EasyApache

From Just another day in the life of a linux sysadmin
Jump to: navigation, search

Update Blocker

Severity Blocker Message FATAL You must upgrade the EasyApache 4 package, “ea-apache24-config-runtime” to version “1.0-113” or later, to upgrade to the next version of cPanel & WHM.

To correct this run a

yum update

or

yum install ea-apache24-config-runtime

you may need to run a :

yum clean all 

first if these fail and try it again. Ensure you are using the EA4 repo in /etc/yum.repos.d/

[EA4]
name=EA4 ( EasyApache 4 )
mirrorlist=http://httpupdate.cpanel.net/ea4-c$releasever-$basearch-mirrorlist
gpgcheck=1
gpgkey=https://securedownloads.cpanel.net/cPanelPublicRPMKey.asc
enabled=1
cost=50

once this is successful follow this with

/scripts/upcp --force

Pre EasyApache Config backups

(echo;read -p "What is your LW username?: " _usr
_usr="$_usr.$(date +%Y-%m-%d-%H:%M)"
_out="Date created: $(date +%c)\n\nConfiguration files:"
_httpd=/usr/local/apache
 
function cbak { cp "$@" "${@}.bak.${_usr}";_out=$_out"\nBacked up\n - $@\n - TO: ${@}.bak.${_usr}"; }
function out { _out=$_out"\n\n--${1}--\n${@:2}"; }
function ver { echo -e "Current ${1}: \e[1;33m${@:2}\e[0m"; }
 
cbak $_httpd/conf/httpd.conf
cbak $_httpd/conf/php.conf
cbak /usr/local/lib/php.ini
 
_ea=$(test -f /etc/cpanel/ea4/is_ea4 && echo 4 || echo '3 (or unknown)')
out "EasyApache version" "EasyApache $_ea"
 
_handler=$(/usr/local/cpanel/bin/rebuild_phpconf --current 2>&1)
out "Current Handler" "$_handler"
if [ -x /usr/bin/php4 ];then
   out "PHP 4 Version" "$(php4 -v 2>&1)"
   out "PHP 4 Modules" "$(php4 -m 2>&1)"
fi
if [ -x /usr/bin/php5 ];then
   out "PHP 5 Version" "$(php5 -v 2>&1)"
   out "PHP 5 Modules" "$(php5 -m 2>&1)"
fi
if [ -x /usr/bin/php ];then
   out "PHP (main) Version" "$(php -v 2>&1)"
   out "PHP (main) Modules" "$(php -m 2>&1)"
fi
 
out "Apache Version" "$($_httpd/bin/httpd -V 2>&1)"
out "Apache Modules" "$($_httpd/bin/httpd -l 2>&1)\n$($_httpd/bin/httpd -M 2>&1)"
echo -e "$_out" > /root/preEA.$_usr
 
_php=$(php -v 2>&1 | sed -rn "s:PHP ([0-9.]+) .*:\1:p")
_phpdef=$(sed -rn "s:DEFAULT PHP\: (.*)$:\1:p"<<<"$_handler")
_phph=$(echo $_handler | grep -Eo "[^ ]+ SAPI: [^ ]+" | sed -r "s: SAPI::g" | sed -r "s:^:   - :g")
_phpx=$(php -m 2>/dev/null | egrep -io "memcache(d)?|(i)?magick(wand)?|ffmpeg|apc|eaccelerator|xcache" | sed "s:^:   - :g")
read _httpdv _httpdh <<<$(/usr/sbin/httpd -V | tr '\n' ' ' | sed -rn "s:.*Apache/([^ ]+) (.*Server MPM\: +([^ ]+) )?.*:\1 \3:p")
 
ver "EasyApache version" "EasyApache $_ea"
ver "PHP version" "$_php (Default: $_phpdef)"
ver "PHP Handler(s)" "\n$_phph"
ver "Apache version" "$_httpdv"
ver "Apache MPM" "$_httpdh"
if [ ! -z "$_phpx" ];then
   echo -e "\n\e[1;31m [ The following module(s) appear to be currently installed ]\n$_phpx\n [ Ensure these are installed after the EA is complete ]\e[0m\n"
fi
 
echo -e "\e[1;33mConfiguration stored in: /root/preEA.$_usr\e[0m")


What is EasyApache 4?

stat /etc/cpanel/ea4/is_ea4


tl;dr

"EA4 represents a total overhaul of how cPanel & WHM ships and maintains our Apache and PHP distribution. EasyApache is software that installs, configures, updates, and validates your web server, PHP, and other components of your web server." link


Long version:


Previously, EasyApache was cPanel's solution to maintaining Apache and PHP in a sensible way that would work with their setup. The EasyApache script was an all-in-one script that allowed you to update, install, and remove versions of Apache and PHP as well as modules for both of them all in one convenient location. Unfortunately, cPanel set it up in a way that forced Apache and PHP to be recompiled client-side each time you wanted to make changes. Since Apache and PHP are gigantic piece of software, a recompile would usually take 10-30 minutes on average if nothing went wrong. This approached proved to be too inefficient, so cPanel completely overhauled everything about EasyApache and created EasyApache 4.

First and most importantly: EasyApache 4 now uses yum for package management. Before, Apache/PHP would be recompiled client-side which takes a great deal of time. With yum, everything is taken care of on cPanel's own repositories. Because of this, users can just install and update Apache/PHP directly through yum.

To put it into context how big of a change this is: installing through yum takes <1 minute, vs the 10-30 minutes it took before.

