From ac7b87133f56d8f338d80e9a6880c80b676ab779 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Thu, 23 Jul 2020 21:00:55 +0100 Subject: [PATCH] Use separate FPM pools for donate and dmca sites --- cookbooks/dmca/recipes/default.rb | 7 ++++++- cookbooks/dmca/templates/default/apache.erb | 6 ++++-- cookbooks/donate/recipes/default.rb | 7 ++++++- cookbooks/donate/templates/default/apache.erb | 8 +++++--- 4 files changed, 21 insertions(+), 7 deletions(-) diff --git a/cookbooks/dmca/recipes/default.rb b/cookbooks/dmca/recipes/default.rb index 30ab6d9ab..765750485 100644 --- a/cookbooks/dmca/recipes/default.rb +++ b/cookbooks/dmca/recipes/default.rb @@ -18,7 +18,7 @@ # include_recipe "apache" -include_recipe "php::apache" +include_recipe "php::fpm" directory "/srv/dmca.openstreetmap.org" do owner "root" @@ -41,6 +41,11 @@ ssl_certificate "dmca.openstreetmap.org" do notifies :reload, "service[apache2]" end +php_fpm "dmca.openstreetmap.org" do + php_admin_values "open_basedir" => "/srv/dmca.openstreetmap.org/html/:/usr/share/php/:/tmp/", + "disable_functions" => "exec,shell_exec,system,passthru,popen,proc_open" +end + apache_site "dmca.openstreetmap.org" do template "apache.erb" directory "/srv/dmca.openstreetmap.org" diff --git a/cookbooks/dmca/templates/default/apache.erb b/cookbooks/dmca/templates/default/apache.erb index 373c63af2..672a1be3e 100644 --- a/cookbooks/dmca/templates/default/apache.erb +++ b/cookbooks/dmca/templates/default/apache.erb @@ -47,10 +47,12 @@ DocumentRoot <%= @directory %>/html Options -Indexes - - ProxyFCGISetEnvIf "true" PHP_ADMIN_VALUE "open_basedir=<%= @directory %>/html/:/usr/share/php/:/tmp/\ndisable_functions=exec,shell_exec,system,passthru,popen" /html> Require all granted + + + SetHandler "proxy:unix:/run/php/<%= @name %>.sock|fcgi://127.0.0.1" + diff --git a/cookbooks/donate/recipes/default.rb b/cookbooks/donate/recipes/default.rb index ca38efbb1..9d08b478b 100644 --- a/cookbooks/donate/recipes/default.rb 
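Review bot: The `open_basedir` value in the new `php_fpm "dmca.openstreetmap.org"` block still lists the shared `/tmp/`, so the dmca and donate pools keep one writable directory in common even though the commit sets out to separate them; the `php_fpm` block added in cookbooks/donate/recipes/default.rb has the same entry. If the `php_fpm` resource passes further admin values through (its definition is not visible here), a per-site directory would close that gap, for example `"upload_tmp_dir" => "/srv/dmca.openstreetmap.org/tmp/"` (constructed path) with that path replacing `/tmp/` in `open_basedir`. `disable_functions` is a denylist and this one does not cover `pcntl_exec`, so a comment above the hash such as `# denylist only: hardening layer, not the isolation boundary` would record its limits. Whether each pool runs under its own account cannot be seen from this hunk and is worth confirming, because with a shared account `open_basedir` is the only barrier between the two sites' files.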
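Review bot: The added `SetHandler "proxy:unix:/run/php/<%= @name %>.sock|fcgi://127.0.0.1"` hands every request whose name matches the enclosing pattern to the FPM pool without first checking that the script exists on disk. The enclosing block's opening and closing tags are not visible on this page, so its scope is inferred; if it sits at virtual-host level it also applies to paths outside `<%= @directory %>/html`. Wrapping the handler in `<If "-f %{REQUEST_FILENAME}">` and `</If>` lets Apache answer 404 for missing files itself instead of forwarding the path to PHP. The same handler line is added in cookbooks/donate/templates/default/apache.erb.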
+++ b/cookbooks/donate/recipes/default.rb @@ -21,7 +21,7 @@ include_recipe "accounts" include_recipe "apache" include_recipe "git" include_recipe "mysql" -include_recipe "php::apache" +include_recipe "php::fpm" package %w[ php-cli @@ -78,6 +78,11 @@ ssl_certificate "donate.openstreetmap.org" do notifies :reload, "service[apache2]" end +php_fpm "donate.openstreetmap.org" do + php_admin_values "open_basedir" => "/srv/donate.openstreetmap.org/:/usr/share/php/:/tmp/", + "disable_functions" => "exec,shell_exec,system,passthru,popen,proc_open" +end + apache_site "donate.openstreetmap.org" do template "apache.erb" end diff --git a/cookbooks/donate/templates/default/apache.erb b/cookbooks/donate/templates/default/apache.erb index 2b3c2f18f..329dc12bd 100644 --- a/cookbooks/donate/templates/default/apache.erb +++ b/cookbooks/donate/templates/default/apache.erb @@ -27,8 +27,6 @@ DocumentRoot /srv/donate.openstreetmap.org - ProxyFCGISetEnvIf "true" PHP_ADMIN_VALUE "open_basedir=/srv/donate.openstreetmap.org/:/usr/share/php/:/tmp/\ndisable_functions=exec,shell_exec,system,passthru,popen" - # Alias Dynamic Content to data folder to avoid serving dummy git content Alias /donors-eur.csv /srv/donate.openstreetmap.org/data/donors-eur.csv Alias /donors.csv /srv/donate.openstreetmap.org/data/donors.csv @@ -41,7 +39,11 @@ Redirect permanent /server2015 https://donate.openstreetmap.org/ - Require all granted + Require all granted + + + SetHandler "proxy:unix:/run/php/donate.openstreetmap.org.sock|fcgi://127.0.0.1" + -- 2.43.2
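Review bot: The socket path in the added `SetHandler "proxy:unix:/run/php/donate.openstreetmap.org.sock|fcgi://127.0.0.1"` is written out literally, while the dmca template in this same commit builds it from `<%= @name %>`. The literal has to stay identical to the name of the `php_fpm` resource in the donate recipe, and renaming one without the other would leave PHP requests pointing at a socket that no pool owns. Assuming `@name` is set for this template as it is for dmca's (not visible here), `SetHandler "proxy:unix:/run/php/<%= @name %>.sock|fcgi://127.0.0.1"` keeps the two in step.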