Final vhost template: SetHandler + ProxyFCGISetEnvIf for both paths

Reverts from ProxyPassMatch back to SetHandler + ProxyFCGISetEnvIf.
ProxyPassMatch couldn't override DOCUMENT_ROOT (Apache sets it as a
CGI param after all directives run). SetHandler with unconditional
ProxyFCGISetEnvIf correctly overrides both:

- DOCUMENT_ROOT: set to /home/{user}/public_html (FPM path)
- SCRIPT_FILENAME: constructed from DOCUMENT_ROOT + SCRIPT_NAME

This fixes WordFence WAF and other plugins that use DOCUMENT_ROOT to
locate config/log files. Tested on live sites with WordPress pretty
URLs, wp-admin, static assets, and WordFence WAF optimization.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

configs/shared-vhost-template.tpl

@@ -27,11 +27,17 @@
     SSLCertificateFile /etc/pki/tls/certs/localhost.crt
     SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 
-    # Proxy PHP requests to FPM with the correct filesystem path.
+    <FilesMatch \.php$>
-    # Apache serves static files directly from /mnt/users/ (read-only mount),
+        SetHandler "proxy:fcgi://~~fpm_host~~:~~fpm_port~~"
-    # but PHP-FPM has files at /home/{user}/public_html/ (its own mount).
+    </FilesMatch>
-    # ProxyPassMatch maps .php URLs directly to the FPM container's path.
+
-    ProxyPassMatch "^/(.*\.php(/.*)?)$" "fcgi://~~fpm_host~~:~~fpm_port~~/home/~~user~~/public_html/$1"
+    # The shared httpd serves files from /mnt/users/{user}/{domain}/public_html
+    # but the FPM container has them at /home/{user}/public_html.
+    # Override both DOCUMENT_ROOT and SCRIPT_FILENAME so PHP sees the
+    # correct paths (required for plugins like WordFence that use
+    # $_SERVER['DOCUMENT_ROOT'] to locate config files).
+    ProxyFCGISetEnvIf "true" DOCUMENT_ROOT "/home/~~user~~/public_html"
+    ProxyFCGISetEnvIf "true" SCRIPT_FILENAME "/home/~~user~~/public_html%{reqenv:SCRIPT_NAME}"
 
     DirectoryIndex index.php index.html index.htm