scripts/entrypoint-shared-httpd.sh

#!/usr/bin/env bash

export CONTAINER_ROLE="httpd_only"

if [ -z "$environment" ]; then
  environment="PROD"
fi

# Generate self-signed SSL cert if not already present
if [ ! -f /etc/pki/tls/certs/localhost.crt ]; then
  openssl req -newkey rsa:2048 -nodes \
    -keyout /etc/pki/tls/private/localhost.key \
    -x509 -days 3650 -subj "/CN=localhost" \
    -out /etc/pki/tls/certs/localhost.crt
fi

# Create log directory
mkdir -p /var/log/httpd

# Remove default configs that conflict
rm -f /etc/httpd/conf.d/userdir.conf

# Configure RemoteIP for Docker network
docker_network=$(ip addr show | grep eth0 | grep inet | awk -F " " '{print $2}')
if [ -n "$docker_network" ]; then
  echo "RemoteIPInternalProxy $docker_network" >> /etc/httpd/conf.d/remoteip.conf
fi

# Detect memory and calculate Apache MPM tuning
source /scripts/detect-memory.sh
echo "Container memory: ${CONTAINER_MEMORY_MB}MB | Apache workers=${APACHE_MAX_REQUEST_WORKERS} | Role=${CONTAINER_ROLE}"

# Generate MPM tuning config
/scripts/create-apache-mpm-config.sh

# Write SSL global config (matches standalone CAC behavior)
cat <<'EOF' > /etc/httpd/conf.d/ssl-global.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLCryptoDevice builtin
EOF

# Disable the default ssl.conf if present (we use per-vhost SSL)
if [ -f /etc/httpd/conf.d/ssl.conf ]; then
  mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
fi

# Ensure vhosts directory exists and is included
mkdir -p /etc/httpd/conf.d/vhosts
if ! grep -q 'IncludeOptional conf.d/vhosts/' /etc/httpd/conf/httpd.conf; then
  echo 'IncludeOptional conf.d/vhosts/*.conf' >> /etc/httpd/conf/httpd.conf
fi

# Start Apache
/usr/sbin/httpd -k start

# Start cron for log rotation
/usr/sbin/crond

# Tail Apache logs (becomes PID 1 process)
touch /var/log/httpd/error_log
tail -f /var/log/httpd/*

exit 0
Add shared httpd + PHP-FPM-only container architecture Separate Apache and PHP-FPM into distinct container roles to reduce per-customer memory overhead on shared servers. Adds three new images: - Dockerfile.fpm: PHP-FPM only (no Apache), listens on TCP port 9000 - Dockerfile.shared-httpd: Apache only (no PHP), with SSL and proxy_fcgi - Existing Dockerfile unchanged for standalone mode Key changes: - detect-memory.sh: CONTAINER_ROLE env var (combined/fpm_only/httpd_only) controls the memory budget split - create-php-config.sh: FPM_LISTEN env var for TCP port vs Unix socket, added /fpm-ping and /fpm-status health endpoints - New entrypoints for each container role - tune-mpm.sh for hot-adjusting Apache MPM settings - shared-vhost-template.tpl with proxy_fcgi and SSL on port 443 - CI/CD builds all three image types in parallel Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-01 10:08:00 -07:00			`#!/usr/bin/env bash`

			`export CONTAINER_ROLE="httpd_only"`

			`if [ -z "$environment" ]; then`
			`environment="PROD"`
			`fi`

			`# Generate self-signed SSL cert if not already present`
			`if [ ! -f /etc/pki/tls/certs/localhost.crt ]; then`
			`openssl req -newkey rsa:2048 -nodes \`
			`-keyout /etc/pki/tls/private/localhost.key \`
			`-x509 -days 3650 -subj "/CN=localhost" \`
			`-out /etc/pki/tls/certs/localhost.crt`
			`fi`

			`# Create log directory`
			`mkdir -p /var/log/httpd`

			`# Remove default configs that conflict`
			`rm -f /etc/httpd/conf.d/userdir.conf`

			`# Configure RemoteIP for Docker network`
			`docker_network=$(ip addr show \| grep eth0 \| grep inet \| awk -F " " '{print $2}')`
			`if [ -n "$docker_network" ]; then`
			`echo "RemoteIPInternalProxy $docker_network" >> /etc/httpd/conf.d/remoteip.conf`
			`fi`

			`# Detect memory and calculate Apache MPM tuning`
			`source /scripts/detect-memory.sh`
			`echo "Container memory: ${CONTAINER_MEMORY_MB}MB \| Apache workers=${APACHE_MAX_REQUEST_WORKERS} \| Role=${CONTAINER_ROLE}"`

			`# Generate MPM tuning config`
			`/scripts/create-apache-mpm-config.sh`

			`# Write SSL global config (matches standalone CAC behavior)`
			`cat <<'EOF' > /etc/httpd/conf.d/ssl-global.conf`
			`Listen 443 https`
			`SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog`
			`SSLSessionCache shmcb:/run/httpd/sslcache(512000)`
			`SSLSessionCacheTimeout 300`
			`SSLCryptoDevice builtin`
			`EOF`

			`# Disable the default ssl.conf if present (we use per-vhost SSL)`
			`if [ -f /etc/httpd/conf.d/ssl.conf ]; then`
			`mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak`
			`fi`

			`# Ensure vhosts directory exists and is included`
			`mkdir -p /etc/httpd/conf.d/vhosts`
			`if ! grep -q 'IncludeOptional conf.d/vhosts/' /etc/httpd/conf/httpd.conf; then`
			`echo 'IncludeOptional conf.d/vhosts/*.conf' >> /etc/httpd/conf/httpd.conf`
			`fi`

			`# Start Apache`
			`/usr/sbin/httpd -k start`

			`# Start cron for log rotation`
			`/usr/sbin/crond`

			`# Tail Apache logs (becomes PID 1 process)`
			`touch /var/log/httpd/error_log`
			`tail -f /var/log/httpd/*`

			`exit 0`