support for FastCGI over TLS

[ctr49]

Description

Currently, php-fpm supports UNIX and TCP socket operation. However, to enhance security (and privacy of data in transit) it might be useful to also have an option for a TLS socket, ideally mTLS, additional to TCP for remote connections.

In such cases, it is already possible to use transparent transport encryption (VPN, or a TLS-tunnel), but php-fpm wouldn't have an idea about it. With integrated TLS support, information from the TLS session (e.g. X.509 attributes) could be used to populate "allowed_clients" or php-fpm's ENV to control further behavior.

Since (optional) OpenSSL support is already present in PHP, it should be relatively trivial to also support a TLS listener - with a bit more work for mTLS and actually making use of TLS session information.

[crrodriguez]

Stunnel should allow you do to this quite easily. maybe even socat..

[bukka]

I got this on my TODO list already. Stunnel is an option in the meantime but native implementation would be better as you don't need to manage addition service. It would eventually need web server support so you don't stunnel on that side either. Client cert support (mTLS) and PSK (session) support should be of course part of it.

[crrodriguez]

I got this on my TODO list already. Stunnel is an option in the meantime but native implementation would be better as you don't need to manage addition service. It would eventually need web server support so you don't stunnel on that side either. Client cert support (mTLS) and PSK (session) support should be of course part of it.

Since I did not found any formal specification on fastcgi over TLS.. wouldn't *CGI over QUIC make more sense today instead?

[bukka]

Since I did not found any formal specification on fastcgi over TLS.. wouldn't *CGI over QUIC make more sense today instead?

I would imaging that would be much harder to implement on both FPM and web server. TLS over FastCGI should be relatively straight forward. I wouldn't say it's trivial as it's still quite a bit of work but should be easier than CGI over QUIC which I didn't find any spec for either.