The biggest consequence to this change aside from the time save, though, is the path changes. Essentially, it's structured similar to our core-managed boxes: /etc/apache2 for Apache config, /var/log/apache2 for Apache logs, that kind of thing. The changes are listed here.

Another notable change is the native multi-PHP support. That wiki page with a million warning saying "DON'T DO THIS EVER"? Yeah, that's what we're talking about (note: that method is still unsupported). This, of course, allows you to run multiple versions of PHP on your server at the same time. You can only have one version of PHP running in a given vhost* (sort of, more on that later). The "Multi-PHP Manager" in WHM provides an excellent interface for working with multiple versions of PHP.

Also: PHP 7

There's a lot more other neat little things, but these are just the biggest couple. The other changes will be covered later in this wiki.

File Path Changes

Since PHP and Apache have switched to using yum with EasyApache 4, the paths to critical files have changed. Here's what you need to know:

Configuration

Config Description
/etc/apache2 Configuration files for Apache. This is more-or-less the rest of what /usr/local/apache used to be.
/etc/apache2/conf httpd.conf, and some mod_mime config stuff
/etc/apache2/conf.modules.d Apache module config files
/etc/apache2/conf.d The rest of what /usr/local/apache/conf was, basically.
/etc/apache2/conf.d/includes Apache include files
/opt/cpanel/ea-phpXX/root/etc/php.d PHP extension config files
/opt/cpanel/ea-phpXX/root/etc/php.ini php.ini for each PHP version. XX = PHP version, e.g. 54, 55, 56, 70
/opt/cpanel/ea-phpXX/root/etc/php.d/local.ini alternate php.ini file. see here for more info

Logs

Log Description
/var/log/apache2 Apache's logs, symlinks to /usr/local/apache/logs
/etc/apache2/logs Logs again, symlinks to /var/log/apache2
/etc/apache2/logs/domlogs Apache domlogs, symlinks to /usr/local/apache/domlogs
/etc/apache2/logs/domlogs Domlogs again, symlinks to /var/log/apache2/domlogs

Misc changes

File Description
/usr/lib64/apache2/modules Apache dynamic module locations (the .so files)
/opt/cpanel/ea-phpXX/root/usr/bin/php PHP binaries for installed PHP versions. XX = PHP version, e.g. 54, 55, 56, 70
/opt/cpanel/ea-phpXX/root/usr/lib64/php/modules PHP module locations (the .so files) for each installed version. XX = PHP version, e.g. 54, 55, 56, 70
/var/www/html Server document root, basically what /usr/local/cpanel/htdocs was
/usr/local/apache.ea3 Backup of the Apache configuration for EA3

EasyApache 4 files

In addition to file path changes, there's some new files that you'll need to learn as well. These ones are specific to EA4.

File Description
/etc/cpanel/ea4/profiles The directories for default cPanel and customer profiles go here. Don't put custom profiles in this directory, as they'll be overwritten when cPanel updates.
/etc/cpanel/ea4/profiles/cpanel This is where cPanel's default profiles will go. Custom profiles in here will also be overwritten when cPanel updates.
/etc/cpanel/ea4/profiles/custom Custom EA4 profiles go here. Best practice would be to copy an existing profile from the ../cpanel directory to here, then just edit the copy.

Pre-EA Backups

While the switch to EA4 should ensure that all relevant EA3 data is backed up, It's always better to be safe than sorry. Here's the copypasta from the Pre-EA Backup section of the Easy Apache wiki page to backup this data. {{#lst:EasyApache|pre_ea_backups}}

How to Install or Uninstall EasyApache 4

ModSecurity considerations

Prior to converting to EA4

ModSec will break if you don't do this

The EA4 conversion process will at least partially break non-cPanel-supplied ModSec rulesets. Our ModSec ruleset has been updated for EA4, but the package name differs slightly. Ideally, you'll want to do this before moving to EA4:

yum remove lp-modsec2-rules


How to install EasyApache 4 - cPanel

Make sure you've run 'yum remove lp-modsec2-rules' before converting, otherwise ModSec will break Installing and Uninstalling EasyApache 4 takes down Apache.

To install EasyApache 4, perform the following steps:

Please backup old apache location in the event we need to reference those for module/mpm/etc settings.

mkdir -p /home/lwtemp/
cp -r /usr/local/apache/conf/ /home/lwtemp/preEA4apacheconf

Run the following command:

/scripts/migrate_ea3_to_ea4 --run

If you see this option while switching to EA4 please refer to the ea-php55-php-zendguard_conflicts_with_ea-php55-php-opcache section of the wiki.

1) Revert to EasyApache 3

2) Abort.

3) Install the cPanel Default profile. }}

A prompt will display all of the changes that you will make. To continue, follow the system's instructions.

Remember to finish the ModSecurity post conversion steps!

yum install lp-modsec2-rules-ea4

That should install our ruleset with payload specific for EA4, for example:

/etc/apache2/conf.d/modsec2.liquidweb.conf
/etc/apache2/conf.d/modsec2/*.conf

whitelist.conf and custom.conf should be populated with the contents of the corresponding rpmsave files in /usr/local/apache.ea3/conf/modsec2/ if nonzero.


