nginx + suphp

Posted by floweringmind 
nginx + suphp
January 06, 2010 10:49PM
I need help configuring nginx to use suphp. I have compiled suphp and installed it, but I can't figure out how to configure nginx to work with it.

Any help would be greatly appreciated.

Chris
Re: nginx + suphp
January 07, 2010 07:23AM
I haven't seen it done. What have you tried? Shouldn't it be a simple proxy_pass statement back to Apache? The rest is in the httpd.conf.

--
Jim Ohlstein
Re: nginx + suphp
January 07, 2010 11:01AM
Actually the whole route is kind of pointless after reading some articles. It is much better to use php-fpm.

There is a decent article on doing this here: http://interfacelab.com/nginx-php-fpm-apc-awesome/

By the time php 5.3.2 comes out, php-fpm will be integrated into it.

Chris
Re: nginx + suphp
January 07, 2010 11:18AM
floweringmind Wrote:
-------------------------------------------------------
> Actually the whole route is kind of pointless
> after reading some articles. It is much better to
> use php-fpm.

I agree. Suphp is slow.

>
> There is a decent article on doing this here:
> http://interfacelab.com/nginx-php-fpm-apc-awesome/
>
>
> By the time php 5.3.2 comes out, php-fpm will be
> integrated into it.

Is that so? I haven't seen an official announcement to that effect (doesn't mean there hasn't been one!). In the meantime, if you want to use official "php-cgi" you can use supervisord as the process manager with multiple pools with different UIDs. That's what I have done recently for a few reasons. First, php-fpm has been all over the board in terms of its development and can hardly be considered "stable", and it's much easier to maintain PHP with FreeBSD ports. Also, I am still supporting legacy code that doesn't work properly with PHP 5.3 and won't be re-written for a while.

I don't mean to discourage use of php-fpm necessarily. It just doesn't suit my needs at the time and I am not convinced that the php-fpm SAPI will improve things [i]that much[/i] for me compared to the standard PHP fastcgi SAPI. I haven't benchmarked it however, so I can't say with any certainty.

--
Jim Ohlstein



Edited 1 time(s). Last edit at 01/07/2010 11:19AM by Jim Ohlstein.
Re: nginx + suphp
January 07, 2010 11:38AM
If you look here you can see that php-fpm is in the official php repo: http://php-fpm.org/download/

But I am very interested in what you are doing with supervisord as my main concern is limiting php to the user account after I found someone put g00nshell.php on my server and was able to hack it. I now use that program to test the security of my php and that was why I started using suphp.

Could you explain how you set up supervisord to work with php-cgi and nginx? Does this work with spawn-fcgi, and what do you think of spawn-fcgi? I have heard that there may be issues with spawn-fcgi, but I am not sure what they are.

Thanks!

Chris
Re: nginx + suphp
January 07, 2010 12:42PM
floweringmind Wrote:
-------------------------------------------------------
> If you look here you can see that php-fpm is in
> the official php repo:
> http://php-fpm.org/download/

I am aware of that, but that hasn't been merged and that announcement is unofficial and says "might be" and "most likely" not "will be".

>
> But I am very interested in what you are doing
> with supervisord as my main concern is limiting
> php to the user account after I found someone put
> g00nshell.php on my server and was able to hack
> it. I now use that program to test the security of
> my php and that was why I started using suphp.
>
> Could you explain how you set up supervisord to
> work with php-cgi and nginx? Does this work with
> spawn-fcgi, and what do you think of spawn-fcgi? I
> have heard that there may be issues with
> spawn-fcgi, but I am not sure what they are.

No, spawn-fcgi is not used. Supervisord is a daemon that serves as a process manager and monitor. Installation instructions are at http://supervisord.org/manual/current/installing.html. In FreeBSD Setuptools can be installed from /usr/ports/devel/py-setuptools/.

So for each user I can set up a pool that runs under that user's UID/GID. If you then set file permissions appropriately no one else's PHP processes can read them.

[code]
[fcgi-program:php-cgi_01]
command=/usr/local/bin/php-cgi -c /usr/local/etc/php.ini -b 127.0.0.1:9001
;socket=unix:///var/run/supervisor/%(program_name)s.sock
socket=tcp://127.0.0.1:9001
process_name=%(program_name)s_%(process_num)02d
numprocs=1
priority=999
autostart=true
autorestart=true
startsecs=1
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=bob
group=bob
redirect_stderr=true
stdout_logfile=/usr/local/etc/php-cgi.log
stdout_logfile_maxbytes=1MB
stdout_logfile_backups=10
stderr_logfile=/usr/local/etc/php-cgi-error.log
stderr_logfile_maxbytes=1MB
stderr_logfile_backups=10
environment=PHP_FCGI_MAX_REQUESTS=50,PHP_FCGI_CHILDREN=10

[fcgi-program:php-cgi_02]
command=/usr/local/bin/php-cgi -c /usr/local/etc/php.ini -b 127.0.0.1:9002
;socket=unix:///var/run/supervisor/%(program_name)s.sock
socket=tcp://127.0.0.1:9002
process_name=%(program_name)s_%(process_num)02d
numprocs=1
priority=999
autostart=true
autorestart=true
startsecs=1
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=david
group=david
redirect_stderr=true
stdout_logfile=/usr/local/etc/php-cgi.log
stdout_logfile_maxbytes=1MB
stdout_logfile_backups=10
stderr_logfile=/usr/local/etc/php-cgi-error.log
stderr_logfile_maxbytes=1MB
stderr_logfile_backups=10
environment=PHP_FCGI_MAX_REQUESTS=50,PHP_FCGI_CHILDREN=5
[/code]

etc.

In this case Bob has 10 processes and David has 5. You might want to have pools that are larger or smaller. Each pool has a "master" process which also runs under the UID/GID of that user.

Then you use fastcgi_pass for each user's domain(s) to the appropriate port.

So for Bob's domains:

[code]
server {
    server_name bob.com;
    ...

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9001;
        ...
    }
}
[/code]


And for David's

[code]
server {
    server_name david.com;
    ...

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9002;
        ...
    }
}
[/code]

I'm a bit paranoid, so I have monit watch critical daemons (sshd, nginx, mysql, dovecot, exim, syslogd, proftpd, supervisord) and have supervisord manage php-cgi processes. It works for me. YMMV of course.

--
Jim Ohlstein
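
Added example (not part of the post above or of supervisord/nginx): a small Python audit of the per-user pool layout just described. It checks that every fcgi-program pool sets a non-root user=, that no two pools share a socket, and that each vhost's fastcgi_pass target matches a defined pool. The config text, the third pool, carol.example and the function names are constructed for illustration, and it assumes supervisord itself runs as root.

```python
import configparser

# Constructed sample: two pools in the style of the post, plus one deliberately
# misconfigured pool (no user=, reuses Bob's port) to show what the audit reports.
SUPERVISOR_CONF = """
[fcgi-program:php-cgi_01]
command=/usr/local/bin/php-cgi -c /usr/local/etc/php.ini -b 127.0.0.1:9001
socket=tcp://127.0.0.1:9001
user=bob

[fcgi-program:php-cgi_02]
command=/usr/local/bin/php-cgi -c /usr/local/etc/php.ini -b 127.0.0.1:9002
socket=tcp://127.0.0.1:9002
user=david

[fcgi-program:php-cgi_03]
command=/usr/local/bin/php-cgi -c /usr/local/etc/php.ini -b 127.0.0.1:9001
socket=tcp://127.0.0.1:9001
"""

# Constructed vhost-to-backend map, as it would be read from the nginx server blocks.
VHOSTS = {"bob.com": "127.0.0.1:9001", "david.com": "127.0.0.1:9002",
          "carol.example": "127.0.0.1:9009"}

def load_pools(text):
    """Return {pool_name: {"user": ..., "socket": ...}} for each fcgi-program section."""
    cp = configparser.RawConfigParser()  # raw: leave %(program_name)s untouched
    cp.read_string(text)
    pools = {}
    for section in cp.sections():
        if section.startswith("fcgi-program:"):
            pools[section.split(":", 1)[1]] = {
                k: cp.get(section, k, fallback="") for k in ("user", "socket")}
    return pools

def audit(pools, vhosts):
    """Return a list of findings about pool isolation and vhost routing."""
    findings, seen = [], {}
    for name, p in sorted(pools.items()):
        if p["user"] in ("", "root"):
            findings.append(f"{name}: no non-root user= set, pool runs as root")
        if p["socket"] in seen:
            findings.append(f"{name}: socket {p['socket']} already used by {seen[p['socket']]}")
        seen.setdefault(p["socket"], name)
        if p["socket"].startswith("tcp://"):
            findings.append(f"{name}: TCP socket is not restricted to one local account")
    backends = {s.split("://", 1)[-1] for s in seen}
    for host, target in sorted(vhosts.items()):
        if target not in backends:
            findings.append(f"{host}: fastcgi_pass {target} matches no pool")
    return findings
```

The commented-out unix:// socket line in the posted config is the variant that can be restricted per user with supervisord's socket_owner and socket_mode options.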
Re: nginx + suphp
January 07, 2010 01:17PM
Doesn't this defeat the whole purpose of using nginx? If you are limiting the number of processes that a user can spawn with php and running a site like wordpress and 400 people hit it, then that user would have dead pages. I really don't care about doing that, just controlling what each user's php has access to.
Re: nginx + suphp
January 07, 2010 04:53PM
It's the same with php-fpm. There is no adaptive process management. It was planned, and may still be planned, but it's not yet available. It's up to you as the sysadmin to figure out the needs of the system and its users. If you want adaptive process management you need Apache but then you have much more overhead. If I understand suPHP correctly, you are running PHP as a cgi so each process is spawned, serves one request, and dies. That's a lot of spawning, which is actually what consumes memory and, perhaps more importantly in a heavily loaded system, CPU. It's also why suPHP is slow. As a result, it also probably defeats the purpose of using nginx. On the other hand an unused running php-cgi process consumes little memory and virtually no CPU. On a blog with 400 concurrent users you aren't necessarily seeing 400 requests/second. Bear in mind that each php-cgi process may be able to handle multiple requests per second. You can also use the [url=http://wiki.nginx.org/NginxHttpLimitReqModule]HTTP Limit Request Module[/url] if you expect a site to get slash-dotted.

--
Jim Ohlstein
Re: nginx + suphp
January 07, 2010 05:02PM
I notice supervisord uses Python. What are your experiences with how much memory it uses? I was originally going to use Cherokee instead of Nginx but boy it uses a lot more memory than either Apache or Nginx and that has to do with it running Python.
Re: nginx + suphp
January 07, 2010 06:47PM
Depends what you consider a lot.

[code]
$ ps -auxw | grep supervisord | grep -v grep
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 80542 0.0 0.3 44820 13904 ?? Ss Fri04PM 1:37.12 /usr/local/bin/python2.6 /usr/local/bin/supervisord
[/code]

(Column headers added for ease of reading.)

--
Jim Ohlstein
Re: nginx + suphp
January 28, 2010 04:16AM
I have tested php-fpm with nginx.
I have run 3 virtual hosts with different users and pools.
Unfortunately it cannot block PHP shells. I uploaded a PHP shell and could access the whole system! php-fpm has a chroot() function which can be used to chroot the PHP process and can block PHP shells, but then you cannot use MySQL because the PHP process is chrooted to the home directory.
Is it possible to [b]convert suPHP Apache module for nginx[/b]?
I am going to test supervisord.



Edited 1 time(s). Last edit at 01/28/2010 04:18AM by ghadamyari.
Re: nginx + suphp
January 28, 2010 11:58AM
I have tested both [b]php-fpm[/b] and [b]supervisord[/b].
php-fpm works fine and uses very little memory, but supervisord and the php-cgi processes run by supervisord use more than 200mb of memory just to host 3 websites.
I suggest php-fpm.
Can anyone convert the Apache module of suPHP to an nginx module so that nginx users are able to use it?



Edited 1 time(s). Last edit at 01/28/2010 11:58AM by ghadamyari.