Sorry, I cannot find a more suitable forum for this topic.
I’d like to say some words about the nginx web server and running it to serve PHP websites. nginx does not have built-in PHP support (as a module), so PHP can be used only as a FastCGI server. Let’s see…
First of all, about PHP. When running PHP as a FastCGI server, it is very good to use FPM (FastCGI Process Manager). PHP-FPM is currently a patch for PHP, but it was included into the main source, so it will be available with PHP soon. The official FPM website is http://php-fpm.org
The task of php-fpm is to start worker processes as described in its configuration file. The worker processes can be grouped into pools that serve 1 TCP port or UNIX socket. Any pool can be chroot-ed into any directory for security purposes. So, let’s see 2 situations.
Situation 1. One user, many websites
It is simple, because it is not needed to think about security so much as when serving many users. So, for example, you run a VPS server for your own web projects. In this case using nginx+php-fpm is a very good idea because it can save much RAM that costs you money. You probably don’t need to chroot your PHP worker processes. So, the configuration will be easy:
<!-- FPM config file fragment -->
<section name="pool">
  <value name="name">default</value>
  <value name="listen_address">/tmp/php.sock</value>
  <value name="listen_options">
    <value name="backlog">-1</value>
    <value name="owner">web</value>
    <value name="group">web</value>
    <value name="mode">0666</value>
  </value>
  <value name="php_defines"></value>
  <value name="user">dbb</value>
  <value name="group">dbb</value>
  <value name="pm">
    <value name="style">static</value>
    <value name="max_children">4</value>
    <value name="apache_like">
      <value name="StartServers">2</value>
      <value name="MinSpareServers">1</value>
      <value name="MaxSpareServers">1</value>
    </value>
  </value>
  <value name="request_terminate_timeout">0s</value>
  <value name="request_slowlog_timeout">0s</value>
  <value name="slowlog">logs/slow.log</value>
  <value name="rlimit_files">1024</value>
  <value name="rlimit_core">0</value>
  <value name="chroot"></value>
  <value name="chdir"></value>
  <value name="catch_workers_output">yes</value>
  <value name="max_requests">10</value>
  <value name="allowed_clients">127.0.0.1</value>
  <value name="environment">
    <value name="HOSTNAME">$HOSTNAME</value>
    <value name="PATH">/usr/local/bin:/usr/bin:/bin</value>
    <value name="TMP">/tmp</value>
    <value name="TMPDIR">/tmp</value>
    <value name="TEMP">/tmp</value>
    <value name="OSTYPE">$OSTYPE</value>
    <value name="MACHTYPE">$MACHTYPE</value>
    <value name="MALLOC_CHECK_">2</value>
  </value>
</section>

/tmp/php.sock in this example is the UNIX socket for connecting to the FastCGI server; <value name="max_children">4</value> is the number of worker processes.
The corresponding nginx configuration will look like this:
# nginx vhost config
server {
    listen 80;
    server_name your_website.com;

    location / {
        root /home/dbb/www/your_website.com;
        index redir.php index.php index.html index.htm;
    }

    location ~ \.php$ {
        root html;
        fastcgi_pass unix:/tmp/php.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /home/dbb/www/your_website.com/$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

Just ensure that all the paths here are valid. If something doesn’t work, just check your nginx server’s logs.
In this situation everything is easy. You may use a small count of php workers because all of them will serve your sites. nginx uses very little RAM, so your total RAM usage will be much less than with Apache.
Situation 2. Many users, each user has a few websites
It is the most complex situation. In this case each user can upload some php shell script and browse the server’s filesystem. He can look at the MySQL passwords of the other users, corrupt their data & so on… Also your users are able to run any UNIX command (if you didn’t disable exec/system/passthru/etc in your php.ini), which is insecure, too.
I am now trying to find the best solution for this case and ask everybody for his/her help. It seems to be impossible to give open_basedir to a worker. My current solution is chroot, but chroot-ing FastCGI pools causes a huge count of problems. Let’s see some of them.
1. 5-6 worker processes work MUCH (as hellllllllll) more effectively when they all serve all users, but not when each process serves its 1 user. It can cause 502 Bad Gateway & 504 Gateway Timeout errors. Making more processes per user solves the problem, but makes PHP consume too much RAM.
2. PHP inside chroot environment cannot resolve domain names. This problem may be solved by creating needed hard links (or copies) in the chroot directory. The needed files are (for Debian lenny): /etc/resolv.conf, /etc/nsswitch.conf, /lib/libnss_dns.so.2. Note that /lib/libnss_dns.so.2 in Debian lenny is a hard link by itself.
3. PHP cannot access /tmp directory. The same solution — to create tmp directory inside the chroot environment.
4. PHP cannot send mail because it cannot access sendmail. This problem is a little more complex than 2 & 3, because the solution may differ for various MTAs, but another possible solution is to put inside the chroot some sendmail alternative that connects to the local SMTP server over TCP/IP. There is a little problem: PHP does not run sendmail directly, it requires the /bin/sh executable (wtf? why?)… So, you have to put /bin/sh into your chroot environment. I used my system’s /bin/bash for it. Also it is needed to put some dependencies:
us:~# ldd /bin/bash
libncurses.so.5 => /lib/libncurses.so.5 (0xb7ee2000)
libdl.so.2 => /lib/libdl.so.2 (0xb7ede000)
libc.so.6 => /lib/libc.so.6 (0xb7da0000)
/lib/ld-linux.so.2 (0xb7f1c000)
us:~#
Just a little addition.
Of course, it’s possible not to use chroot — just to run pools with their users’ permissions (but it does not solve problem #1). Or simply to use Apache for the second situation… Anyway I don’t want to agree that my problem is impossible to solve with nginx + php-fpm…
Yeah, found the solution!
The solution is to add a special php script that will process each request and set security settings (PHP’s auto_prepend_file does not suit :-p ).
nginx vhost config:
fastcgi_param SCRIPT_FILENAME /path/to/security.php;
fastcgi_param USER_SCRIPT_FILENAME /home/username/www/site_address.com/$fastcgi_script_name;
Then, in security.php we can detect the hostname ($_SERVER['SERVER_NAME']) and, depending on it, launch the user’s script ($_ENV['USER_SCRIPT_FILENAME']). The security settings may include ini_set’ing open_basedir & disable_functions. Nice!
I will write an article for my website soon.
Thanks for interest.
(UPD) Here it is: http://the1st.net.ru/php-fastcgi.shtml
Sorry for my English
Last edited by WST (17-01-2010 02:21:22)
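The request wrapper that WST describes above (nginx points SCRIPT_FILENAME at one front script, which confines the worker and then runs the user’s real script) is not reproduced in the thread, so here is an added example of how such a security.php can be written. It is example code for this thread, not WST’s own script and not part of php-fpm. It assumes the two fastcgi_param lines from the post; the vhost table and its paths are constructed sample values. Two facts it relies on: nginx fastcgi_params are delivered in $_SERVER (they reach $_ENV only when variables_order includes “E”), and disable_functions is a PHP_INI_SYSTEM setting that ini_set() cannot change, so it has to come from php.ini or the pool configuration, while open_basedir can be tightened at runtime from PHP 5.3 on.

```php
<?php
// security.php: front controller that confines the worker to one vhost's
// document root before handing control to the requested user script.
// Added example for this thread, not WST's script. VHOSTS and its paths are
// constructed samples; USER_SCRIPT_FILENAME is the fastcgi_param from the post.

// vhost -> document root (constructed sample values; one entry per site)
const VHOSTS = [
    'site_address.com'     => '/home/username/www/site_address.com',
    'www.site_address.com' => '/home/username/www/site_address.com',
];

/**
 * Return the canonical path of the user's script if, and only if, it lies
 * inside the document root registered for $serverName; null otherwise.
 * realpath() collapses "../" and symlinks before the prefix check, so a path
 * that escapes the root, or a file that does not exist, is refused.
 */
function resolve_user_script(array $vhosts, string $serverName, string $requested): ?string
{
    $serverName = strtolower($serverName);
    if (!isset($vhosts[$serverName])) {
        return null;
    }
    $root = rtrim($vhosts[$serverName], '/');
    $real = realpath($requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against "$root/" so that "/home/u/www/site.com.evil" is not
    // accepted as being under "/home/u/www/site.com".
    if (strncmp($real, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Apply the per-request restrictions, then run the user's script in place. */
function confine_and_run(string $script, string $root): void
{
    // open_basedir may be narrowed (never widened) at runtime since PHP 5.3.
    // /tmp is kept so sessions and uploads keep working.
    if (ini_set('open_basedir', $root . PATH_SEPARATOR . '/tmp') === false) {
        http_response_code(500);
        exit('open_basedir could not be applied');
    }
    // disable_functions cannot be set here; it must be configured for the pool
    // (php_admin_value in the pool config or php.ini). Refuse to serve rather
    // than run unconfined if the pool was started without it.
    if (trim((string) ini_get('disable_functions')) === '') {
        http_response_code(500);
        exit('disable_functions is not set for this pool');
    }
    // Make the target script see the environment it would have seen directly.
    $_SERVER['SCRIPT_FILENAME'] = $script;
    chdir(dirname($script));
    require $script;
}

$serverName = $_SERVER['SERVER_NAME'] ?? '';
// nginx fastcgi_params arrive in $_SERVER; $_ENV is only a fallback.
$requested  = $_SERVER['USER_SCRIPT_FILENAME'] ?? ($_ENV['USER_SCRIPT_FILENAME'] ?? '');

$script = resolve_user_script(VHOSTS, $serverName, $requested);
if ($script === null) {
    http_response_code(404);
    exit('Not found');
}
confine_and_run($script, rtrim(VHOSTS[strtolower($serverName)], '/'));
```

The nginx side stays exactly as in the post: SCRIPT_FILENAME carries the wrapper, USER_SCRIPT_FILENAME carries the script the visitor asked for. Note what this does and does not buy: open_basedir limits what the user’s PHP code can open, but every vhost handled by the wrapper still runs inside the same pool, so file ownership and the pool’s user/group (or a chroot, as in the first post) remain the boundary between users at the operating-system level.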
Many people dislike the www prefix. Some sites work only with the “www” prefix, some only without it, some sites open different pages with “www” and without it. It’s a global infection :-D
Example: link1, link2
nginx can be configured to disallow users to visit sites with addresses “www.something” and redirect them to “something”.
http://the1st.net.ru/nginx-nowww.shtml
Interested too.. using nginx, is there a tutorial.. in Indonesian. Is there one..
Sorry for the English… I can’t speak Indonesian.
I never saw nginx tutorials in the Indonesian language, but I know some servers running nginx (http://unpad.ac.id, http://mirror.unej.ac.id, http://indowebster.com and many others). I use nginx, too.
Anyway, if you have any questions, feel free to ask here, I will try to help.
Regarding mr google from this site..
http://www.joeandmotorboat.com/2008/02/ … eathmatch/
I am trying to install it on my server just for testing only; my server now is working with apache. Suppose I have to change to nginx, is it not a problem, cause now my server is running such as.
squid
webmin.
mrtg
webalizer
calamaris
zabbix
thanks
hermawan_fsi,
So, what is the problem? Using webalizer for nginx’s logs? I never used webalizer, but I think it should not be a problem — nginx’s log format is fully customizable. The official documentation is available here (unfortunately, Russian only, but you may try to read it with Google Translate).
---
Btw… I wanted to say some words on how to use nginx for choosing the most suitable mirror of a web site.
For example, you have 2 servers — one in Singapore and the other in Moscow. The Singapore server serves the website sg.site.com, the Moscow server serves ru.site.com and site.com. You need to solve the next task: visitors from Indonesia, Malaysia and Singapore should be directed to sg.your_site.com and all the others — to ru.site.com. It can be easily done with nginx — all you need is to add some checks to your vhost configuration:
if ($geoip_country_code = ID) {
    rewrite ^(.*)$ http://sg.site.com$1 permanent;
}
if ($geoip_country_code = SG) {
    rewrite ^(.*)$ http://sg.site.com$1 permanent;
}
if ($geoip_country_code = MY) {
    rewrite ^(.*)$ http://sg.site.com$1 permanent;
}
rewrite ^(.*)$ http://ru.site.com$1 permanent;

The variable $geoip_country_code is automatically set by ngx_http_geoip_module; be sure to have compiled it in (--with-http_geoip_module). You will also need to specify the path to the GeoIP database:
http {
    geoip_country /path/to/GeoIP.dat;
    …
thanks for your reply..
actually I see some websites here using nginx, such as www.indowebster.com; those sites are good for filesharing, but when those sites were down I saw they were using nginx.. but formerly they were using apache..
this is what I am worried about in building a webserver,
hermawan_fsi wrote:
this is what I am worried about in building a webserver,
If some web server is down then there is some reason for that. For example, with nginx you may get 502 or 504 errors if you configure your FastCGI server not well. A 502 (“Bad gateway” or “Proxy error”) error may occur when the FastCGI server is busy and cannot handle a new request; a 504 may occur when the FastCGI server processes the request for too long a time. So, if you get a 502 error, it is needed to increase the FastCGI workers count; if 504, then it is needed to analyse your website for slow parts and rewrite them if needed (or order a more powerful server).
A 502 error may also occur when you are using the proxy_pass directive (for example, to forward Apache’s output).
It’s now time for me to ask. Does anybody know whether it is possible to calculate a vhost’s traffic or not? For example, if I want to make a limit of 10G/month for some vhost and to show an HTTP 509 error to site visitors if the vhost exceeded its quota…