Note: the EA4 conversion process will itself also retain the old /usr/local/apache/ hierarchy here:

/usr/local/apache.ea3/

Enable the Symlink Patch (NEW)

# Add symlink settings.
if [ "`grep -i symlink_protect /var/cpanel/conf/apache/local | wc -l`" -gt 0 ]
 then
  echo "Symlink_Protect already set"
 else
cat >> /var/cpanel/conf/apache/local << EOF
  "symlink_protect":
    "item":
      "symlink_protect": 'On'
EOF

/scripts/rebuildhttpdconf

fi


Stop here if you're just converting to EA4, the rest of this section is specific to other edge cases

Already converted to EA4 with our ruleset

If on the other hand, the server is already converted to EA4, and our ruleset is in-place in a partially broken manner, do this:

yum remove lp-modsec2-rules
cd /etc/apache2/conf.d
mv modsec2.user.conf modsec2.user.conf.PREVIOUS
touch modsec2.user.conf
yum install lp-modsec2-rules-ea4

modsec2.user.conf is moved out of the way and replaced with a zero byte file as lp-modsec2-rules-ea4 uses modsec2.liquidweb.conf instead, and the rule-ids will conflict if both modsec2.liquidweb.conf and modsec2.user.conf as supplied by different versions of our ruleset are in-place.

Already converted to EA4 with ASL ruleset

If the ASL ruleset happened to be in-use with EasyApache 3 prior to conversion to EA4, that's likely to be broken in a similar, but more significant way, since all rules in the ASL ruleset reside in Include's in the modsec2 directory. Do something like this to fix the ASL ruleset manually:

cd /etc/apache2/conf.d
mkdir modsec2
cd modsec2
cp /usr/local/apache.ea3/conf/modsec2/* .
cd ..
ln -s /etc/apache2/conf.d/modsec2 /usr/local/apache/conf/modsec2
vim modsec2.user.conf

Ensure the Include lines in modsec2.user.conf are uncommented (the EA4 conversion process comments them out).

Save your changes to modsec2.user.conf, and restart Apache:

apachectl restart

The cPanel-supplied OWASP ruleset is unaffected by the EA4 conversion process.

How to install EasyApache 4 - cPanel + CloudLinux

Make sure you've run 'yum remove lp-modsec2-rules' before converting, otherwise ModSec will break Installing and Uninstalling EasyApache 4 takes down Apache.

mkdir -p /home/lwtemp/
cp -r /usr/local/apache/conf/ /home/lwtemp/preEA4apacheconf

Convert to EA4 from EA3

cd ~; wget https://repo.cloudlinux.com/cloudlinux/sources/cloudlinux_ea3_to_ea4; sh cloudlinux_ea3_to_ea4 --convert

Revert from EA4 to EA3

cd ~; wget https://repo.cloudlinux.com/cloudlinux/sources/cloudlinux_ea3_to_ea4; sh cloudlinux_ea3_to_ea4 --revert

http://docs.cloudlinux.com/index.html?cpanel_easyapache_4.html


How to uninstall EasyApache 4 if EasyApache 3 was installed prior

To uninstall EasyApache 4, perform the following steps:

To revert to EasyApache 3 from EasyApache 4, run the following command:

/scripts/migrate_ea3_to_ea4 --revert --run

This will remove the installed rpms, move the original hierarchy back into place, and run a brand new easyapache.

How to uninstall EasyApache 4 if EasyApache 3 was not installed prior

  • Note: Still testing, do at your own risk

Run a Pre-EA to make sure you can fix things if something goes wrong.

If EA3 was not installed prior it will give you the following when trying to revert:

[root@host2 ~]# /scripts/migrate_ea3_to_ea4 --revert --run
This system never had EasyApache 3. Reverting is not possible.

To get around this first create this folder: /usr/local/apache.ea3/

mkdir /usr/local/apache.ea3/

Then run the following script:

/scripts/migrate_ea3_to_ea4 --revert --run

It will ask for confirmation

Once it is done it will likely state that apache/httpd failed to restart. Do not worry, instead run a EasyApache:

/scripts/easyapache --build

After that is done it should be all set and running EA3

Known issues:

If EasyApache 3 does not show up in WHM Load the following link after logging into WHM:

https://<$IP>:2087/<CPANELSESSION_ID>/cgi/easyapache.pl

Replace the <$IP> with the servers IP/Host and replace <CPANELSESSION_ID> wth the the session id from your link after logging in

Example:

https://host.domain.com:2087/cpsess5485003701/scripts3/feature_showcase

to

https://host.domain.com:2087/cpsess5485003701/cgi/easyapache.pl

Then run a build from WHM.

Using EasyApache 4

As of now there is no using /scripts/easyapache via command line.

You can still do things the command line way, though. In WHM > EasyApache 4, they have a link called "How to run EasyApache 4 from a Command Line Interface (CLI)." It actually takes you to a page on using yum:

https://documentation.cpanel.net/display/EA4/Yellowdog+Updater%252C+Modified+%2528yum%2529+Basics

What we're interested in is presently at the bottom section:

cPanel & WHM ensures that packages do not conflict with one another. Each package in the EasyApache 4 yum repository uses the ea- prefix. This refers to a package's namespace. cPanel & WHM does this to ensure that the apache2 package never conflicts with another apache2 package, or a user mistakenly downloads a package in place of the intended package. 
Each Software Collection area uses its own package namespace. Because of this, each server includes two package namespaces for each version of PHP. For example, to install the -soap extension for PHP 5.5, you must install the ea-php55-php-soap package. You cannot install only the php-soap package.

