1. Switching the Apache HTTP server to event mode

Since the first days of the distribution, the server has used the prefork MPM.

For obvious performance reasons, we chose to follow the upstream project's recommendations and to use the event MPM by default.

This change is also required to get the full benefit and features of the HTTP/2 protocol via mod_http2.

2. The problem of mod_php

The mod_php module is only supported when the prefork MPM is used.

In the PHP documentation, we can read:

Warning We do not recommend using a threaded MPM in production with Apache 2.

And, indeed, we already have some bug reports about crashes in this configuration.

So it doesn't make sense to keep mod_php by default.

Furthermore, this module has some annoying limitations:

  • integrated in the web server, it shares its memory, which may have some negative security impacts
  • a single version can be loaded

3. Using FastCGI

For many years, we have been working to make PHP execution as flexible as possible, supporting various combinations without configuration changes:

  • httpd + mod_php
  • httpd + php-fpm (when mod_php is disabled or missing and with a running php-fpm server)
  • nginx + php-fpm

The FPM way has become the default recommended configuration for safe PHP execution:

  • support of multiple web servers (httpd, nginx, lighttpd)
  • frontend isolation for security
  • multiple backends
  • micro-services architecture
  • containers (docker)
  • multiple versions of PHP

4. FPM by default

Since Fedora 27, mod_php ZTS (multi-threaded) is still provided, but disabled, so FastCGI is now used by default.

To avoid breaking existing configurations during the distribution upgrade, and to have a working server after installation, we chose to implement some solutions, probably temporary:

  • the php package has an optional dependency on the php-fpm package, so it is now installed by default
  • the httpd service has a dependency on the php-fpm service, so it is started automatically

5. Known issues

5.1. Configuration change

After a configuration change, or after a new extension installation, it is now required to restart the php-fpm service.

5.2. Configuration files

With mod_php, it is common to use the php_value or php_flag directives in the Apache HTTP server configuration or in a .htaccess file.

It is now required to use the php_value or php_flag directives in the FPM pool configuration file, or to use a .user.ini file in the application directory.
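As an added example (not part of the original post), this Python helper rewrites mod_php directives found in an Apache configuration or .htaccess file into the pool-file syntax shown in section 5.5. The function name to_fpm_pool and the sample input are constructed for illustration.

```python
import re
import shlex

# mod_php's Apache directives; Apache directive names are case-insensitive.
DIRECTIVE = re.compile(r"^\s*(php_(?:admin_)?(?:value|flag))\s+(.+?)\s*$", re.I)

# Constructed sample input: an httpd.conf fragment as written for mod_php.
SAMPLE = '''
<Directory "/var/www/app">
    # php_value memory_limit 64M
    php_value memory_limit 256M
    PHP_Flag display_errors Off
    php_admin_value open_basedir "/var/www/app:/tmp"
    php_value session.save_path "/var/lib/php/my sessions"
</Directory>
'''

def to_fpm_pool(apache_text):
    """Rewrite mod_php directives as FPM pool lines: kind[name] = value."""
    pool = []
    for lineno, line in enumerate(apache_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comment, blank line, or unrelated Apache directive
        kind = m.group(1).lower()
        args = shlex.split(m.group(2))  # strips Apache-style double quotes
        if len(args) != 2:
            raise ValueError(f"line {lineno}: expected 'name value': {line.strip()!r}")
        name, value = args
        # The pool file is INI syntax where ';' starts a comment, so quote
        # values containing ';' or whitespace to keep them one literal string.
        if re.search(r"[\s;]", value):
            value = f'"{value}"'
        pool.append(f"{kind}[{name}] = {value}")
    return pool

if __name__ == "__main__":
    print("\n".join(to_fpm_pool(SAMPLE)))
```

The resulting lines go in the pool configuration file, and the php-fpm service must be restarted afterwards, as noted in section 5.1.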

5.3. Users

By default, httpd and php-fpm run using the apache account. If you need to change it for httpd, you also have to change the default pool configuration in /etc/php-fpm.d/www.conf:

user = foo
listen.acl_users = foo

5.4. timeout and max_execution_time

If you have to increase the max_execution_time value in PHP for a few long running scripts, you also have to increase the timeout configuration on the web server side:

ProxyTimeout 3000

5.5. error_log

PHP errors are now logged to the path configured in the FPM pool:

php_admin_value[error_log] = /var/log/php-fpm/www-error.log

6. Switching back to mod_php

If you really want to keep using mod_php (temporarily), this is still possible, in either of the following ways:

  • Switch back to prefork MPM in the /etc/httpd/conf.modules.d/00-mpm.conf file
 LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
 #LoadModule mpm_worker_module modules/mod_mpm_worker.so
 #LoadModule mpm_event_module modules/mod_mpm_event.so
  • Enable the module in the /etc/httpd/conf.modules.d/15-php.conf file. Warning: this configuration will not be supported, and no bug reports will be accepted.
 # ZTS module is not supported, so FPM is preferred
 LoadModule php7_module modules/libphp7-zts.so

After this change, the php-fpm package can be removed.

7. Conclusion

Fedora 27 now uses a modern configuration, matching the upstream projects' recommendations. Security and performance are improved.

Any change may raise some small issues, and a lot of gnashing of teeth, but we will try to take care of any difficulties, and to improve what needs improving in the next updates, or in the next Fedora versions.

I plan to update this entry according to feedback.