Upgrading CentOS 6 to PHP-FPM 5.6 – A 2800+ Word Detailed Guide

I recently learned first-hand how important it is to keep your PHP stack up to date while migrating the Geekflare website from shared hosting to a CentOS 6 DigitalOcean droplet.

The migration itself went smoothly without any hiccups, and Geekflare was humming along nicely on the new CentOS 6 server. However, a week later I was caught off-guard when I received an automated high-severity vulnerability warning related to our version of PHP.

On investigating further, I found that CentOS 6 ships with end-of-life PHP 5.3 in its default repositories, which explained the red flags around security and support. Even though it was working fine, running an outdated PHP version could put the entire server at risk of exploits.

That's when I decided it was crucial for us to upgrade the default PHP 5.3 to the latest supported PHP 5.6 branch for Geekflare.

In this comprehensive 2800+ word guide, let's go through the step-by-step process of installing and configuring PHP 5.6 with PHP-FPM on CentOS 6 for enhanced security and performance.

Why is Upgrading PHP Important?

Before we jump into the upgrade process, let me expand on key reasons why running the latest PHP version is critical:

Security Against Vulnerabilities

Outdated software like end-of-life PHP 5.3 often harbors dangerous vulnerabilities. A single unpatched issue leaves the door open for attackers to compromise your servers.

As an example, PHP 5.3 has had over 15 high-severity code execution bugs in the last 2 years, which can lead to server breaches by hackers. To make matters worse, PHP 5.3 no longer receives security fixes, leaving apps vulnerable.

By upgrading to supported versions like PHP 5.6, you benefit from regular maintenance and patches for any newly discovered flaws. This drastically reduces the chances of takeovers via PHP apps.

Improved Performance and Reliability

New PHP releases incorporate substantial under-the-hood performance enhancements through upgraded execution engines and compilers.

PHP 5.6 itself delivers over 2x better performance compared to the aging PHP 5.3 branch. Faster PHP decreases server load allowing your infrastructure to handle more traffic easily.

Upgrades also mean improved stability and reliability standards through years of accumulated optimizations and bug fixes.

Access to Modern Features

Web apps evolve rapidly to take advantage of newer language features. However, an outdated PHP limits the functionality that can be leveraged.

For example, PHP 5.6 adds useful improvements like phar file stream wrappers, GMP numbers, anonymous classes etc. Such features can help develop robust apps utilizing the latest PHP capabilities.

Ongoing Official Support

Once past end-of-life status, a PHP version stops receiving important bug and security fixes, leaving apps at risk. This makes upgrades vital for production systems.

The PHP 5.6 branch has ongoing support for critical updates until December 2021. Upgrading provides assurance of support channels for reporting issues.

In summary, keeping your PHP stack up-to-date is crucial for security, performance and reliable operations. Now let's see how to upgrade CentOS 6 to PHP 5.6.

Overview of Upgrade Process

Here is a high-level overview of the steps involved in upgrading to PHP-FPM 5.6 on CentOS 6:

The sequence involves:

  1. Add repositories – Enable additional yum repos providing PHP 5.6 packages
  2. Install PHP 5.6 – Use the repos to install php-fpm and modules
  3. Verify upgrade – Check PHP-FPM version is updated to 5.6 post install
  4. Configuration – Tweak settings for performance and security
  5. Compatibility – Test apps for PHP 5.6 compatibility
  6. Hardening – Harden PHP-FPM security configuration

Optionally, it's also recommended to take backups before upgrading as a precaution.

Next, let's go through the process in detail.

Adding Webtatic, EPEL and Remi Repositories

The default package sources in CentOS 6 repositories only provide the older end-of-life PHP 5.3 version.

We need to enable additional third-party yum repositories that host newer supported PHP releases like 5.6 for us to upgrade:

Repository   Packages
Webtatic     Updated PHP packages for CentOS/RHEL
EPEL         Community managed packages
Remi         Newer PHP versions and modules

Here are the commands to add these repositories providing PHP 5.6:

rpm -Uvh https://mirror.webtatic.com/yum/el6/latest.rpm
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
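# Save the Remi repo definition in the directory yum reads repo files from
curl -o /etc/yum.repos.d/remi.repo http://rpms.famillecollet.com/enterprise/remi.repo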

This makes Webtatic, EPEL and Remi package sources available to our system for the PHP installation.
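
Because these repositories come from third parties, it is worth confirming that every enabled section still verifies package signatures and is not fetched over plain HTTP. The script below is an added example, not part of the original guide or of any repository's tooling; audit_repo is a hypothetical helper name, and the sample repo file with its example.invalid hosts is constructed.

```sh
# Added example: flag enabled yum repo sections that weaken package verification.
# audit_repo FILE -> one line per finding, "<section>: <problem>"
audit_repo() {
    awk -F= '
        function report() {
            if (sec == "" || enabled == "0") return       # disabled repos are skipped
            if (gpgcheck == "0") print sec ": gpgcheck disabled"
            if (plain != "")     print sec ": plaintext " plain
        }
        /^[ \t]*[#;]/ { next }                            # comment lines
        /^\[/ { report(); sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
                enabled = "1"; gpgcheck = ""; plain = ""; next }
        NF >= 2 {
            key = $1; gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled")  enabled = val
            if (key == "gpgcheck") gpgcheck = val
            if ((key == "baseurl" || key == "mirrorlist") && val ~ /^http:/) plain = key
        }
        END { report() }' "$1"
}

# Constructed sample repo file (hosts are placeholders, not real mirrors)
repo=$(mktemp)
cat > "$repo" <<'EOF'
[remi-php56]
name=constructed sample
mirrorlist=http://mirror.example.invalid/el6/php56
enabled=1
gpgcheck=0

[remi-test]
baseurl=http://mirror.example.invalid/el6/test
enabled=0
gpgcheck=0

[epel]
mirrorlist=https://mirror.example.invalid/epel6
gpgcheck=1
EOF
audit_repo "$repo"
```

On a real server, call audit_repo on each file in /etc/yum.repos.d/ after adding the repositories and before running yum install.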

Installing PHP 5.6 and Required Modules

With access to updated PHP versions, we can now use the Remi repository to install the latest PHP 5.6 release:

yum install php-fpm php php-devel -y --enablerepo=remi-php56

The key packages upgraded here are:

  • php-fpm – FastCGI process manager for PHP
  • php – Core PHP language parsing engine
  • php-devel – Libraries for development

Additionally, extensions like mysqli, mbstring, gd etc. that are commonly required by apps can be installed as:

yum install php-mysqli php-mbstring php-gd -y --enablerepo=remi-php56

This allows your applications to leverage these PHP modules.

Verifying PHP-FPM Upgrade to 5.6

Post installation, we should validate that PHP-FPM has been successfully upgraded from 5.3 to the latest 5.6 version.

Run the following verification checks:

php -v 

PHP 5.6.40 (cli) (built: Jul 28 2022 10:26:02) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies

php-fpm -v

PHP 5.6.40 (fpm-fcgi) (built: Jul 28 2022 10:26:02) ( NTS ) 
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies 

We can see both the core php and php-fpm packages have now been upgraded to the latest supported 5.6.40 version.

This confirms our upgrade from default insecure PHP 5.3 to 5.6 was successful! PHP 5.6 will receive security and bug fixes till December 2021.

Additional Modules and Post Upgrade Steps

Some commonly used PHP extensions are mysqlnd, imagick, mongodb etc. These can be installed via:

yum install php-mysqlnd php-pecl-imagick php-pecl-mongodb -y --enablerepo=remi-php56

Based on the requirements of your web apps, install any other needed PHP modules from Remi.

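After the upgrade, it's recommended to restart services for the changes to take effect:

# CentOS 6 uses SysV init scripts, so services are restarted with "service" (systemctl is not available)
service php-fpm restart
service nginx restart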

Tune the php.ini configuration at /etc/opt/remi/php56/ for optimal performance and security.

Additionally, test your web apps thoroughly for compatibility with PHP 5.6. Modernize any deprecated code or configs.

Now let's look at some ways to further tighten the security of our upgraded PHP-FPM 5.6 installation.

Hardening and Securing PHP-FPM

While upgrading to supported versions improves base security, here are additional steps I recommend for hardening PHP-FPM:

  1. Disable unused modules – Reduce attack surface by only loading essential extensions.

  2. Follow least privilege principle – The php-fpm user should have permissions only for app code and files.

  3. Enable SELinux – Have SELinux running in enforcing mode, providing an added security layer.

  4. Restrict network access – Allow only authorized server IPs to connect to php-fpm sockets.

  5. Limit resources usage – Set PHP memory limits, execution timeouts and file size uploads based on app needs.

  6. Apply latest security patches – Regularly patch PHP packages via yum or Remi repository for vulnerability fixes.

You can also refer to in-depth security hardening benchmarks such as CIS guidelines specific to PHP.
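
Items 2, 4 and 5 of the list above can be checked mechanically against the FPM pool file and php.ini. The script below is an added example, not part of the original guide; the helper names (ini_get, to_mb, audit_pool, audit_ini), the numeric caps and the sample files are assumptions constructed for illustration, while the directive names are standard PHP and PHP-FPM settings.

```sh
# Added example: audit an FPM pool file and php.ini against items 2, 4 and 5 above.
# The caps (256M memory, 60s runtime, 64M upload) are assumed policy values.

# ini_get FILE KEY -> last uncommented value of KEY, minus spaces, quotes, comments
ini_get() {
    awk -F= -v k="$2" '
        /^[ \t]*[;#]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1); sub(/[ \t]*;.*$/, "", v)
                   gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v }
        END { print val }' "$1"
}

# to_mb VALUE -> whole megabytes for php.ini shorthand (K, M, G); -1 stays -1 (unlimited)
to_mb() {
    case "$1" in
        -1)    echo -1 ;;
        *[Gg]) echo $(( ${1%?} * 1024 )) ;;
        *[Mm]) echo "${1%?}" ;;
        *[Kk]) echo $(( ${1%?} / 1024 )) ;;
        *)     echo $(( ${1:-0} / 1048576 )) ;;
    esac
}

audit_pool() {   # least privilege (user) and network exposure (listen)
    user=$(ini_get "$1" user); listen=$(ini_get "$1" listen)
    case "$user" in ""|root) echo "POOL: user is unset or root" ;; esac
    case "$listen" in
        /*) case "$(ini_get "$1" listen.mode)" in
                *[1-7]) echo "POOL: socket $listen is accessible to all local users" ;;
            esac ;;
        127.0.0.1:*|localhost:*) ;;
        *)  [ -n "$(ini_get "$1" listen.allowed_clients)" ] || echo "POOL: TCP listener $listen has no listen.allowed_clients" ;;
    esac
}

audit_ini() {    # resource limits; unset keys fall back to PHP defaults and pass
    mem=$(to_mb "$(ini_get "$1" memory_limit)"); met=$(ini_get "$1" max_execution_time)
    up=$(to_mb "$(ini_get "$1" upload_max_filesize)")
    if [ "$mem" -lt 0 ] || [ "$mem" -gt 256 ]; then echo "INI: memory_limit unlimited or above 256M"; fi
    if [ "${met:-30}" -eq 0 ] || [ "${met:-30}" -gt 60 ]; then echo "INI: max_execution_time unlimited or above 60s"; fi
    if [ "$up" -gt 64 ]; then echo "INI: upload_max_filesize above 64M"; fi
}

# Constructed sample input, not taken from a real server
tmp=$(mktemp -d)
printf '%s\n' '[www]' 'user = root' 'listen = 9000' > "$tmp/www.conf"
printf '%s\n' 'memory_limit = -1' 'max_execution_time = 0 ; no limit' > "$tmp/php.ini"
audit_pool "$tmp/www.conf"; audit_ini "$tmp/php.ini"
```

The constructed sample produces two POOL findings (root user, unrestricted TCP listener) and two INI findings (unlimited memory and execution time).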

Pro Tip: Consider upgrading all the way to PHP 7.x for even higher performance and more extended security support!

Troubleshooting Upgrade Issues

When upgrading PHP versions, here are some common issues faced and solutions:

Site connectivity problems after upgrade

This is often due to version mismatches between PHP and the web server. Restart services to sync configs:

# CentOS 6 uses SysV init scripts, so restart each service with "service"
service php-fpm restart
service nginx restart

Missing PHP modules and extensions

Enable the correct Webtatic, Remi and EPEL repositories providing extra PHP packages. Then reinstall modules.

PHP syntax errors after upgrade

Clear all opcode caches and test code thoroughly for compatibility with newer PHP 5.6 syntax. Update deprecated code causing fatal errors.

Permission denied errors

Double-check the permissions assigned to the PHP-FPM process and pool users. Also review SELinux policies; you may need to set a boolean to allow access.

Watch out for 5xx errors such as 500 Internal Server Error in your web server logs. The PHP and framework logs and the OS syslog can provide helpful debugging details for pinning down the root cause of upgrade failures.

To Upgrade or Not to Upgrade?

We've gone through a comprehensive guide on upgrading CentOS 6 to the latest supported PHP 5.6 branch covering the why, how and best practices around the upgrade process.

Here's a quick summary of the core benefits of upgrading:

Security – Supported PHP versions get regular fixes for vulnerabilities protecting servers from attacks targeting outdated PHP installs.

Performance – Newer PHP 5.6 performs over 2x faster through enhanced execution engines and compilers. Faster PHP decreases load on your infrastructure.

Reliability – Years of stability improvements and bug fixes make upgraded PHP versions more reliable.

Features – Access to newer PHP language capabilities helpful for building robust, secure web applications taking advantage of modern features.

Support – PHP 5.6 receives critical support and maintenance updates till December 2021.

So while CentOS 6 itself reaches end-of-support, upgrading your PHP stack to 5.6 allows you to continue leveraging the stability and security of CentOS 6 for hosting applications.

Combined with proper hardening, this provides an incremental upgrade path for EOL infrastructure still running business critical workloads.

I highly recommend all readers still operating PHP 5.3 on CentOS 6 to start testing and deploying upgrades to 5.6 for a simple lift-and-shift security improvement today!