So, adding or removing an Apache module for instance, is like on a core-managed - you do a yum install. Make sure the package is from the EA4 repository and is properly named. For example, the mod_suexec package is presently named: ea-apache24-mod_suexec.x86_64

Profile

At the moment cPanel includes a hand full of default profiles under "Software > EasyApache 4". You can also create your own JSON-formatted profiles yourself. The instructions for that are in the URL below if this is something you'd like to do:

https://documentation.cpanel.net/display/EA4/EasyApache+4+-+Create+a+profile

Review

With EasyApache 4 there is now also a "Review" tab that shows you packages going to be installed, upgraded, uninstalled, and affected by provisioning a profile.

Provision

When you click "Provision" it begins the process without prompting you, so be careful here.

MPMs

Changing MPM

Switching the Apache MPM is a bit different now. You need to do a remove/install to change.

Please use the yum shell specifically when removing/installing MPMs

yum shell
remove ea-apache24-mod_mpm_worker
install ea-apache24-mod_mpm_event

run

This will remove the worker MPM and replace it with the Event MPM.

Do note there is a new location for includes. If you have lost your event/worker configs grab em from your backups you made (hopefully).

/etc/apache2/conf.d/includes/pre_main_global.conf
/etc/apache2/conf.d/includes/pre_virtualhost_global.conf
/etc/apache2/conf.d/includes/post_virtualhost_global.conf

Modules (PHP/Apache)

Modules are very similar. To install the mcrypt PHP module in EasyApache 4, run the following command on the command line:

yum install ea-php<version>-php-mcrypt

In the example, <version> is the version of PHP for which you wish to install mcrypt. Your command may resemble: yum install ea-php55-php-mcrypt if you wish to use mcrypt with PHP version 5.5.


To uninstall the mod_ruid2 Apache module in EasyApache 4, run the following command on the command line:

yum remove ea-php<version>-php-mcrypt

In the example, <version> is the version of PHP for which you wish to uninstall mcrypt. Your command may resemble: yum remove ea-php55-php-mcrypt if you wish to no longer use mcrypt with PHP version 5.5.


To check for the presence or absence of a PHP module on a non-default PHP version, invoke the alternate PHP version's binary. For example:

/opt/cpanel/ea-php70/root/usr/bin/php -m

Unlike in EA3, php -i will show modules and options that are not yet installed.

MultiPHP Manager

WHM >> Software >> MultiPHP Manager

This allows you to switch the default PHP version used on the system and specify different versions for each account.

This will be available unless you're using the No PHP profile, naturally.

MultiPHP INI Editor

Read here before using this

WHM >> Software >> MultiPHP INI Editor

This is just like PHP configuration editor but allowing to set different values per version. Includes both a basic and advanced editor.


Be sure the version of PHP you installed is complete in terms of extensions. ea-php70 will not provide any extensions. A more complete install for PHP7 for instance would be:

yum install ea-apache24 ea-apache24-config ea-apache24-config-runtime ea-apache24-mod_bwlimited ea-apache24-mod_cgid ea-apache24-mod_deflate ea-apache24-mod_env ea-apache24-mod_expires ea-apache24-mod_headers ea-apache24-mod_mpm_event ea-apache24-mod_proxy ea-apache24-mod_proxy_fcgi ea-apache24-mod_proxy_http ea-apache24-mod_security2 ea-apache24-mod_ssl ea-apache24-mod_suexec ea-apache24-mod_suphp ea-apache24-mod_unique_id ea-apache24-tools ea-apr ea-apr-util ea-cpanel-tools ea-documentroot ea-libmcrypt ea-php-cli ea-php70 ea-php70-php-bcmath ea-php70-php-bz2 ea-php70-php-calendar ea-php70-php-cli ea-php70-php-common ea-php70-php-curl ea-php70-php-devel ea-php70-php-exif ea-php70-php-fpm ea-php70-php-ftp ea-php70-php-gd ea-php70-php-gettext ea-php70-php-iconv ea-php70-php-mbstring ea-php70-php-mcrypt ea-php70-php-mysqlnd ea-php70-php-opcache ea-php70-php-pdo ea-php70-php-posix ea-php70-php-soap ea-php70-php-sockets ea-php70-php-xml ea-php70-php-xmlrpc ea-php70-php-zip ea-php70-runtime ea-profiles-cpanel

Just PHP7 without touching Apache:

yum install ea-php70 ea-php70-php-bcmath ea-php70-php-bz2 ea-php70-php-calendar ea-php70-php-cli ea-php70-php-common ea-php70-php-curl ea-php70-php-devel ea-php70-php-exif ea-php70-php-fpm ea-php70-php-ftp ea-php70-php-gd ea-php70-php-gettext ea-php70-php-iconv ea-php70-php-mbstring ea-php70-php-mcrypt ea-php70-php-mysqlnd ea-php70-php-opcache ea-php70-php-pdo ea-php70-php-posix ea-php70-php-soap ea-php70-php-sockets ea-php70-php-xml ea-php70-php-xmlrpc ea-php70-php-zip ea-php70-runtime ea-profiles-cpanel

PHP Handlers

Currently EA4 works with suPHP, CGI, and DSO.  suPHP is the only PHP Handler that can use Multiple PHP Versions

Use:

WHM >> Software >> MultiPHP Manager

https://documentation.cpanel.net/display/EA4/PHP+Handlers

FCGI requires additional PHP-FPM configuration (see below).

PHP-FPM

cPanel 60 now supports php-fpm user pools natively, configurable in the WHM MultiPHP Manager. Don't do it manually as (hidden) below, and don't use lw-php7fpm-cpanel. Use the native functionality.

