
Massive update in php configuration: add apc config, add/improve apache2/nginx vhosts for pma and various php tools

Emmanuel Bouthenot 11 gadi atpakaļ
vecāks
revīzija
8349623924

+ 37 - 0
group_vars/webserver

@@ -4,8 +4,45 @@
 
 with_apache2: False
 with_apache2_modphp5: False
+
 with_nginx: False
+# nginx_workers ~= $(getconf _NPROCESSORS_ONLN)
+nginx_workers: 2
+
 with_fpm: False
 fpm_pool_count: 1
+fpm_user: www-data
+fpm_group: www-data
+# fpm_max_children ~= (total RAM - RAM used by other process) / (average amount of RAM used by a PHP process)
+fpm_max_children: 42
+fpm_min_spare_servers: 10
+fpm_max_spare_servers: 20
+
+with_php: False
+phpsyscheck_vhostname: sys.localhost
+php_config:
+  - key: short_open_tag
+    value: off
+  - key: expose_php
+    value: off
+  - key: display_errors
+    value : off
+  - key: display_startup_errors
+    value: off
+  - key: log_errors
+    value: on
+  - key: html_errors
+    value: off
+  - key: cgi.fix_pathinfo
+    value: 0
+  - key: error_log
+    value: syslog
+  - key: date.timezone
+    value: Europe/Paris
+
+with_php_apc: False
+
+with_phpmyadmin: False
+phpmyadmin_vhostname: pma.localhost
 
 # vim: ft=yaml
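Review bot: The `off`/`on` values in the new php_config list are unquoted, and under the YAML 1.1 rules PyYAML applies they load as booleans, so php-config.ini.j2 renders them as `False`/`True` instead of `off`/`on`; PHP's ini scanner is probably lenient about the capitalised spelling, but the intent is lost and a stricter consumer would break. Quote them as strings, `value: 'off'` and `value: 'on'`, and drop the stray space in `value : off` on the display_errors entry so the list reads uniformly. The pool configuration this list replaces also pinned `memory_limit` and `max_execution_time`; neither appears here, so PHP's defaults apply unless another file sets them, which deserves a comment if it is intended.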

+ 26 - 7
roles/webserver/tasks/apache2.yml

@@ -9,17 +9,36 @@
   when_boolean: ${with_apache2}
 
 - name: Install mod_php5 packages for apache2
-  action: ${ansible_pkg_mgr} pkg=apache2 state=installed update_cache=yes
+  action: ${ansible_pkg_mgr} pkg=libapache2-mod-php5 state=installed update_cache=yes
   when_boolean: ${with_apache2} and ${with_apache2_modphp5}
 
-- name: Install php5 basic security configuration
-  action: template dest=/etc/php5/apache2/conf.d/security-local.ini owner=root group=root mode=0644
-  first_available_file:
-    - apache2/php5/security-local.${ansible_hostname}.ini.j2
-    - apache2/php5/security-local.ini.j2
+- name: Create basic authentication file for admin (apache2)
+  action: template src=apache2/auth_admin.j2 dest=/etc/apache2/auth_admin owner=root group=www-data mode=0640
+  when_boolean: ${with_apache2}
+
+- name: Install PHPMyAdmin virtual host for apache2 (sites-available)
+  action: template src=apache2/pma_vhost.j2 dest=/etc/apache2/sites-available/pma owner=root group=root mode=0644
   notify:
     - Reload apache2
-  when_boolean: ${with_apache2} and ${with_apache2_modphp5}
+  when_boolean: ${with_phpmyadmin} and ${with_apache2}
+
+- name: Install PHPMyAdmin virtual host for apache2 (sites-enabled)
+  action: file src=/etc/apache2/sites-available/pma path=/etc/apache2/sites-enabled/pma state=link
+  notify:
+    - Reload apache2
+  when_boolean: ${with_phpmyadmin} and ${with_apache2}
+
+- name: Install PHP system checks virtual host for apache2 (sites-available)
+  action: template src=apache2/sys_vhost.j2 dest=/etc/apache2/sites-available/sys owner=root group=root mode=0644
+  notify:
+    - Reload apache2
+  when_boolean: ${with_php} and ${with_apache2}
+
+- name: Install PHP system checks virtual host for apache2 (sites-enabled)
+  action: file src=/etc/apache2/sites-available/sys path=/etc/apache2/sites-enabled/sys state=link
+  notify:
+    - Reload apache2
+  when_boolean: ${with_php} and ${with_apache2}
 
 - name: Ensure apache2 is running
   action: service name=apache2 state=started
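Review bot: The task that installed `/etc/php5/apache2/conf.d/security-local.ini` is removed, but nothing deletes that file from hosts provisioned before this commit, so the old mod_php-only settings keep applying next to the new `99-local-config.ini` and the two can disagree silently. Add a cleanup task where the old one stood: `- name: Remove obsolete php5 security configuration` / `action: file path=/etc/php5/apache2/conf.d/security-local.ini state=absent` / `notify: - Reload apache2`, guarded by the same `when_boolean`. The sites-enabled symlink tasks only ever create the link, so a host where `with_phpmyadmin` is later set back to False keeps serving phpMyAdmin; a matching `state=absent` task would let the role converge in both directions (nginx.yml has the same shape).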

+ 1 - 0
roles/webserver/tasks/main.yml

@@ -1,3 +1,4 @@
 - include: apache2.yml
 - include: nginx.yml
 - include: fpm.yml
+- include: php.yml

+ 28 - 0
roles/webserver/tasks/nginx.yml

@@ -33,6 +33,34 @@
     - Reload nginx
   when_boolean: ${with_nginx}
 
+- name: Create basic authentication file for admin (nginx)
+  action: template src=nginx/auth_admin.j2 dest=/etc/nginx/auth_admin owner=root group=www-data mode=0640
+  when_boolean: ${with_nginx}
+
+- name: Install PHPMyAdmin virtual host for nginx (sites-available)
+  action: template src=nginx/pma_vhost.j2 dest=/etc/nginx/sites-available/pma owner=root group=root mode=0644
+  notify:
+    - Reload nginx
+  when_boolean: ${with_phpmyadmin} and ${with_nginx}
+
+- name: Install PHPMyAdmin virtual host for nginx (sites-enabled)
+  action: file src=/etc/nginx/sites-available/pma path=/etc/nginx/sites-enabled/pma state=link
+  notify:
+    - Reload nginx
+  when_boolean: ${with_phpmyadmin} and ${with_nginx}
+
+- name: Install PHP system checks virtual host for nginx (sites-available)
+  action: template src=nginx/sys_vhost.j2 dest=/etc/nginx/sites-available/sys owner=root group=root mode=0644
+  notify:
+    - Reload nginx
+  when_boolean: ${with_php} and ${with_nginx}
+
+- name: Install PHP system checks virtual host for nginx (sites-enabled)
+  action: file src=/etc/nginx/sites-available/sys path=/etc/nginx/sites-enabled/sys state=link
+  notify:
+    - Reload nginx
+  when_boolean: ${with_php} and ${with_nginx}
+
 - name: Ensure nginx is running
   action: service name=nginx state=started
   when_boolean: ${with_nginx}
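Review bot: The two `state=link` tasks enable the pma and sys vhosts but no task disables them, so once `with_phpmyadmin` or `with_php` is turned off on a host the admin tool stays reachable; apache2.yml has the same gap. A companion task such as `action: file path=/etc/nginx/sites-enabled/pma state=absent` guarded by the negated flag would fix it; whether `when_boolean` accepts `not ${with_phpmyadmin}` in the Ansible release this role targets should be checked, since only `and` expressions appear on this page. The auth_admin file with owner root, group www-data and mode 0640 is the right scope for nginx to read the hashes without exposing them to other users.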

+ 37 - 0
roles/webserver/tasks/php.yml

@@ -0,0 +1,37 @@
+- name: Install common PHP dependencies
+  action: ${ansible_pkg_mgr} pkg=${item} state=installed update_cache=yes
+  with_items:
+    - php-mime-type
+    - php5-cli
+    - php5-gd
+    - php5-intl
+    - php5-mcrypt
+  when_boolean: ${with_php}
+
+- name: Instal local PHP configuration
+  action: template src=php/php-config.ini.j2 dest=/etc/php5/conf.d/99-local-config.ini owner=root group=root mode=0644
+  when_boolean: ${with_php}
+
+- name: Create system checks directory /etc/php5/syscheck.d
+  action: file path=/etc/php5/syscheck.d owner=root group=root mode=0755 state=directory
+  when_boolean: ${with_php}
+
+- name: Install phpinfo system check
+  action: template src=php/phpinfo.php dest=/etc/php5/syscheck.d/index.php owner=root group=root mode=0644
+  when_boolean: ${with_php}
+
+- name: Install PHP APC extension
+  action: ${ansible_pkg_mgr} pkg=php-apc state=installed update_cache=yes
+  when_boolean: ${with_php_apc}
+
+- name: Install php-apc system check
+  action: template src=php/apc.php dest=/etc/php5/syscheck.d/apc.php owner=root group=root mode=0644
+  when_boolean: ${with_php_apc}
+
+- name: Install MySQL extension for PHP
+  action: ${ansible_pkg_mgr} pkg=php5-mysqlnd state=installed update_cache=yes
+  when_boolean: ${with_mysql} and ${with_php}
+
+- name: Install PHPMyAdmin
+  action: ${ansible_pkg_mgr} pkg=phpmyadmin state=installed update_cache=yes
+  when_boolean: ${with_phpmyadmin}
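Review bot: The `Instal local PHP configuration` task has no `notify`, so an edited `99-local-config.ini` is written to disk but running mod_php and FPM workers keep the old values until something else restarts them; the task it replaces in apache2.yml notified `Reload apache2`. Add `notify:` / `- Reload apache2` (plus the FPM restart handler if the role defines one, which this page does not show) with the existing `when_boolean: ${with_php}` guard. Nit: the task name reads `Instal`. `Install PHPMyAdmin` is keyed only on `with_phpmyadmin` while its vhosts also require a web-server flag; since the Debian phpmyadmin package may pull in its own PHP stack, also requiring `with_php` keeps a single source of truth for the PHP install.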

+ 26 - 0
roles/webserver/templates/apache2/pma_vhost.j2

@@ -0,0 +1,26 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# Apache vhost for phpmyadmin
+
+<VirtualHost *:80>
+    ServerName {{ phpmyadmin_vhostname }}
+
+    DocumentRoot /usr/share/phpmyadmin
+    DirectoryIndex index.php
+
+    <Location />
+        AuthType basic
+        AuthName "Restricted Access"
+        AuthUserFile /etc/apache2/auth_admin
+        Require valid-user
+    </Location>
+
+    Include /etc/phpmyadmin/apache.conf
+
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/pma.access.log combined
+    ErrorLog ${APACHE_LOG_DIR}/pma.error.log
+
+</VirtualHost>
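Review bot: The vhost listens on `*:80` only, so the basic-auth credentials and every phpMyAdmin request, including the MySQL login it relays, travel in clear text, and the `<Location />` block is the only gate and is reachable from any address. Either terminate TLS for this name (a `*:443` vhost with `SSLEngine on` and certificate paths, which the role does not yet manage) or at least confine the location with `Order deny,allow` / `Deny from all` / `Allow from <admin-network-cidr>` ahead of the Require line. The same layout is repeated in sys_vhost.j2 for the phpinfo page, which needs the same treatment.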

+ 31 - 0
roles/webserver/templates/apache2/sys_vhost.j2

@@ -0,0 +1,31 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# Apache vhost for PHP system checks
+
+<VirtualHost *:80>
+    ServerName {{ phpsyscheck_vhostname }}
+
+    DocumentRoot /etc/php5/syscheck.d
+    DirectoryIndex index.php
+
+    <Location />
+        AuthType basic
+        AuthName "Restricted Access"
+        AuthUserFile /etc/apache2/auth_admin
+        Require valid-user
+    </Location>
+
+    <Directory /etc/php5/syscheck.d>
+        Options None
+        AllowOverride None
+        Order allow,deny
+        Allow from all
+    </Directory>
+
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/sys.access.log combined
+    ErrorLog ${APACHE_LOG_DIR}/sys.error.log
+
+</VirtualHost>

+ 7 - 18
roles/webserver/templates/fpm/php-fpm-custom.conf.j2

@@ -130,8 +130,8 @@ events.mechanism = epoll
 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ;       will be used.
-user = www-data
-group = www-data
+user = {{ fpm_user }}
+group = {{ fpm_group }}
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -199,22 +199,22 @@ pm = dynamic
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
-pm.max_children = 50
+pm.max_children = {{ fpm_max_children }}
 
 ; The number of child processes created on startup.
 ; Note: Used only when pm is set to 'dynamic'
 ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 15
+; pm.start_servers =
 
 ; The desired minimum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 5
+pm.min_spare_servers = {{ fpm_min_spare_servers }}
 
 ; The desired maximum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 30
+pm.max_spare_servers = {{ fpm_max_spare_servers }}
 
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
@@ -225,7 +225,7 @@ pm.max_spare_servers = 30
 ; This can be useful to work around memory leaks in 3rd party libraries. For
 ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
 ; Default Value: 0
-pm.max_requests = 100
+pm.max_requests = 200
 
 ; The URI to view the FPM status page. If this value is not set, no URI will be
 ; recognized as a status page. It shows the following informations:
@@ -494,17 +494,6 @@ catch_workers_output = yes
 ;php_admin_value[error_log] = /var/log/fpm-php.www.log
 ;php_admin_flag[log_errors] = on
 ;php_admin_value[memory_limit] = 32M
-php_admin_value[cgi.fix_pathinfo] = 0
-php_admin_flag[short_open_tag] = off
-php_admin_flag[expose_php] = off
-php_admin_value[max_execution_time] = 30
-php_admin_value[memory_limit] = 32M
-php_admin_flag[display_errors] = off
-php_admin_flag[display_startup_errors] = on
-php_admin_flag[log_errors] = on
-php_admin_flag[html_errors] = off
-php_admin_value[error_log] = syslog
-php_admin_value[date.timezone] = Europe/Paris
 
 {% endfor %}
 
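Review bot: The last hunk drops the per-pool `php_admin_value`/`php_admin_flag` entries and their replacements in php-config.ini.j2 are plain ini settings, which is weaker: `php_admin_*` values cannot be changed by a script, whereas `display_errors`, `log_errors` or `error_log` set in `99-local-config.ini` can be flipped back by any application through `ini_set()` or a `.user.ini`. Keeping the hardening entries in the pool, e.g. `php_admin_flag[display_errors] = off`, or rendering the php_config list inside the pool loop as `php_admin_*` lines, preserves the previous guarantee. `memory_limit = 32M` and `max_execution_time = 30` also leave the pool and are not in php_config, so PHP's defaults (128M and 30s) apply unless another file sets them; a comment would confirm that is intended. With `fpm_pool_count` above 1 every pool gets the full `fpm_max_children`, so the sizing hint in group_vars is per pool, not per host.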

+ 2 - 2
roles/webserver/templates/nginx/nginx.conf.j2

@@ -15,7 +15,7 @@ user www-data;
 
 # The maximum number of connections for Nginx is calculated by:
 # max_clients = worker_processes * worker_connections
-worker_processes 4;
+worker_processes {{ nginx_workers }};
 
 # Maximum open file descriptors per process;
 # should be > worker_connections.
@@ -25,7 +25,7 @@ events {
     # When you need > 8000 * cpu_cores connections, you start optimizing your OS,
     # and this is probably the point at where you hire people who are smarter than
     # you, as this is *a lot* of requests.
-    worker_connections 8192;
+worker_connections 4096;
     # Event model to use
     use epoll;
 }
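Review bot: The replaced `worker_connections 4096;` line lost its indentation inside the `events { }` block and now sits at column 0 between indented neighbours; it should read `    worker_connections 4096;`. The value also halves from 8192 while the comment above still describes a CPU-scaled budget and the commit message does not mention it, so a one-line comment with the reason, or a variable alongside `nginx_workers`, would keep the template self-explaining.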

+ 24 - 0
roles/webserver/templates/nginx/pma_vhost.j2

@@ -0,0 +1,24 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# Nginx vhost for phpmyadmin
+
+server {
+    server_name {{ phpmyadmin_vhostname }};
+
+    access_log  /var/log/nginx/pma.access.log;
+    error_log   /var/log/nginx/pma.error.log;
+
+    root /usr/share/phpmyadmin;
+    index index.php;
+    try_files $uri $uri/ /index.php;
+
+    auth_basic "Restricted Access";
+    auth_basic_user_file /etc/nginx/auth_admin;
+
+    location ~ \.php$ {
+        include fastcgi_pass_fpm;
+    }
+}
+
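Review bot: The server block has no `listen` directive, so it serves on port 80 only and the `auth_basic` credentials plus every phpMyAdmin session (and the MySQL password entered through it) cross the network in clear text, reachable from any address; sys_vhost.j2 has the same shape for the phpinfo page. Put `allow <admin-network-cidr>;` / `deny all;` ahead of `auth_basic` to confine both vhosts to the administration range, or add a `listen 443 ssl;` listener once the role manages certificates. The `location ~ \.php$` block includes a `fastcgi_pass_fpm` snippet that is not part of this commit, so the vhost presupposes that file is already on the host. The trailing empty line at the end of the file is a nit.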

+ 23 - 0
roles/webserver/templates/nginx/sys_vhost.j2

@@ -0,0 +1,23 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+# Nginx vhost for PHP system checks
+
+server {
+    server_name {{ phpsyscheck_vhostname }};
+
+    access_log  /var/log/nginx/sys.access.log;
+    error_log   /var/log/nginx/sys.error.log;
+
+    root /etc/php5/syscheck.d;
+    index index.php;
+    try_files $uri $uri/ /index.php;
+
+    auth_basic "Restricted Access";
+    auth_basic_user_file /etc/nginx/auth_admin;
+
+    location ~ \.php$ {
+        include fastcgi_pass_fpm;
+    }
+}

+ 9 - 0
roles/webserver/templates/php/apc.php

@@ -0,0 +1,9 @@
+<?php
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+
+define('USE_AUTHENTICATION', 0);
+require_once '/usr/share/doc/php-apc/apc.php';
+?>

+ 25 - 0
roles/webserver/templates/php/php-config.ini.j2

@@ -0,0 +1,25 @@
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog(';') }}
+{% endif -%}
+;
+; PHP configuration
+;
+
+{% if php_config is defined %}
+;
+; Main settings
+;
+{% for param in php_config %}
+{{ param.key }} = {{ param.value }}
+{% endfor %}
+{% endif %}
+
+{% if php_local_config is defined %}
+;
+; Thos host overrides
+;
+{% for param in php_local_config %}
+{{ param.key }} = {{ param.value }}
+{% endfor %}
+{% endif %}
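Review bot: The section comment `; Thos host overrides` is a typo; `; Host-local overrides` reads correctly. Values are rendered bare through `{{ param.value }}`, so an entry whose value contains a space, `;` or `=` is mis-parsed by PHP's ini scanner; either state in a header comment that values must be ini-safe or quote the ones that are known to be strings. A header line noting that a file in /etc/php5/conf.d is loaded by every SAPI (mod_php, FPM and CLI alike, where the per-SAPI conf.d still links to it — confirm for the target release) would also help, since the pool `php_admin_*` entries it replaces applied to FPM only.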

+ 8 - 0
roles/webserver/templates/php/phpinfo.php

@@ -0,0 +1,8 @@
+<?php
+{% if ansible_prolog -%}
+{% from 'templates/ansible/prolog.j2' import prolog with context %}
+{{ prolog() }}
+{% endif -%}
+
+phpinfo();
+?>