Hey guys, not sure if this is the best place to post this stuff, but oh well.
Firstly, looking at implementing php-fpm might be a good idea, as then it's similar to how you set up apache/nginx config files. Drop a file in /etc/php5/fpm/pool.d/ containing the port number, the user/group ids, number of children, and you are basically done!
Also, while the default nginx config works, it's not great for a few reasons.
As we are running php on the same machine as nginx, we can follow the recommended security practices. http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP So instead of
location ~ \.php$ {
    fastcgi_pass localhost:9001;
}
We have
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass localhost:9001;
}
A simple change that increases security.
We also might like to look at changing the default "handler" to something that may make more applications work out of the box. Something like
location / {
    # This is cool because no php is touched for static content
    try_files $uri $uri/ /index.php;
}
Will work for just about any php application that uses an index.php in the root directory to do "pretty" urls.
Just some suggestions. Thanks heaps for implementing Nginx support. I was considering abandoning Virtualmin for a new server I was setting up, as I wanted to be using Nginx, and now I can use Nginx and Virtualmin! If you need any assistance with Nginx feature development, I'm happy to assist.
Oh. And maybe adding an option to listen on any ipv4 address would be useful. The reason is that if we have some hosts without a "listen" line, and then other hosts with a listen line for the ipv4 address, then it can become the "default" host for that ip address, even though other hosts are also listening on that address. (And hence example.com could serve up personalsite.org). Probably not an issue if every host is created by Virtualmin, but if any are created manually, then it causes problems. I'll talk to the Nginx list about how this should be done to prevent problems.
Tim
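An added example, not part of the original posts or of Virtualmin's code: a small Python check that reports location blocks which hand requests to fastcgi_pass without the try_files $uri =404; guard suggested above. The sample config is constructed, and the parser assumes one directive per line with braces at line ends.

```python
# Constructed sample config; hostnames and ports are illustrative only.
SAMPLE = r"""
server {
    server_name example.com;
    location ~ \.php$ {
        fastcgi_pass localhost:9001;
    }
}
server {
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass localhost:9002;
    }
    server_name personalsite.org;
}
"""

def audit(conf):
    """Return (server_name, location) pairs that reach fastcgi_pass unchecked."""
    findings, stack = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            stack.append({"head": line[:-1].strip(), "dirs": [], "bad": []})
        elif line == "}":
            block = stack.pop()
            dirs, head = block["dirs"], block["head"]
            if head.startswith("location"):
                passes = any(d.startswith("fastcgi_pass") for d in dirs)
                guarded = any(d.startswith("try_files") and d.endswith("=404")
                              for d in dirs)
                if passes and not guarded:
                    block["bad"].append(head)
            if head == "server":
                name = next((d.split()[1] for d in dirs
                             if d.startswith("server_name")), "(unnamed)")
                findings += [(name, loc) for loc in block["bad"]]
            elif stack:
                stack[-1]["bad"] += block["bad"]  # bubble up to the server block
        elif stack:
            stack[-1]["dirs"].append(line.rstrip(";").strip())
    return findings

if __name__ == "__main__":
    for name, loc in audit(SAMPLE):
        print(f"{name}: {loc} passes requests to PHP without try_files $uri =404")
```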
Thanks for the suggestions .. I will definitely implement at least the try_files fix, and will look into the others.
Thanks.
Also, I'll do some more digging, but it appears the log files when using nginx aren't readable by the users who "own" them. Looking in the logrotate file, maybe we need to set each server's files to be owned by the nginx, group of the user, and readable by group? I'll poke some more to make sure it's not just my setup.
Tim
Another reason I really would like to see php5-fpm support (other than it being "cleaner" IMHO), is that if you do any php updates (like installing php-gd), then you need to individually restart every php-fcgi process! Whereas php-fpm is a single restart and they all restart gracefully. (And php-fpm gives us better pool support if we want dynamic pools).
I suppose with php-fcgi we could just pkill -HUP all the php processes and let the loop controller restart it, but that's not very clean.
Tim
So does php-fpm support running PHP scripts with domain owner permissions, from a single pool of server processes?
Not exactly.
Each domain "user" needs its own pool.
i.e.
[user1]
user = user1
group = user1
[user2]
user = user2
group = user2
However, each pool can be static or dynamic. i.e. we start 4 php processes for each pool. Or we start 1 process for the pool, and as usage increases we can grow up to 30 processes, etc. It's probably worth noting that all "sub-servers" run under the domain user anyway, so no extra pool is needed, just the pool for that "main" server. It's here that we get the most benefit from php-fpm, as we can then be sharing the php processes between a server and its sub-servers (i.e. I have a server with 3-4 sub-servers that aren't used much, so I don't need the 3-4 extra php processes sitting around, it instead uses the pool for the main server).
The other big benefit is we don't need to maintain an init script per server, just the one php5-fpm init script, and it takes care of the rest.
In a setup like this with pools, can the php.ini path be set only on a per-user basis, or per-domain?
Each pool would share a php.ini file. So assuming that under domain1.com we have domain2.com and domain3.com as sub-servers, then they would share the php.ini file.
I kinda envision it being an option.
a) Each subserver and server has its own pool of fpm processes. (So mirrors the current fcgi setup except it's a single point to maintain instead of an init script per server)
b) Each subserver can share its main server's pool, and hence share the php.ini file.
This allows the use case of "large" sub-servers but needing to be independent of each sub-server or server. And smaller sub-servers where running a php process for each is a waste of resources, so sharing the pool of the main server it's a sub server for.
Also, a big advantage of fpm over fcgi, is that we can have multiple php processes for a server (dynamically as needed if we want), where a single fcgi process blocks while processing a page (IIRC) and so for a longer running page, we end up with a slower server as we are waiting for the one php-fcgi process for that website. (I think I'm right about that). I'm not sure if we can get php5-cgi to spawn child processes to handle multiple requests. But php-fpm manages a pool of workers, so a long running script won't block (unless we use static, and then we are limited to the number of workers we start).
Tim
Most likely I would end up implementing one pool per domain then, as Virtualmin depends on being able to set php.ini options on a per-domain basis for script installs.
As of the most recent version of the Nginx plugin, each domain can have multiple php-cgi processes to allow concurrent processing of requests. However the number is fixed, rather than scaling dynamically as with php-fpm.
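The two layouts discussed in this thread (one pool per domain, or a sub-server sharing its main server's pool), as an added example that is not part of the original posts or of Virtualmin's code. The plan_pools function, the SERVERS sample, the memory_limit values and the 127.0.0.1 listen addresses are assumptions made for illustration; the pool directives are standard php-fpm settings.

```python
# Constructed sample: a main server with two sub-servers (names are illustrative).
SERVERS = [
    {"domain": "domain1.com", "user": "user1", "ini": {"memory_limit": "128M"}},
    {"domain": "domain2.com", "user": "user1", "parent": "domain1.com"},
    {"domain": "domain3.com", "user": "user1", "parent": "domain1.com",
     "own_pool": True, "ini": {"memory_limit": "256M"}},
]

def plan_pools(servers, base_port=9001, start=1, max_children=30):
    """Return (pool file text, {domain: port}) for a list of servers."""
    min_spare, max_spare = 1, 3
    # For pm = dynamic, php-fpm expects min <= start <= max spare <= max_children.
    if not min_spare <= start <= max_spare <= max_children:
        raise ValueError("inconsistent pm.* values")
    users = {s["domain"]: s["user"] for s in servers}
    ports, sections = {}, []
    for s in servers:
        if s.get("parent") and not s.get("own_pool"):
            continue  # shares the main server's pool, resolved below
        port = ports[s["domain"]] = base_port + len(sections)
        lines = [f"[{s['domain']}]", f"user = {s['user']}", f"group = {s['user']}",
                 f"listen = 127.0.0.1:{port}", "pm = dynamic",
                 f"pm.max_children = {max_children}",
                 f"pm.start_servers = {start}",
                 f"pm.min_spare_servers = {min_spare}",
                 f"pm.max_spare_servers = {max_spare}"]
        # Per-pool php.ini settings; php_admin_value cannot be changed by ini_set().
        lines += [f"php_admin_value[{k}] = {v}"
                  for k, v in sorted(s.get("ini", {}).items())]
        sections.append("\n".join(lines))
    for s in servers:
        if s["domain"] in ports:
            continue
        parent = s["parent"]
        # A shared pool runs as one Unix user, so refuse to share across owners.
        if parent not in ports or users[parent] != s["user"]:
            raise ValueError(f"{s['domain']} cannot share the pool of {parent}")
        ports[s["domain"]] = ports[parent]
    return "\n\n".join(sections) + "\n", ports

if __name__ == "__main__":
    conf, ports = plan_pools(SERVERS)
    print(conf)
    for domain, port in sorted(ports.items()):
        print(f"# {domain}: fastcgi_pass localhost:{port};")
```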