Set up php-fpm status page with php7 and apache

Question

I'm trying to set up and get php-fpm stats with a http call. I know it's possible to use the service status command, but I would like to get that from my browser.

I'm running php7, and apache, and this is what I did in my server configuration.

at apache side, I create a vhost with this :

<LocationMatch "/fpm-status">
             Order Allow,Deny
             Allow from 127.0.0.1
             ProxyPass fcgi://127.0.0.1:9000
</LocationMatch>

In the php pool configuration (/etc/php/7.0/fpm/pool.d/www.conf) I have this :

[www]
user = www-data
group = www-data
listen = 127.0.0.1:9000
listen.owner = www-data
listen.group = www-data

pm = ondemand

pm.max_children = 1000

pm.start_servers = 150
pm.min_spare_servers = 50
pm.max_spare_servers = 400
pm.max_requests = 200
pm.process_idle_timeout = 5s
pm.status_path = /fpm-status

but after restart apache and php-fpm process, when I try with curl I get this output :

admin@ip-10-3-23-78:~$curl http://localhost/fpm-status
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /fpm-status
on this server.<br />
</p>
</body></html>
admin@ip-10-3-23-78:~$ 

And in the apache log file I have this :

==> /var/log/apache2/error.log <==
[Thu Aug 25 13:36:10.776665 2016] [access_compat:error] [pid 12608] [client ::1:23142] AH01797: client denied by server configuration: proxy:fcgi://127.0.0.1:9000

I would like to know how to really set this up. I've googled for long time and didn't get a precise answer, every one is trying his way. Who is reponsible to create the status page (fpm-status in my case)? When and how this page is generated (by php-fpm I guess)? What is the right way to set the page up and accessible from a browser?

Answer 1

If you run other web-applications on your apache-server it is likely that one of them ships with an .htaccess file that interferes with handling the /staus page (or whatever you named the page in the php-fpm pool-configuration).

I recently came across that with a nextcloud instance. Within the nextcloud-(apache)-configuration whitelisting the URL and disabling the .htaccess-overrides for this path (RewriteEngine Off) made the page accessible in my case. Be sure to replace the path to the socket with the correct path (this is stock Ubuntu 16.04 example).

<FilesMatch "^ping|status$">                                                       
  RewriteEngine Off
  SetHandler "proxy:unix:/run/php/php7.2-fpm.sock|fcgi://localhost"               
</FilesMatch>

Note As pointed out in the comments, the proper directive would likely be <Location "^ping|status$"> instead of <FilesMatch>.

The socket-path is defined at /etc/php/7.2/fpm/pool.d/www.conf (listen = /run/php/php7.2-fpm.sock) in default ubuntu version.

Answer 2

Might be a bit late now but I wanted to post a straight forward simple answer to this issue with php-fpm(7.1+)/apache(2.4) as most of the answers I found online were a bit convoluted. This is using the default php-fpm settings that require unix sockets vs port mapping.

1) Within /etc/php-fpm.d/www.conf, I have the following config options set for listen sock below and uncommented out:

listen = /var/run/php-fpm.sock

pm.status_path = /fpm-status

2) With my apache config php-latest.conf (or similar) I added a match that looked for fpm-status and set it to proxypass to the unix socket and run the fpm-status from fcgi. It also restricts it so only localhost can call it:

<LocationMatch "/fpm-status">
    Order Allow,Deny
    Allow from 127.0.0.1
    ProxyPass unix:/var/run/php-fpm.sock|fcgi://localhost/fpm-status
</LocationMatch>

3) Just simply run the curl command locally:

$ curl http://localhost/fpm-status
pool:                 www
process manager:      dynamic
start time:           16/Oct/2019:11:33:25 -0400
start since:          14
accepted conn:        12
listen queue:         0
max listen queue:     0
listen queue len:     0
idle processes:       38
active processes:     2
total processes:      40
max active processes: 5
max children reached: 0
slow requests:        0

Answer 3

If you're getting a permissions error, try adding

listen.mode = 0666

to /etc/php/7.0/fpm/pool.d/www.conf

That was necessary for me to get the entire fastcgi stack with php-fpm running properly although I'm still not able to view the status page and am getting a 404 error when I try.

Answer 4

I suffered the same problem and put a few hours in there to solve it for our installations. Unfortunately I can not answer all questions you have put in there, this is mainly a working solution for the tile "Set up php-fpm status page with php7 and apache"

Here we go (Ubuntu 16.04):

Step 1: Things needed Just check if you installed this stuff similarly:

apt-get -y install apache2
apt-get -y install libapache2-mod-fastcgi php7.0-fpm php7.0
a2enmod actions fastcgi alias
systemctl restart apache2.service

Step 2: Setup fastcgi In /etc/apache2/mods-available/fastcgi.conf (or similar) put the following:

<IfModule mod_fastcgi.c>
        # Define a named handler
        AddHandler php7-fcgi .php
        # Generate an alias pointing to /usr/lib/cgi-bin/php[VersionNumber]-fcgi
        Alias /php7-fcgi /usr/lib/cgi-bin/php7-fcgi
        # Configure an external server handling your upcoming requests (note where the alias is pointing towards)
        FastCgiExternalServer /usr/lib/cgi-bin/php7-fcgi -socket /var/run/php/php7.0-fpm.sock -pass-header Authorization

         # only on if fpm-status is match. You might want to put this into your concrete vhost.conf file. For the testing, fastcgi.conf should work.
         <LocationMatch "/fpm-status">
             # set the before defined handler here
             SetHandler php7-fcgi
             # use the handler for the action handling virtual requests
             Action php7-fcgi /php7-fcgi virtual
         </LocationMatch>
</IfModule>

Step 3: Check your /etc/php/7.0/fpm/pool.d/www.conf Make sure do uncomment the status path:

pm.status_path = /fpm-status

Step 4: Secure the page (optional) Before going into production, it is certainly wise to secure this somehow, e.g.:

 Order deny,allow
 Deny from all
 Allow from [Some-IP]

Hope this helps, cheers.