Fix DOCUMENT_ROOT for PHP-FPM in shared httpd mode

WordPress plugins like WordFence use $_SERVER['DOCUMENT_ROOT'] to locate config/log files. With ProxyPassMatch, Apache sends its own mount path (/mnt/users/...) as DOCUMENT_ROOT, which doesn't exist in the FPM container. ProxyFCGISetEnvIf can't override DOCUMENT_ROOT when using ProxyPassMatch (Apache sets it after the directive evaluates). Instead, set it via the FPM pool config's env[] directive which takes precedence. create-php-config.sh now adds env[DOCUMENT_ROOT] = /home/$user/public_html when in TCP listen mode (shared httpd), giving PHP the correct path. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 13:04:53 -07:00
parent 1490bde56e
commit e20f5620d7
1 changed files with 8 additions and 2 deletions
--- a/scripts/create-php-config.sh
+++ b/scripts/create-php-config.sh
@@ -6,14 +6,19 @@ FPM_LISTEN=${FPM_LISTEN:-/run/php-fpm/www.sock}

 # Determine listen directive and ownership based on socket vs TCP
 if echo "$FPM_LISTEN" | grep -q '/'; then
-  # Unix socket mode
+  # Unix socket mode (standalone — Apache and FPM in same container)
  listen_directive="$FPM_LISTEN"
  listen_owner_block="listen.owner = apache
 listen.group = apache"
+  env_block=""
 else
-  # TCP port mode
+  # TCP port mode (shared httpd — FPM in separate container)
  listen_directive="0.0.0.0:${FPM_LISTEN}"
  listen_owner_block=""
+  # Override DOCUMENT_ROOT so PHP plugins (e.g., WordFence) that use
+  # $_SERVER['DOCUMENT_ROOT'] find files at the FPM container's path,
+  # not the shared httpd's /mnt/users/ mount path.
+  env_block="env[DOCUMENT_ROOT] = /home/$user/public_html"
 fi

 cat <<EOF > /etc/php-fpm.d/$user.conf
@@ -46,6 +51,7 @@ request_slowlog_timeout = 3s
 php_admin_value[error_log] = /home/$user/logs/php-fpm/error.log
 php_admin_flag[log_errors] = on
 php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache
+${env_block}

 EOF