daemon is working... i can talk to it... but is has asked me to make rpcpassword in configuration file... i set it, but what is it? when i will need it? how secure it has to be?
Moderately secure if you only access the rpc ports from local.
and second question... how to talk to this deamon from PHP?
https://en.bitcoin.it/wiki/PHP_developer_introand 3rd (probably it is somewhere already)... how to protect btc files on server (which file - which user - which permission)... i know that i have to keep all the btc out of server and i am going to do it... but i need some BTC ready to spend... and i do not want to loose them until i spend it
Run a different container (like LXC, vserver..., NOT process based, like chroot). Firewall it well. Only allow rpc connections from the php machine. Run the bitcoind daemon as user bitcoin.
This will protect you against vulnerabilities in bitcoind which could compromise your server and against vulnerabilities in your other applications which might compromise your wallet. If will NOT protect you against vulnerabilities in your bitcoin webapp!
If you don't need to do payments immediately as they are generated on the webapp, I would suggest you keep the bitcoin wallet and the app separate. The webapp should send an email to a human, who will review the transaction and manually approve it.