Setting up PHP

On CentOS6/CentOS7/CloudLinux6/CloudLinux7

Run the following script /opt/nDeploy/scripts/easy_php_setup.sh

Additional modes of operation

# chroot-ed php-fpm using virtfs
/opt/nDeploy/scripts/init_backends.py jailphpfpm
service ndeploy_backends restart

# Disable chroot-ed php-fpm
/opt/nDeploy/scripts/init_backends.py disable-jailphpfpm
service ndeploy_backends restart

# User level php-fpm master.
# This setting must be enabled for reseller resource control
/opt/nDeploy/scripts/init_backends.py secure-php
/opt/nDeploy/scripts/attempt_autofix.sh
/opt/nDeploy/scripts/init_backends.py autofix

# Disable user level php-fpm master
/opt/nDeploy/scripts/init_backends.py disable-secure-php
/opt/nDeploy/scripts/attempt_autofix.sh
/opt/nDeploy/scripts/init_backends.py autofix
service ndeploy_backends restart

ZendOpcache and security considerations on php-fpm single master setup

XtendWeb currently offers the following settings, which can mitigate the security risk of shared OPcache memory to some extent:

1. opcache.restrict_api

opcache.restrict_api
Allows calling OPcache API functions only from PHP scripts whose path starts with the specified string. The default "" means no restriction.
This is set to /home/CPANELUSER/

2. opcache.blacklist_filename

opcache.blacklist_filename
The location of the OPcache blacklist file. A blacklist file is a text file containing the names of files that should not be accelerated, one per line. Wildcards are allowed, and prefixes can also be provided. Lines starting with a semi-colon are ignored as comments.
This is set to /home/CPANELUSER/opcache-blacklist.txt
A user can upload opcache-blacklist.txt to their home directory via FTP or SSH; paths listed in this file will not be cached.
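
A small linter for the blacklist format described above, as an added example that is not part of the XtendWeb documentation or code. The user name exampleuser, the sample entries, and the policy that every entry must be an absolute path under the user's home directory are assumptions of the example.

```shell
#!/bin/sh
# Added example: lint a per-user OPcache blacklist file.
# Policy assumed by this example (not an XtendWeb rule): every entry is an
# absolute path under the user's home directory with no ".." component.

# lint_opcache_blacklist FILE HOMEDIR
# Prints one line per finding. Returns 0 if clean, 1 if any entry is flagged,
# 2 if FILE is missing or is a symlink.
lint_opcache_blacklist() {
    bl_file=$1
    bl_home=${2%/}/
    bl_rc=0
    bl_n=0
    if [ -L "$bl_file" ] || [ ! -f "$bl_file" ]; then
        echo "not a regular file: $bl_file"
        return 2
    fi
    while IFS= read -r bl_line || [ -n "$bl_line" ]; do
        bl_n=$((bl_n + 1))
        # Trim surrounding whitespace; this also drops a trailing CR from uploads.
        bl_line=${bl_line#"${bl_line%%[![:space:]]*}"}
        bl_line=${bl_line%"${bl_line##*[![:space:]]}"}
        case $bl_line in
            '' | ';'*) continue ;;   # blank line or ';' comment
        esac
        case $bl_line in
            */../* | */..) echo "line $bl_n: '..' component: $bl_line"; bl_rc=1 ;;
            "$bl_home"*) ;;          # file, prefix or wildcard inside the home directory
            /*) echo "line $bl_n: outside $bl_home: $bl_line"; bl_rc=1 ;;
            *) echo "line $bl_n: not an absolute path: $bl_line"; bl_rc=1 ;;
        esac
    done < "$bl_file"
    return "$bl_rc"
}

# Constructed sample input (not from the XtendWeb documentation).
sample=$(mktemp)
cat > "$sample" <<'EOF'
; do not cache files holding credentials
/home/exampleuser/public_html/wp-config.php
/home/exampleuser/public_html/conf
/home/exampleuser/public_html/*-secrets.php
/etc/passwd
includes/db.php
/home/exampleuser/../otheruser/public_html/index.php
EOF
lint_opcache_blacklist "$sample" /home/exampleuser || echo "blacklist needs review"
rm -f "$sample"
```
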

Per user php.ini custom settings

php-fpm lets users configure settings of type PHP_INI_PERDIR and PHP_INI_USER in .user.ini files

Ref: http://php.net/manual/en/configuration.file.per-user.php

The settings are provided in ini format (the same as php.ini), and the file must be named .user.ini.