PHP-FPM and SSL on Apache


Darko Gavrilovic

Apr 5, 2017, 1:15:39 PM
to highload-php-en
Hello, we are having trouble trying to get php-fpm on apache to work with SSL sites. Does anyone have a working example of it working?  Below is the setup. 

Server version: Apache/2.4.12 (Unix)
Server built:   Feb  9 2015 14:14:25

PHP 5.5.34 (fpm-fcgi) (built: Mar 29 2016 19:28:14)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2015 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2015, by Zend Technologies

Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_itk_module (shared)
 authn_file_module (shared)
 authn_core_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_user_module (shared)
 authz_core_module (shared)
 access_compat_module (shared)
 auth_basic_module (shared)
 reqtimeout_module (shared)
 filter_module (shared)
 substitute_module (shared)
 sed_module (shared)
 mime_module (shared)
 log_config_module (shared)
 env_module (shared)
 expires_module (shared)
 headers_module (shared)
 setenvif_module (shared)
 version_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 proxy_fcgi_module (shared)
 ssl_module (shared)
 mpm_prefork_module (shared)
 unixd_module (shared)
 status_module (shared)
 autoindex_module (shared)
 dir_module (shared)
 alias_module (shared)
 rewrite_module (shared)

I have confirmed that mod_ssl is enabled on Apache and it's listening on port 443. But it seems what is happening is that it's not finding the vhost and is using the default catch-all config.

With the catch-all config disabled, it's behaving like there is no SSL on the site.

Below is what we see in the logs.

 [05/Apr/2017:11:58:33 -0400] "\x16\x03\x01" 400 226 "-" "-"

The vhost config looks like this. 

<VirtualHost 172.28.100.160:80>
 Redirect permanent / https://172.28.100.160:443
</VirtualHost>

<VirtualHost 172.28.100.160:443>


Define domain_preview mysite.domain.com
Define domain_production mysite.domain.com
Define site_directory mysite.domain.com
Define site_portnumber 10042
Define log_basename mysite.domain.com

## OPTIONAL
Define site_type_override wordpress
#Define security_override
#Define server_www_alias
#Define server_www_alias_redirect_to
#Define server_www_alias_redirect_from


SSLEngine On

SSLCertificateFile /var/www/sites/${site_directory}/ssl/cert.crt
SSLCertificateKeyFile /var/www/sites/${site_directory}/ssl/cert.key
SSLCACertificateFile /var/www/sites/${site_directory}/ssl/cert.bundle

DocumentRoot /var/www/sites/${site_directory}/htdocs

<FilesMatch "\.(cgi|shtml|phtml|php|wt)$">
    SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData +StrictRequire
</FilesMatch>

IncludeOptional vhosts.d/Includes/site_specific/${domain_production}*.conf

AssignUserID www-userid wwwg-nobody
<IfDefine site_type_override>
Include vhosts.d/Includes/type_specific/${site_type_override}/base.inc
</IfDefine>
<IfDefine !site_type_override>
Include vhosts.d/Includes/base.inc
</IfDefine>

SetHandler "proxy:unix:/tmp/php-fpm-${site_portnumber}-socket.sock|fcgi://localhost/"

FilterDeclare SITEPREVIEW
FilterProvider SITEPREVIEW SUBSTITUTE "%{CONTENT_TYPE} =~ m#^text/(html|css|plain|xml|x-component|javascript)#i"
FilterProvider SITEPREVIEW SUBSTITUTE "%{CONTENT_TYPE} =~ m#^application/(javascript|json|xml|xhtml+xml|rss+xml)#i"
FilterChain SITEPREVIEW

## Rewrite only certain links on settings page
Substitute "s|https://${domain_production}|https://${domain_preview}|ni"
## Add tag to denote that the page is from the development server(s)
Substitute "s|<head>|<head><!--  development site -->|ni"

#ProxyPassReverseCookieDomain ${domain_production} ${domain_preview}

#Header edit Location ^https://${domain_production} https://${domain_preview}

LogLevel debug
CustomLog /var/www/sites/mysite.domain.com/logs/mysite.domain.com-access_log combined

</VirtualHost>
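The `"\x16\x03\x01"` request in the log above is the first three bytes of a TLS record (0x16 = handshake, 0x03 0x01 = record-layer version) that a plain-HTTP listener tried to parse as an HTTP request line, which is why it gets a 400. Added example, not from the post or its author: a Python scanner that pulls such lines out of an Apache combined log (run here over constructed sample lines) so the "no SSL on that port" symptom can be confirmed from logs alone.

```python
import re

# Apache combined/common log line; the client/ident/user prefix is optional so a
# line pasted without it (as in the post) still parses.
LOG_RE = re.compile(
    r'^(?:(?P<client>\S+) \S+ \S+ )?\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})\b'
)
# Apache writes non-printable request bytes as \xHH escapes.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def unescape_request(text):
    """Reverse Apache's \\xHH escaping to recover the raw request bytes."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text).encode('latin-1', 'replace')


def looks_like_tls_client_hello(raw):
    """A TLS record header starts with content type 0x16 (handshake) and major
    version 0x03; the minor byte (0x01..0x04) is the record-layer version."""
    return len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x04


def find_tls_on_plaintext(lines):
    """Return (client, time, record version) for every TLS handshake that the
    listener tried to parse as HTTP and answered with 400."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        raw = unescape_request(m.group('request'))
        if m.group('status') == '400' and looks_like_tls_client_hello(raw):
            hits.append((m.group('client') or '?', m.group('time'), 'TLS record 3.%d' % raw[2]))
    return hits


# Constructed sample lines (clients from the 192.0.2.0/24 documentation range);
# the first mirrors the line quoted in the post, with a client address added.
SAMPLE_LOG = [
    r'192.0.2.10 - - [05/Apr/2017:11:58:33 -0400] "\x16\x03\x01" 400 226 "-" "-"',
    r'192.0.2.11 - - [05/Apr/2017:11:58:40 -0400] "GET /index.php HTTP/1.1" 200 5123 "-" "curl/7.47.0"',
    r'192.0.2.12 - - [05/Apr/2017:11:59:01 -0400] "BAD REQUEST LINE" 400 226 "-" "-"',
    r'192.0.2.13 - - [05/Apr/2017:11:59:20 -0400] "\x16\x03\x03\x01\x02" 400 226 "-" "-"',
]

if __name__ == '__main__':
    for client, when, version in find_tls_on_plaintext(SAMPLE_LOG):
        print('%s at %s sent a %s handshake to a plain-HTTP listener' % (client, when, version))
    # A non-empty list means the port those clients used is not speaking TLS:
    # check that SSLEngine On is actually in effect for the vhost bound to it.
```

Point it at the real access log with `find_tls_on_plaintext(open(path))`; ordinary malformed requests (the third sample line) are not reported, only byte patterns that begin a TLS record.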

