In this guide, we will describe installing PHP and PHP-FPM on Ubuntu 24.04. PHP, which stands for Hypertext Preprocessor, is a language that is widely used and open-sourced, mainly for web development. PHP is the only PHP FastCGI implementation, that is extremely useful for high-traffic websites. At the end of this guide, you should be ready to go with PHP running on your server.
Before we start, please confirm you have the following:
To ensure that your system is up to date, run the following commands:
sudo apt update
sudo apt upgrade
Launch the Apache web server using the following command:
sudo apt install apache2
Let's begin with installing the PHP package in Ubuntu 24.04 server.
First, open a terminal on your Ubuntu system.
PHP and common modules are included in the installation action:
sudo apt install php
That command installs the core PHP package, the command-line interface, and common libraries.
Make sure the installation works:
php -v
PHP extensions are the way to go to extending PHP installation with certain functions. Start by installing extensions:
sudo apt install php-curl php-mbstring php-xml
Short description:
php-mysql
: Allows MySQL database connection
php-gd
: Adds ability to manipulate images
php-curl
: Makes possible to communicate with servers
php-mbstring
: Provides multibyte string support
php-xml
: Enables XML support
php-zip
: Enables ZIP support
Additional extensions can be installed as you see fit for your projects. You can search them using:
apt-cache search php-
PHP-FPM is essential when dealing with high-traffic websites. To install and configure it:
Install the package:
sudo apt install php-fpm
Launch PHP-FPM service. Depending on the installation, version number may differ.
sudo systemctl start php8.3-fpm
Tell PHP-FPM to go on boot:
sudo systemctl enable php8.3-fpm
Verfy PHP-FPM is working:
systemctl status php8.3-fpm
This will output a response that says "Active (Running)" if everything is working as expected.
To ensure that PHP and PHP-FPM are both running with no problems, create a test file then serve it via the website's server. Let's say it uses Apache in this example:
Generate PHP Info File. To show PHP settings using the phpinfo() function, do the following:
mkdir -p /var/www/html
echo "<?php phpinfo(); ?>" | sudo tee /var/www/html/info.php
Set Up Apache for PHP-FPM. Ensure Apache is made compatible for PHP-FPM, by first finding Apache configuration file (usually /etc/apache2/sites-available/000-default.conf
) then inserting:
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php/php8.3-fpm.sock|fcgi://localhost/"
</FilesMatch>
Remember we must alter specific PHP version and socket path to suit individual settings of the server.
Activate PHP and PHP-FPM. Enable PHP and PHP-FPM following these instructions:
sudo apt install libapache2-mod-php
sudo a2enmod proxy_fcgi setenvif
Reboot Apache. Apply changes by restarting Apache server:
sudo systemctl restart apache2
Access PHP Info Page. First open your web browser and go to:
http://your_server_ip/info.php
Replace [server_ip]
with the server IP address or domain. You can see details of your PHP installation.
For particular projects you might need to run different applications, each one may require different functionalities. This is the way to manage and manipulate multiple PHP versions on Ubuntu 24.04.
First, add PHP repository:
sudo apt install software-properties-common
sudo add-apt-repository ppa:ondrej/php && sudo apt update
Install PHP versions you need:
sudo apt install php8.1 php8.1-fpm
Deselect one PHP version and elect the other:
sudo update-alternatives --set php /usr/bin/php8.1
If you are using multiple PHP versions, ensure that your web server is pointing to the appropriate PHP-FPM socket.
As a web developer, you know the importance of incorporating both PHP and PHP-FPM into web applications that are safe and robust. In this section, we will introduce a number of security steps that you should adapt using PHP and PHP-FPM.
PHP and PHP-FPM should be up to date. Doing regular updates will eliminate known security breaches and provide overall security improvements. You need to check for updates as often as possible then update the system as soon as the updates are available.
To configure PHP securely, start by disabling unnecessary and potentially dangerous functions, such as exec
, shell_exec
, and eval
, in the PHP configuration file (php.ini
). Use open_basedir
directive to restrict PHP’s access to specific directories, preventing unauthorized access to sensitive files. Set display_errors
to Off
in production to avoid exposing error messages that could provide insights to attackers. Limit file upload sizes and execution times to reduce the risk of resource exhaustion attacks. Besides, ensure that PHP runs under a dedicated, restricted user account with minimal permissions to prevent privilege escalation. Regularly update PHP to the latest stable version to patch vulnerabilities and improve security.
To ensure an error-free application, it is quite handy locating and correcting code bugs in a development environment. In production environment, you have the possibility to hide the PHP errors by setting the display_error
directive to be off
, and you should also set the log_errors
directive to be On
, thus this will help you prevent PHP from showing errors to the users whereas your server will log it in a safe location without problems to users.
Being aware of the input validations is quite crucial during the programming of your software. Make sure that all deficiencies are tested and only SQL statements containing their SQL equivalent that can produce outwardly neutral queries via prepared statements is considered safe.
PHP-FPM is required to run using a non-usual user account with minium rights. Furthermore, access to the PHP-FPM socket or port should be very limited to the web application.
You need to bind open_basedir
directive in order to restrict access files within the given directory. In this case, if you attempt to visit a forbidden directory and the request is accidentally transmitted to the server, PHP will prevent you from doing so.
We need to secure web calls by making apps HTTPS-only, which is the only prominent way to block all the known hacking tricks.
With this guide, you've successfully set up PHP and PHP-FPM on Ubuntu 24.04. Your server is now configured for dynamic web applications. To maintain security and performance, remember to keep the system and packages regularly updated.