.4.23:apr-util-1.5.4p1: ok
apache-httpd-2.4.23:apache-httpd-common-2.4.23: ok
apache-httpd-2.4.23: ok
(...)
# rcctl enable apache2

The magical part lies in the httpd.conf:

# vi /etc/apache2/httpd.conf
(...)
LoadModule proxy_module /usr/local/lib/apache2/mod_proxy.so
LoadModule proxy_fcgi_module /usr/local/lib/apache2/mod_proxy_fcgi.so
(...)
<IfModule proxy_fcgi_module>
  <FilesMatch "\.php$">
    SetHandler "proxy:fcgi://127.0.0.1:9000"
  </FilesMatch>
</IfModule>
(...)

A last rcctl start apache2 and PHP is now enabled from the Wild Wild Web!

The DB server

OpenBSD doesn’t provide Oracle MySQL. It provides MariaDB which is better, faster, stronger and (mostly) compatible with MySQL. So be it.

# pkg_add mariadb-server
(...)
# rcctl enable mysqld

To ensure proper performance and system protection, don’t run it under the standard daemon login class; give it its own class:

# vi /etc/login.conf
(...)
mysqld:\
        :openfiles-cur=1024:\
        :openfiles-max=2048:\
        :tc=daemon:

# [ -f /etc/login.conf.db ] && cap_mkdb /etc/login.conf
# usermod -L mysqld _mysql

Install and run through the initial configuration steps.

# /usr/local/bin/mysql_install_db
# rcctl start mysqld
mysqld(ok)
# '/usr/local/bin/mysqladmin' -u root password 'secret'
# /usr/local/bin/mysql_secure_installation

To be able to use the SQL server from the Web server chroot, there are a few remaining steps.

# install -d -m 0711 -o _mysql -g _mysql /var/www/run/mysql

# diff -u1 /usr/local/share/examples/mysql/my-medium.cnf /etc/my.cnf
--- /usr/local/share/examples/mysql/my-medium.cnf       Tue Jul 26 00:36:18 2016
+++ /etc/my.cnf Mon Nov 28 10:11:23 2016
@@ -22,3 +22,3 @@
 port           = 3306
-socket         = /var/run/mysql/mysql.sock
+socket         = /var/www/run/mysql/mysql.sock

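Review bot: the new socket path /var/www/run/mysql/mysql.sock is the path as seen from outside the web chroot, and nothing next to this change says what PHP has to use. With `chroot = /var/www` set for php-fpm earlier on the page, PHP sees the same socket as /run/mysql/mysql.sock, so the PHP-side setting (for example mysqli.default_socket) needs the chroot-relative path. Suggest stating that alongside this edit.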
@@ -29,3 +29,3 @@
 port           = 3306
-socket         = /var/run/mysql/mysql.sock
+socket         = /var/www/run/mysql/mysql.sock
# Default is to listen on :: (IPv6 only).
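Review bot: `port = 3306` stays as unchanged context in this hunk and the trailing comment says the default is to listen on ::, so moving the socket into the chroot does not stop mysqld from accepting TCP connections. If the chrooted PHP on this host is the only client, set the bind address under that comment to loopback or add skip-networking, and mention it in the write-up.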

# rcctl restart mysqld
mysqld(ok)
mysqld(ok)

Done!