I'm new to nginx and php-fpm.
My question: Do I need to create two php-fpm config files or just one?
Can both nginx configs (different domain/app) point to the same php socket? If so, will it cause session conflicts or any other issues?
Below there are two nginx configs and one php-fpm config. As mentioned above, should I have two php-fpm configs?
php-fpm configs:

    [appname1]
    listen = /var/www/apps/appname1/tmp/php.sock
    user = www-data
    group = www-data
    pm = dynamic
    pm.max_children = <%= node['php5-fpm']['max_children'] %>
    pm.start_servers = <%= node['php5-fpm']['start_servers'] %>
    pm.min_spare_servers = <%= node['php5-fpm']['min_spare_servers'] %>
    pm.max_spare_servers = <%= node['php5-fpm']['max_spare_servers'] %>
    pm.max_requests = 1000
    pm.status_path = /php_status
    request_terminate_timeout = 0
    request_slowlog_timeout = 0
    slowlog = /var/www/apps/appname1/logs/slow.log

nginx config 1:

    upstream backend {
        server unix:/var/www/apps/appname1/tmp/php.sock;
    }
    server {
        listen 80 default;
        root /var/www/apps/appname1/public/app/webroot;
        index index.php index.html index.htm;
        access_log /var/www/apps/appname1/logs/access.log;
        error_log /var/www/apps/appname1/logs/error.log;
        client_max_body_size 20M;
        rewrite_log on;
        # Not found this on disk?
        # Feed to CakePHP for further processing!
        if (!-e $request_filename) {
            rewrite ^/(.+)$ /index.php last;
            break;
        }
        # Pass the PHP scripts to FastCGI server
        # listening on 127.0.0.1:9000
        location ~ \.php$ {
            fastcgi_pass backend;
            fastcgi_index index.php;
            fastcgi_intercept_errors on; # to support 404s for PHP files not found
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
        # ... some other stuff hidden ...
        location ~ ^/(php_status|php_ping)$ {
            fastcgi_pass backend;
            fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
            include fastcgi_params;
            allow 127.0.0.1;
            deny all;
        }
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
        # Deny access to .htaccess files,
        # git & svn repositories, etc
        location ~ /(\.ht|\.git|\.svn) {
            deny all;
        }
    }

nginx config 2:

    upstream backend {
        server unix:/var/www/apps/appname1/tmp/php.sock;
    }
    server {
        listen 80 default;
        server_name test2.com;
        root /var/www/apps/appname2/public/app/webroot;
        index index.php index.html index.htm;
        access_log /var/www/apps/appname2/logs/access.log;
        error_log /var/www/apps/appname2/logs/error.log;
        client_max_body_size 20M;
        rewrite_log on;
        # Not found this on disk?
        # Feed to CakePHP for further processing!
        if (!-e $request_filename) {
            rewrite ^/(.+)$ /index.php last;
            break;
        }
        # Pass the PHP scripts to FastCGI server
        # listening on 127.0.0.1:9000
        location ~ \.php$ {
            fastcgi_pass backend;
            fastcgi_index index.php;
            fastcgi_intercept_errors on; # to support 404s for PHP files not found
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
        # ... some other stuff hidden ...
        location ~ ^/(php_status|php_ping)$ {
            fastcgi_pass backend;
            fastcgi_param SCRIPT_FILENAME $fastcgi_script_name;
            include fastcgi_params;
            allow 127.0.0.1;
            deny all;
        }
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
        # Deny access to .htaccess files,
        # git & svn repositories, etc
        location ~ /(\.ht|\.git|\.svn) {
            deny all;
        }
    }

For setting up my server with Nginx and PHP, I followed the Ars Technica Web Served series. I have a server serving multiple domains that all use PHP in some fashion, and I haven't encountered any errors reported that are related to PHP. Maybe it can help you, too?
Normally you should go with n fpm instances for n domains you're configuring (unless they all point to the same application).
Keep each web application in its own space and create a separate UNIX user for each of them, which you will later use for the FPM instances.
This way you will have separation of privileges (very important), as if someone hacks your application1, they will still not have write access to application2.
There are many other benefits from this configuration, like controlling which app is using more CPU or RAM (ps will show the FPM processes as owned by the user).
And please stop using www-data for web applications!!! It's reserved for the webserver when running as an unprivileged user. If you want to allow the browser to access your data, use secondary groups or set the permissions to allow others to read your files.

Another option could be to use Docker to host several php5-fpm apps in their own containers and then tell nginx to proxy the requests. I have not tried it yet but I plan to. A similar setup works with my Django apps.
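
The one-pool-per-application layout recommended in the answer about separate UNIX users, written out as php-fpm pool definitions (an added example, not part of the original thread or any poster's configuration). The `appname1`/`appname2` accounts, the appname2 socket path, the session directories and the pm sizes are assumptions; it also assumes the FPM master starts as root and nginx runs as www-data.

```ini
; Added example: one pool and one UNIX account per application.
; Account names, appname2 paths, session directories and pm sizes are assumed.

[appname1]
; Workers run as the app's own account, so a compromise of appname1
; does not give write access to appname2's files.
user = appname1
group = appname1
listen = /var/www/apps/appname1/tmp/php.sock
; Only the socket owner and the web server's group may connect.
listen.owner = appname1
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.max_requests = 1000
; Per-app session store: the two apps never share session files.
php_admin_value[session.save_path] = /var/www/apps/appname1/tmp/sessions
; Confine PHP file access to this application's tree.
php_admin_value[open_basedir] = /var/www/apps/appname1/
slowlog = /var/www/apps/appname1/logs/slow.log

[appname2]
user = appname2
group = appname2
listen = /var/www/apps/appname2/tmp/php.sock
listen.owner = appname2
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.max_requests = 1000
php_admin_value[session.save_path] = /var/www/apps/appname2/tmp/sessions
php_admin_value[open_basedir] = /var/www/apps/appname2/
slowlog = /var/www/apps/appname2/logs/slow.log

; nginx side: each server block needs its own upstream pointing at its own
; socket, and upstream names must be unique across loaded files
; (for example backend_appname1 and backend_appname2, hypothetical names).
```

Each session directory must exist and be writable only by its own account, and www-data needs search (x) permission on the directories leading to each socket.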