Use:

WHM >> Software >> MultiPHP Manager

This is fairly self-explanatory. Select the domain(s) you want to enable php-fpm for. You must explicitly select a PHP Version, using inherit will not work for enabling php-fpm. Set PHP-FPM to ON. Click Apply. That's it.

There are 3 options exposed in the Pool Options dropdown for any Domain with php-fpm enabled. These don't need to be altered for most use cases. However for instance with a high traffic site you might want to up Max Children, Process Timeout, and Max Requests significantly, within RAM constraints.

If you are further curious as to how this native php-fpm user pools functionality works behind the scenes, it looks like enabling php-fpm on a domain instantiates some logic in the corresponding vhost(s) that uses FilesMatch to match on \.(phtml|php[0-9]*) and from there utilizes SetHandler to proxy-pass to a socket in /opt/cpanel/ea-phpnn/root/usr/var/run/php-fpm/*.sock using mod_proxy_fcgi. SetHandler is specifically superior to the old way of doing a ProxyPassMatch in a userdata include, as it does not appear to override any .htaccess declarations, whereas ProxyPassMatch did.

The php-fpm user pool config is auto-generated and is in /opt/cpanel/ea-phpnn/root/etc/php-fpm.d/*.conf. There should not be any reason to edit it manually. Interestingly they are using ondemand for the pm mode. I suppose you could alter that to dynamic if you wanted manually, but on the off chance you would want to do that, it seems a better idea to just use the MultiPHP Manager Pool Options functionality to raise Process Timeout and Max Requests significantly (even up to 10000000) to approximate dynamic pm functionality while leaving it set to ondemand.

Manual setup:

Basic steps for getting PHP 7 with Opcache and PHP-FPM functional for a single domain with EasyApache 4 on cPanel 56+:

Obviously you must be converted over to EasyApache 4 first (start at the top of this wiki if you're not). I prefer the GUI tools as opposed to CLI, yum shell, etc. In:

WHM --> EasyApache 4

Click (cPanel 54):

Start --> Down Arrow next to Provision under Current Profile --> Configure

Click (cPanel 56+):

Customize (in the Currently Installed Packages section heading)

Best choice for Apache MPM is obviously:

ea-apache24-mod_mpm_event

For Apache Modules, Install as necessary. What is required to be installed for our purposes (for the php-fpm FCGI proxy-pass) is:

ea-apache24-mod_proxy_fcgi

For PHP versions, Install what is required. For this basic example, we are installing only:

ea-php70

For PHP Extensions, Install as necessary. What is required to be installed for our purposes is:

ea-php70-php-opcache ea-php70-php-fpm

Example full list of all EA4 packages installed:

ea-apache24
ea-apache24-config
ea-apache24-config-runtime
ea-apache24-mod_bwlimited
ea-apache24-mod_cgid
ea-apache24-mod_deflate
ea-apache24-mod_env
ea-apache24-mod_expires
ea-apache24-mod_headers
ea-apache24-mod_mpm_event
ea-apache24-mod_proxy
ea-apache24-mod_proxy_fcgi
ea-apache24-mod_proxy_http
ea-apache24-mod_security2
ea-apache24-mod_ssl
ea-apache24-mod_suexec
ea-apache24-mod_suphp
ea-apache24-mod_unique_id
ea-apache24-tools
ea-apr
ea-apr-util
ea-cpanel-tools
ea-documentroot
ea-libmcrypt
ea-php-cli
ea-php70
ea-php70-php-bcmath
ea-php70-php-bz2
ea-php70-php-calendar
ea-php70-php-cli
ea-php70-php-common
ea-php70-php-curl
ea-php70-php-devel
ea-php70-php-exif
ea-php70-php-fpm
ea-php70-php-ftp
ea-php70-php-gd
ea-php70-php-gettext
ea-php70-php-iconv
ea-php70-php-mbstring
ea-php70-php-mcrypt
ea-php70-php-mysqlnd
ea-php70-php-opcache
ea-php70-php-pdo
ea-php70-php-posix
ea-php70-php-soap
ea-php70-php-sockets
ea-php70-php-xml
ea-php70-php-xmlrpc
ea-php70-php-zip
ea-php70-runtime
ea-profiles-cpanel

If you happen to want to install everything in that above list in one-go without clicking stuff one-by-one in WHM:

yum install ea-apache24 ea-apache24-config ea-apache24-config-runtime ea-apache24-mod_bwlimited ea-apache24-mod_cgid ea-apache24-mod_deflate ea-apache24-mod_env ea-apache24-mod_expires ea-apache24-mod_headers ea-apache24-mod_mpm_event ea-apache24-mod_proxy ea-apache24-mod_proxy_fcgi ea-apache24-mod_proxy_http ea-apache24-mod_security2 ea-apache24-mod_ssl ea-apache24-mod_suexec ea-apache24-mod_suphp ea-apache24-mod_unique_id ea-apache24-tools ea-apr ea-apr-util ea-cpanel-tools ea-documentroot ea-libmcrypt ea-php-cli ea-php70 ea-php70-php-bcmath ea-php70-php-bz2 ea-php70-php-calendar ea-php70-php-cli ea-php70-php-common ea-php70-php-curl ea-php70-php-devel ea-php70-php-exif ea-php70-php-fpm ea-php70-php-ftp ea-php70-php-gd ea-php70-php-gettext ea-php70-php-iconv ea-php70-php-mbstring ea-php70-php-mcrypt ea-php70-php-mysqlnd ea-php70-php-opcache ea-php70-php-pdo ea-php70-php-posix ea-php70-php-soap ea-php70-php-sockets ea-php70-php-xml ea-php70-php-xmlrpc ea-php70-php-zip ea-php70-runtime ea-profiles-cpanel

Proceed to Review, wait for Package information to populate, then click Provision.

