
Installing php-fpm and nginx on Debian 8

The fate of a site depends on a stable and fast server. Slow responses and frequent outages can scare away both visitors and search engines. Search engines will also lower the ranking of a slow site in the search results, so that it ends up not in the top 10 but, say, in the top 100 for all queries.

Serving sites with the nginx and php-fpm combination increases their speed and the stability of the system as a whole. In addition, by dropping apache we simplify the system somewhat and even make it safer. After all, if there is no apache, an attacker cannot use, for example, a .htaccess file for their own purposes.

The nginx + php-fpm bundle is quite easy to configure and is supported by many popular CMSs: WordPress, MODX, DLE, and various frameworks. All of this can work without bulky apache.

When setting up a web server, you cannot do without creating users. Ideally, a separate user should be created for each site, so that the other sites stay protected if one of the users is hacked. The examples in this article assume that you created users according to the instructions.

First, install the basic modules: php-fpm, mysql, curl, GD. Everything else depends on individual needs.

  # aptitude install nginx php5-fpm php5-mysqlnd php5-curl php5-gd 

The configuration files are located in the /etc/php5/fpm/ directory.

Configuring a php pool to serve requests

Initially, php-fpm has only one pool called www. We will use it as a basis for other pools.

Open the configuration file /etc/php5/fpm/pool.d/www.conf, consider some of its variables and choose values for them.

The first variable is the name of the pool. It is enclosed in square brackets and cannot coincide with the name of any user existing in the system.


Next, specify the user, and that user's group, in whose home directory the site is located.

  user = username
  group = www-data

Specify that the pool should listen on a unix socket. The variable $pool will be replaced with the pool name.

listen = /var/run/php-$pool.sock

Select static mode, in which a set number of pool processes is created when fpm starts. They serve all incoming requests.

pm = static

Why this choice? :) It is the most economical option. Each pool process will occupy the amount of RAM set in the memory_limit variable, plus several megabytes for each loaded module, cache, and so on. In static mode all requests are handled only by the processes already created; no new ones are spawned (which would take up precious memory). As a result, memory consumption is fixed.

Specify the required number of processes serving requests. It is selected depending on the workload.

pm.max_children = 3

I recommend adding the following parameters to the end of the pool configuration file.

Directory for placing temporary files:

  php_admin_value[upload_tmp_dir] = "/var/www/username/tmp"

The directory for storing session files:

  php_admin_value[session.save_path] = "/var/www/username/sessions"

For security reasons, these directories should be accessible only to the user under whose permissions the php-fpm pool runs. Also, do not use the same directory for session files and for temporary files.

The memory limit for running scripts should be selected based on the requirements of the site. To start:

  php_admin_value[memory_limit] = 50M

Set a required parameter that eliminates the vulnerability:

  php_admin_value[cgi.fix_pathinfo] = 0

The sendmail_path and open_basedir variables are deliberately not set here. They will be passed as FastCGI parameters in the nginx configuration file, so each site can have its own settings. :)

After all the necessary parameters are specified, you should reload the php-fpm configuration with the command:

  # service php5-fpm reload 
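
One way to check a pool file against the recommendations above (cgi.fix_pathinfo set to 0, separate private directories for uploads and sessions). This is an added example, not part of the original article; the function names `pool_value`, `dir_private` and `audit_pool` are made up for the illustration, and one pool per file is assumed.

```shell
#!/bin/sh
# Audit one php-fpm pool file against the settings recommended above.
# Usage: sh audit_pool.sh /etc/php5/fpm/pool.d/<pool>.conf
# Function names are illustrative; one pool per file is assumed.

# pool_value FILE KEY: print the last value set for KEY, either as a plain
# "KEY = value" line or as "php_admin_value[KEY] = value", quotes removed.
pool_value() {
    sed -n -e 's/^[[:space:]]*//' -e '/^;/d' \
        -e "s/^php_admin_value\[$2][[:space:]]*=[[:space:]]*//p" \
        -e "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# dir_private DIR USER: true only for a directory owned by USER, mode 0700.
dir_private() {
    [ -n "$(find "$1" -prune -type d -user "$2" -perm 700 2>/dev/null)" ]
}

# audit_pool FILE: print one line per finding, return the number of findings.
audit_pool() {
    f=$1 n=0
    user=$(pool_value "$f" user)
    tmp=$(pool_value "$f" upload_tmp_dir)
    sess=$(pool_value "$f" session.save_path)
    fix=$(pool_value "$f" cgi.fix_pathinfo)
    finding() { echo "$f: $1"; n=$((n + 1)); }

    [ "$fix" = 0 ] || finding "cgi.fix_pathinfo is '${fix:-unset}', expected 0"
    [ -n "$tmp" ] || finding "upload_tmp_dir is not set"
    [ -n "$sess" ] || finding "session.save_path is not set"
    if [ -n "$tmp" ] && [ "$tmp" = "$sess" ]; then
        finding "upload and session files share $tmp"
    fi
    [ -z "$tmp" ] || dir_private "$tmp" "$user" ||
        finding "$tmp is not a 0700 directory owned by '$user'"
    [ -z "$sess" ] || dir_private "$sess" "$user" ||
        finding "$sess is not a 0700 directory owned by '$user'"
    return "$n"
}

# Run the audit when a pool file is given on the command line.
[ "$#" -eq 0 ] || audit_pool "$1"
```

The exit status is the number of findings, so a zero status means the pool file and its directories match the recommendations.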

Processing php scripts using nginx

It remains to configure nginx to work with php-fpm. The ready config:

  server {
      # example.com is a placeholder: replace it with your domain
      server_name example.com;
      listen 80;
      access_log /var/log/nginx/example.com.access.log;
      error_log /var/log/nginx/example.com.error.log;
      charset utf-8;
      index index.php;
      root /var/www/example.com;

      location / {
          try_files $uri $uri/ /index.php?$args;
      }

      location ~ \.php$ {
          # answer 404 for scripts that do not exist on disk
          try_files $uri =404;
          fastcgi_pass unix:/run/php-www.sock;
          fastcgi_index index.php;
          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PHP_VALUE "sendmail_path = /usr/sbin/sendmail -t -i";
          fastcgi_param PHP_ADMIN_VALUE "open_basedir = /var/www/example.com/:/var/save_path/:/var/tmp_dir/";
      }
  }

Replace example.com with your domain.

Description of parameters :

try_files $uri =404; makes the user's browser show a 404 error instead of the message "no input file specified" when that error occurs.

fastcgi_pass - path to the php-fpm socket.

  fastcgi_pass unix:/run/php-www.sock;

The following parameter sets the path to sendmail and the option that specifies the email address of the site administrator. Replace it with your own.

  fastcgi_param PHP_VALUE "sendmail_path = /usr/sbin/sendmail -t -i";

We list the directories for open_basedir: the directory with the site, the directory for saving temporary files, the directory for session files.

  fastcgi_param PHP_ADMIN_VALUE "open_basedir = /var/www/example.com/:/var/save_path/:/var/tmp_dir/";

If you need to pass several parameters, you should do it this way:

  fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i \n open_basedir = /var/www/example.com/:/var/save_path/:/var/tmp_dir/";

As you can see, the parameters are separated by a line break: \n.

We save all the changes we made and restart nginx.

  # service nginx reload 


4 comments on "Installing php-fpm and nginx on Debian 8"

  1. Good day. The root directive in the httpd config should probably be closed with a semicolon, and the config itself should be placed in /etc/nginx/sites-enabled under the name of the site address.

  2. Why create users for each site separately?
    What does it mean that if one user is hacked, the other sites will be safe?

    Do I need to create different users if I am the only one working in the system and log in via SSH with a certificate?
    The DB is also not exposed to the Internet.

