Installing PHP 8.2 and Nginx on openSUSE Leap 15.5: Enterprise Environments for CodeIgniter 4
System Preparation and Repository Configuration
For enterprise deployments, a stable and well-maintained operating system is paramount. openSUSE Leap 15.5 provides a robust foundation. We’ll ensure the system is up-to-date and configure necessary repositories for PHP 8.2 and Nginx.
Begin by updating your system’s package index and upgrading existing packages. This is a critical first step to avoid potential conflicts and ensure you’re working with the latest stable versions of system components.
sudo zypper refresh
sudo zypper update -y
Next, we need to add the necessary repositories. openSUSE’s `zypper` package manager relies on repositories to fetch software. For PHP 8.2, we’ll leverage the Open Build Service (OBS) which hosts up-to-date PHP versions for various distributions. For Nginx, the official repository is preferred for the latest stable releases.
Add the PHP 8.2 repository. The exact URL might change with OBS updates, so it’s advisable to verify the latest available repository for openSUSE Leap 15.5 on the OBS website if you encounter issues.
sudo zypper addrepo --refresh https://download.opensuse.org/repositories/devel:languages:php:PHP_8.2/openSUSE_Leap_15.5/devel:languages:php:PHP_8.2.repo
sudo zypper refresh
Now, add the official Nginx repository. This ensures you get timely security updates and new features for Nginx.
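# Register nginx.org's SLES 15 package repository over HTTPS with GPG checking enabled (Leap 15.5 shares the SLES 15 package base)
sudo zypper addrepo --gpgcheck --type yum --refresh --check https://nginx.org/packages/sles/15 nginx-stable
# On first refresh zypper asks whether to trust the nginx signing key; compare its fingerprint with the one published on nginx.org
sudo zypper refresh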
Installing PHP 8.2 and Essential Extensions
With repositories configured, we can proceed with installing PHP 8.2 and the extensions commonly required by modern PHP applications, especially frameworks like CodeIgniter 4.
Install the PHP 8.2 core package along with common extensions such as `cli`, `fpm` (FastCGI Process Manager, essential for Nginx integration), `mbstring` (for multi-byte string support), `mysql` (for MySQL/MariaDB connectivity), `gd` (for image manipulation), `xml` (for XML processing), and `zip` (for handling zip archives).
sudo zypper install -y php82 php82-cli php82-fpm php82-mbstring php82-mysql php82-gd php82-xml php82-zip
Verify the installation by checking the PHP version.
php -v
For CodeIgniter 4, several other extensions are highly recommended or required for specific functionalities. These include `intl` for internationalization, `openssl` for cryptographic functions, `bcmath` for arbitrary precision mathematics, and `redis` if you plan to use Redis for caching or session management.
sudo zypper install -y php82-intl php82-openssl php82-bcmath php82-redis
After installing new extensions, it’s good practice to restart the PHP-FPM service to ensure they are loaded.
sudo systemctl restart php-fpm
Configuring PHP-FPM for Nginx
PHP-FPM is the bridge between Nginx and PHP. It manages PHP worker processes and communicates with Nginx via a socket or TCP port. For optimal performance and security, using a Unix socket is generally preferred over a TCP port on the same server.
Locate the PHP-FPM configuration file. On openSUSE, this is typically found at /etc/php82/fpm/php-fpm.conf and its pool configurations are in /etc/php82/fpm/pool.d/. The default pool is usually named www.conf.
Edit the pool configuration file (e.g., /etc/php82/fpm/pool.d/www.conf) to specify the listening socket. Uncomment and modify the listen directive.
; listen = /run/php-fpm/www.sock
listen = /run/php82-fpm/www.sock
; Ensure this path matches your PHP version and desired socket location
; listen.owner = www-data
; listen.group = www-data
listen.owner = apache
listen.group = apache
; Use apache user/group for consistency with Nginx on openSUSE
; listen.mode = 0660
listen.mode = 0660
Ensure the user and group specified for the socket (e.g., apache) have the necessary permissions to access it. This is crucial for Nginx to communicate with PHP-FPM. Also, adjust the pm.max_children, pm.start_servers, pm.min_spare_servers, and pm.max_spare_servers directives based on your server’s resources and expected load. For production, tuning these is critical.
pm.max_children = 100
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500 ; Restart workers after 500 requests to prevent memory leaks
After making changes to the PHP-FPM configuration, restart the service.
sudo systemctl restart php-fpm
Enable PHP-FPM to start on boot.
sudo systemctl enable php-fpm
Installing and Configuring Nginx
Now, install the Nginx web server. If you followed the repository steps correctly, `zypper` will fetch it from the official Nginx repository.
sudo zypper install -y nginx
Start and enable the Nginx service.
sudo systemctl start nginx
sudo systemctl enable nginx
The default Nginx configuration is located at /etc/nginx/nginx.conf, and site-specific configurations are typically placed in /etc/nginx/conf.d/ or /etc/nginx/sites-available/ (with symlinks in /etc/nginx/sites-enabled/, depending on your setup preference). For simplicity, we’ll create a new configuration file in conf.d/.
Create a new Nginx server block configuration file for your CodeIgniter 4 application. Let’s assume your application will be served from /srv/www/my_ci4_app and the domain is ci4.example.com.
server {
    listen 80;
    server_name ci4.example.com;
    root /srv/www/my_ci4_app/public; # CodeIgniter 4's public directory
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        # Use the PHP-FPM socket we configured earlier
        fastcgi_pass unix:/run/php82-fpm/www.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    # Deny access to .ht* files (.htaccess, .htpasswd)
    location ~ /\.ht {
        deny all;
    }

    # Cache static assets for a year
    location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|webp)$ {
        expires 1y;
        add_header Cache-Control "public, no-transform";
    }
}
Save this configuration as /etc/nginx/conf.d/ci4.example.com.conf. After creating or modifying Nginx configuration files, it’s essential to test the configuration for syntax errors before reloading Nginx.
sudo nginx -t
If the test is successful, reload Nginx to apply the new configuration.
sudo systemctl reload nginx
Deploying CodeIgniter 4 Application
With the web server and PHP environment ready, you can now deploy your CodeIgniter 4 application. Ensure your application files are placed in the correct directory, and importantly, that the web server user (typically apache on openSUSE) has read and execute permissions for the application files and write permissions for the writable directory.
Create the application directory and set appropriate permissions. Replace /srv/www/my_ci4_app with your actual deployment path.
sudo mkdir -p /srv/www/my_ci4_app/public
# Assuming your CodeIgniter 4 application is zipped and ready to be deployed
sudo unzip /path/to/your/ci4_app.zip -d /srv/www/my_ci4_app/
sudo chown -R apache:apache /srv/www/my_ci4_app
sudo chmod -R 755 /srv/www/my_ci4_app
sudo chmod -R 775 /srv/www/my_ci4_app/writable
The writable directory is crucial for CodeIgniter 4 to store logs, cache files, and session data. Ensure it has write permissions for the web server user.
Security Hardening and Best Practices
For enterprise environments, security is non-negotiable. Implement the following hardening measures.
- Firewall Configuration: Ensure your firewall (e.g., firewalld) is configured to allow only necessary ports (HTTP/80, HTTPS/443).
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
- PHP Configuration (php.ini): Review and adjust php.ini settings for security and performance. Key parameters include:
  - `expose_php = Off`: Hides the PHP version in HTTP headers.
  - `display_errors = Off`: Prevents error messages from being displayed to users in production.
  - `log_errors = On`: Ensures errors are logged.
  - `error_log = /var/log/php82-fpm/error.log`: Specify a dedicated error log file.
  - `session.cookie_httponly = 1`: Protects sessions from client-side scripting.
  - `session.cookie_secure = 1`: Ensures cookies are only sent over HTTPS.
  - `disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source`: Restrict dangerous functions.
  The php.ini file for PHP-FPM is typically located at /etc/php82/fpm/php.ini. Remember to restart PHP-FPM after making changes.
After modifying php.ini, restart PHP-FPM:
sudo systemctl restart php-fpm
- Nginx Configuration:
  - HTTPS: Implement SSL/TLS certificates (e.g., Let’s Encrypt) for all production traffic.
  - Rate Limiting: Configure Nginx to limit request rates to prevent DoS attacks.
  - Security Headers: Add security-related HTTP headers like `Strict-Transport-Security`, `X-Content-Type-Options`, `X-Frame-Options`, and `Content-Security-Policy`.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
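One way to check a deployed php.ini against the settings listed under PHP Configuration above, as an added example that is not part of the original article. The function names and the sample file are constructed for illustration; a directive missing from the file is evaluated at PHP's built-in default, which is an assumption encoded in the table inside `audit_php_ini`.

```bash
# Added example: audit a php.ini for the hardening directives listed above.
ini_get() {  # ini_get <file> <directive> -> effective value, or "<unset>"
  awk -v key="$2" '
    /^[ \t]*;/ { next }                        # whole-line comment
    { n = index($0, "="); if (n == 0) next
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      sub(/[ \t]*;.*$/, "", v)                 # trailing comment
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
      if (k == key) { val = v; seen = 1 } }    # last assignment wins
    END { print (seen ? val : "<unset>") }' "$1"
}
ini_bool() {  # normalise PHP boolean spellings to on/off
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    1|on|true|yes|stdout|stderr) echo on ;; *) echo off ;; esac
}
audit_php_ini() {  # prints one FAIL line per finding; exit status = number of findings
  local file=$1 fails=0 key want default got fn disabled
  # columns: directive, required value, PHP built-in default when the directive is absent
  while read -r key want default; do
    got=$(ini_get "$file" "$key")
    if [ "$got" = "<unset>" ]; then got=$default; fi
    if [ "$(ini_bool "$got")" != "$want" ]; then
      echo "FAIL $key = $got (want $want)"; fails=$((fails + 1))
    fi
  done <<'EOF'
expose_php off on
display_errors off on
log_errors on on
session.cookie_httponly on off
session.cookie_secure on off
EOF
  disabled=",$(ini_get "$file" disable_functions | tr -d ' \t'),"
  for fn in exec passthru shell_exec system proc_open popen curl_exec \
            curl_multi_exec parse_ini_file show_source; do
    case $disabled in *",$fn,"*) ;; *)
      echo "FAIL disable_functions: $fn not listed"; fails=$((fails + 1)) ;;
    esac
  done
  return "$fails"
}
write_sample_ini() {  # constructed sample, not taken from a real server
  printf '%s\n' 'expose_php = Off' 'display_errors = On   ; left on' \
    ';log_errors = On' 'session.cookie_httponly = 1' \
    'disable_functions = exec,passthru,shell_exec,system,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source' > "$1"
}

# Demo run on the constructed sample
tmp=$(mktemp); write_sample_ini "$tmp"; audit_php_ini "$tmp" || echo "$? finding(s)"; rm -f "$tmp"
```

Against a real host, call `audit_php_ini /etc/php82/fpm/php.ini`; the CLI and FPM SAPIs read separate php.ini files, so audit the FPM one.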
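The static-asset location in the server block above sets its own `add_header Cache-Control`, and nginx inherits `add_header` directives from the enclosing level only when the current level defines none, so security headers declared once at server level would be missing from those responses. The check below is an added example, not code from the original article; `lost_headers` and `sample_conf` are hypothetical names, the sample configuration is constructed, and the parser is line-based and assumes one directive per line.

```bash
# Added example: report location blocks that stop inheriting outer add_header lines.
lost_headers() {  # reads an nginx config on stdin or from file arguments
  awk '
    { sub(/#.*/, "") }                 # drop comments (assumes no "#" inside values)
    !in_loc && $1 == "location" && /[{][ \t]*$/ {
      name = $0; sub(/^[ \t]*location[ \t]+/, "", name); sub(/[ \t]*[{][ \t]*$/, "", name)
      in_loc = 1; depth = 1; own = ""; next }
    in_loc {
      if ($1 == "add_header") own = own " " tolower($2) " "
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth == 0) { in_loc = 0; if (own != "") { loc[++n] = name; set[n] = own } }
      next }
    $1 == "add_header" { outer[++m] = $2 }   # declared at server (or http) level
    END {
      for (i = 1; i <= n; i++) {
        miss = ""
        for (j = 1; j <= m; j++)
          if (index(set[i], " " tolower(outer[j]) " ") == 0) miss = miss " " outer[j]
        if (miss != "") print "location " loc[i] " drops:" miss
      } }' "$@"
}

sample_conf() {  # constructed sample; "fixed" repeats the security headers in the location
  cat <<'EOF'
server {
    listen 80;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    location ~* \.(css|js|png)$ {
        expires 1y;
        add_header Cache-Control "public, no-transform";
EOF
  if [ "${1:-}" = fixed ]; then cat <<'EOF'
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options nosniff;
EOF
  fi
  printf '    }\n}\n'
}

# Demo: the first call reports the static-asset location, the second prints nothing
sample_conf | lost_headers
sample_conf fixed | lost_headers
```

The check does not follow `include` directives, so headers pulled into a location from an included file are not seen and that location would still be reported.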
This setup provides a robust, secure, and performant environment for running CodeIgniter 4 applications in enterprise settings on openSUSE Leap 15.5.