Next step is to set up php-fpm and its required FCGI proxy-pass manually. Replace $user and $testdomain.com with the cPanel user and domain in question in all relevant examples noted below. For example this is the cPanel user and domain we're going to be working with:

user: testdomain.com
mkdir -p /home/$user/run/
mkdir -p /home/$user/session/
chown $user. /home/$user/run
chown $user. /home/$user/session
cd /opt/cpanel/ea-php70/root/etc/php-fpm.d/
cp www.conf.example $user.conf

Edit your $user.conf file to include the following changes:

On line 4 alter pool name to match username:

; pool name ('www' here)
[$user]

On lines 38-39 comment-out the existing listen directive and set a new one:

;listen = 127.0.0.1:9000
listen = /home/$user/run/php70-fpm.sock

Set listen.owner and listen.group on lines 49 and 50 as such:

listen.owner = $user
listen.group = nobody

On lines 24-26 set user and group to match username:

user = $user
; RPM: Keep a group allowed to write in log dir.
group = $user

On line 414 set error_log as such:

php_admin_value[error_log] = /home/$user/logs/ea-php70-php-fpm.log

On line 420 set session.save_path as such:

php_value[session.save_path]    = /home/$user/session

You should probably adjust pm directives on lines 110-125 for provisioned resources on the server. For example, a 1G VPS:

pm.max_children = 5

; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2

; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1

; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3

Start the service and enable it. On CentOS 6:

/etc/init.d/ea-php70-php-fpm start
chkconfig ea-php70-php-fpm on

On CentOS 7:

systemctl start ea-php70-php-fpm.service
systemctl enable ea-php70-php-fpm.service

Now we need to create the FCGI proxy-pass to php-fpm. Recall we're working with this user and its associated main domain:

user: testdomain.com
mkdir -p /etc/apache2/conf.d/userdata/std/2_4/$user/$testdomain.com
mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/$user/$testdomain.com
vim /etc/apache2/conf.d/userdata/std/2_4/$user/$testdomain.com/fpm.conf

Insert the following (altering for username, etc. as necessary). This assumes document root is in /home/$user/public_html for $testdomain.com obviously:

<IfModule proxy_fcgi_module>
    ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:/home/$user/run/php70-fpm.sock|fcgi://localhost/home/$user/public_html"
    DirectoryIndex index.php
</IfModule>

Save, replicate to ssl userdata include:

cp /etc/apache2/conf.d/userdata/std/2_4/$user/$testdomain.com/fpm.conf /etc/apache2/conf.d/userdata/ssl/2_4/$user/$testdomain.com/fpm.conf

Backup the existing httpd.conf in /etc/apache2/conf/httpd.conf, then:

/scripts/rebuildhttpdconf

And restart Apache using your preferred technique:

/scripts/restartsrv_httpd

To confirm PHP-FPM is the active handler create a phpinfo() test script in the document root. The Server API line should read:

Server API 	FPM/FastCGI 

Note that with this method described above, you can simply leave the PHP Handler set to SuPHP: the PHP-FPM userdata FCGI proxy-pass usurps SuPHP for the given user / domain. Reverting to a standard PHP handler is as easy as moving the fpm.conf userdata includes to fpm.conf.bak, running /scripts/rebuildhttpdconf, and restarting Apache.

Most of the above was culled from:

https://documentation.cpanel.net/display/CKB/Configure+PHP-FPM+with+User+Pools+for+EasyApache+4

Additional resource:

https://wiki.mikejung.biz/CPanel#How_to_Configure_cPanel_54_to_use_PHP_7_and_PHP-FPM

Known Issues & Caveats

httpd status

httpd does not behave exactly as you may be used to with httpd as supplied by EasyApache 3. httpd status, httpd fullstatus, httpd restart, etc. will not function as expected. Instead use apachectl:

apachectl status
apachectl fullstatus
apachectl restart

Note for status / fullstatus to work, you likely will have to install links if not installed:

yum install links

Troubleshooting

EA3 to EA4 conversion fails with yum exited 256

I've encountered this issue on CentOS 7. After the conversion, PHP will show as text on webpages, and /usr/local/cpanel/bin/rebuild_phpconf --current will report errors like so:

Cpanel::Exception::MissingParameter/(XID jeavej) Provide the "type" parameter for the "Cpanel::WebServer::Supported::apache::make_handler" function.
at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77.
   Cpanel::Exception::create("MissingParameter", HASH(0x27b0898)) called at /usr/local/cpanel/Cpanel/Exception.pm line 30
   Cpanel::Exception::__ANON__(__CPANEL_HIDDEN__, HASH(0x27b0898)) called at /usr/local/cpanel/Cpanel/WebServer/Supported/apache.pm line 195
   Cpanel::WebServer::Supported::apache::make_handler(Cpanel::WebServer::Supported::apache=HASH(0x258fa50), "lang", Cpanel::ProgLang::Supported::php=HASH(0x256a540),  "package", "ea-php54", "type", undef) called at /usr/local/cpanel/bin/rebuild_phpconf line 186
   bin::rebuild_phpconf::ea4::do_current(HASH(0x17e7e38), Cpanel::ProgLang::Supported::php=HASH(0x256a540), Cpanel::WebServer::Supported::apache=HASH(0x258fa50))  called at /usr/local/cpanel/bin/rebuild_phpconf line 218
   bin::rebuild_phpconf::ea4::run(ARRAY(0x17c4980)) called at /usr/local/cpanel/bin/rebuild_phpconf line 394


The fix was just to ensure "plugins=1" is set in /etc/yum.conf and re-run the EA3 to EA4 conversions process again.

PHP Modules not loading

Check for suPHP_ConfigPath /home/$USER in .htaccess and comment it out.

ea-php55-php-zendguard conflicts with ea-php55-php-opcache

An error similar to this may present on conversion to EA4. Versions referenced may differ slightly, but basically zendguard conflicts with opcache in EA4. You'll be given a few options:

1) Revert to EasyApache 3
2) Abort.
3) Install the cPanel Default profile.

If you install the cPanel Default profile, our EA3 profile will not be converted over to an EA4 profile, which is undesirable. Because this condition is evidently hit after httpd as supplied by EA3 is basically uninstalled, the best solution appears to be to Revert to EasyApache 3.

Revert to EasyApache 3 will run a fresh recompile of the previous EA3 profile. After that is done, run:

/scripts/easyapache

Customize Profile. Deselect Zend Guard Loader from the Short Options List (or go to the Exhaustive Options list and remove Zend OPcache, which could be the issue). Proceed to Exhaustive Options List. Next Step. Save only (Do NOT build). Run the EA4 conversion script again, and it should success.

PECL and Manually Compiling Extensions

PECL is supposedly supported for EA4 as of cPanel 58, however even using it in concert with scl results in extensions being placed in incorrect extension directories and not being properly enabled in target PHP versions in my experience. If you run into any issues with PECL on EA4, just source compile PECL extensions manually with the following basic procedure:

cd /usr/local/src
wget https://pecl.php.net/get/somepkg-1.2.3.tgz
tar zxvf somepkg-1.2.3.tgz
cd somepkg-1.2.3
/opt/cpanel/ea-php56/root/usr/bin/phpize
./configure --with-php-config=/opt/cpanel/ea-php56/root/usr/bin/php-config
make
make install
cd /opt/cpanel/ea-php56/root/etc/php.d
echo "extension=somepkg.so" >> 20-somepkg.ini

Restart Apache, php-fpm, etc. as needed afterwards to activate. In the above example, we're compiling somepkg version 1.2.3 against PHP 5.6 as supplied by EA4, and then installing it in the proper extensions directory and enabling it. You will obviously need to alter the PECL package name and version as necessary for your purposes, and transpose ea-php56 with the target version for your purposes, as necessary, in all of the above example commands.

There are relevant wiki sections for some common extensions not available in the EA4 repo at the following links, that use the same basic procedure as above:

https://wiki.int.liquidweb.com/articles/FFMPEG#Building_ffmpeg-php_on_EA4 https://wiki.int.liquidweb.com/articles/Imagemagick#EA4 https://wiki.int.liquidweb.com/articles/Memcache#Centos_7_.28with_EA4.29

Local php.ini

This seems to be the best way to accomplish local php runtime alteration with SuPHP (probably other (Fast)CGI-type handlers as well):

cd /home/username/public_html
vim .user.ini

Add the local runtime alterations you need, for example:

memory_limit=256M
max_execution_time=300

Save the file. Maybe adjust ownership after that:

chown username. .user.ini

That's it. Confirm with phpinfo() of course.

Custom php settings per-site/docroot

EA4 will look for .user.ini instead of php.ini in user home directories for local modifications. Copy/rename the file for a quick fix. Verify with a phpinfo() on the site.

Another way to handle this is to make an ini for the user/site in question in the additional ini scan directory for the version of php that the user/site is using.

Make sure that the additional scan directory is going to be scanned with php -i:


$ php -i | grep additional
Scan this dir for additional .ini files => /usr/local/lib/php.ini.d

The additional scan directory should be setup already for every version of php since this is how EA4 loads extensions. You should also change your php command to the specific binary you're working with. For php 5.6 for example:

/opt/cpanel/ea-php56/root/usr/bin/php -i | grep additional


These should be the additional ini scan directories for each version of php currently:

  • 5.4 /opt/cpanel/ea-php54/root/etc/php.d
  • 5.5 /opt/cpanel/ea-php55/root/etc/php.d
  • 5.6 /opt/cpanel/ea-php56/root/etc/php.d
  • 7.0 /opt/cpanel/ea-php70/root/etc/php.d
  • 7.1 /opt/cpanel/ea-php71/root/etc/php.d


In the directory in question, /opt/cpanel/ea-php56/root/etc/php.d/ for 5.6, create a file named "cPanel username" + ".ini" (Ex: someuser.ini). In that file, put the following with the appropriate docroot path:


[PATH=/path/to/domain/doc/root]


And you can put whatever php directives you want under the PATH heading. This will cover both www and non-www and will override the global php.ini and local.ini for that version of php. Alternatively you can name your ini something else entirely, like custom.ini, and use this for ALL custom changes for any sites using this version of php, and just add a different PATH heading for each docroot. Example below.

[PATH=/home/someuser/public_html/]
memory_limit 55M
display_errors = off

[PATH=/home/adifferentuser/public_html/wordpress]
memory_limit 72M
log_errors = off
max_execution_time = 2

Changes to version-global php.ini files not taking

This is assuming there aren't any local php.ini or .user.ini files lurking around on the sites you're testing on, and that you're editing the right file.

If you're making changes to a version-global php.ini file (like /opt/cpanel/ea-php56/root/etc/php.ini) and it's not reflecting on the sites that are clearly using it, then you should check to see if this file exists:

/opt/cpanel/ea-php56/root/etc/php.d/local.ini

If it does, then you'll want to make any any all version-global changes in that file. Why the extra file? Because when someone uses the Editor Mode section in MultiPHP INI Editor (in WHM) to edit to php.ini, a copy of the original php.ini file is made and put into php.d/local.ini.

The idea is that you can just delete the local.ini file if you need to restore to the global version defaults (ideally, the php.ini file). It's a good idea on paper, but the implementation is kinda weird. phpinfo() and php -i will tell you if there's a local.ini file that's being loaded. It'll be under "Additional .ini files parsed".

Strange PHP runtime defaults

All versions of PHP that EA4 supplies set a decent boilerplate global runtime config. However there are a couple of exceptions that seem like strange decisions:

allow_url_fopen defaults to OFF. This is commonly required by a lot of software to this day. Toggle it to enabled in WHM --> MultiPHP INI Editor for the required PHP versions and click Apply if needed.

This one is stranger: session.save_path defaults to NULL / no value for all versions of PHP EA4 supplies. This has the effect of dumping PHP session files into document roots on any sites that happen to use PHP sessions. It can also cause exceptions to be thrown by some Frameworks that expect session.save_path to be set to a value. Likely best to set:

session.save_path = /tmp

In WHM --> MultiPHP INI Editor, and click Apply for any / all PHP versions if needed.


Php Manager Permission errors

Sometimes when changing the version of PHP for a specific account in WHM, or cPanel you will be presented with a similar error.


(XID gp4b9b) The system failed to apply the “PHP” version to : Cpanel::Exception::IO::FileOpenError/(XID 47c3dv) The system failed to open the file “/home/willowhealing/public_html/.htaccess” for reading and writing because of an error: Permission denied at /usr/local/cpanel/Cpanel/Exception.pm line 73. Cpanel::Exception::create("IO::FileOpenError", HASH(0x6af7af8)) called at /usr/local/cpanel/Cpanel/WebServer/Supported/apache/Htaccess.pm line 186


This is most likely due to the permissions on the .htaccess file for that account.

[root@host /home/domain/public_html]# ll .htaccess -r--r--r--


[root@host /home/domain/public_html]# chmod 644 .htaccess .

Then the PHP version can now be changed for the account.




Modify PHP

There are several methods that allow you to modify your PHP configuration. For more information, read the following documentation:

PHP Options — A list of the available options in EasyApache that directly modify PHP.
PHP Handlers — The PHP handler that you select determines how Apache handles requests for PHP content.

To more easily allow you to call the PHP binaries directly, we provide the following symlinks for each version of PHP installed on your system:

PHP CLI — /usr/local/bin/ea-php##, where ## represents the two-digit PHP version.
PHP CGI — /usr/bin/ea-php## command, where ## represents the two-digit PHP version.

Adjust configuration files

To further customize your PHP configuration, you can edit your .ini files. We strongly recommend that you only edit your configuration files in cPanel's MultiPHP INI Editor interface (Home >> Software >> MultiPHP INI Editor). To edit your files manually, use the following files in your document root:


Apache handler PHP configuration file

Modify PHP There are several methods that allow you to modify your PHP configuration. For more information, read the following documentation: PHP Options — A list of the available options in EasyApache that directly modify PHP. PHP Handlers — The PHP handler that you select determines how Apache handles requests for PHP content. To more easily allow you to call the PHP binaries directly, we provide the following symlinks for each version of PHP installed on your system: PHP CLI — /usr/local/bin/ea-php##, where ## represents the two-digit PHP version. PHP CGI — /usr/bin/ea-php## command, where ## represents the two-digit PHP version. Adjust configuration files To further customize your PHP configuration, you can edit your .ini files. We strongly recommend that you only edit your configuration files in cPanel's MultiPHP INI Editor interface (Home >> Software >> MultiPHP INI Editor). To edit your files manually, use the following files in your document root: Apache handler PHP configuration file suPHP .user.ini Note:

If you enabled the suPHP_ConfigPath directive in your .htaccess file, read our The cPanel PHPRC PHP Patch for EasyApache 4 documentation.

CGI php.ini DSO .htaccess

PHP Security To ensure that your PHP stays up to date, use one of the following options: Set the Operating System Package Updates section of WHM's Update Preferences interface (Home >> Server Configuration >> Update Preferences) to Automatic. As a root-enabled user, run yum update on the command line. Install the CentOS-provided yum-cron package with the following command: yum install yum-cron. suPHP .user.ini

Note:

If you enabled the suPHP_ConfigPath directive in your .htaccess file, read our The cPanel PHPRC PHP Patch for EasyApache 4 documentation.


CGI php.ini DSO .htaccess


PHP Security

To ensure that your PHP stays up to date, use one of the following options: Set the Operating System Package Updates section of WHM's Update Preferences interface (Home >> Server Configuration >> Update Preferences) to Automatic. As a root-enabled user, run yum update on the command line. Install the CentOS-provided yum-cron package with the following command: yum install yum-cron.