I noticed that vestacp uses php-fpm and configures a different port for every user account, starting with port 9000. You can find the configuration files in /etc/php-fpm.d/
I would think that communication via unix sockets will be faster than via local ports. Are there other people who know more about this and could advise on this choice? And is it [easily] possible to change the way vestacp generates the php-fpm config files?
I hope this can contribute to improving vestacp.
I have a freshly built VPS:
Ubuntu 18.04
Virtualmin 6.09.gpl
PHP versions 7.0.33, 7.2.31, 7.4.7
Apache 2.4.29
So far everything is running well.
I’m in the process of switching Apache from mpm-prefork to mpm-event and php-fpm.
I’m using mpm-event & php-fpm on my outgoing server - the main difference being that the old server is using TCP ports for php-fpm [one for each domain\Virtual Server] and for the newly built one, I’m looking at using sockets [along with one php-fpm pool per domain\Virtual Server].
I can manually set Apache\PHP up to do this - but is there any way I can do this via Virtualmin, so that each time I create a new Virtual Server\domain in Virtualmin, the correct entry for the user-specific socket gets created in the domain\user conf file in the /etc/php/7.x/fpm/pool.d directory?
PHP-FPM can listen on multiple sockets. It can listen on Unix sockets or on TCP sockets. See how this works and how to ensure Nginx is properly sending requests to PHP-FPM.
Default Configuration
Edit PHP-FPM configuration
# Configure PHP-FPM default resource pool
sudo vim /etc/php5/fpm/pool.d/www.conf
PHP-FPM Listen configuration:
# Stuff omitted
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
Also edit Nginx and see where it's sending request to PHP-FPM:
# File: /etc/nginx/sites-available/default
# ... stuff omitted
location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
}
We can see above that Nginx is sending requests to PHP-FPM via a unix socket [faux file] at /var/run/php5-fpm.sock. This is also where the www.conf file is setting PHP-FPM to listen for connections.
Unix Sockets
These are secure in that they are file-based and can't be reached by remote servers. We can further use Linux file permissions to set who can read and write to this socket file.
Nginx runs as user/group www-data. PHP-FPM's unix socket therefore needs to be readable/writable by this user.
If we change the Unix socket owner to user/group ubuntu, Nginx will then return a bad gateway error, as it can no longer communicate with the socket file. We would have to change Nginx to run as user "ubuntu" as well, or set the socket file to allow "other" [neither user nor group] to read/write it, which is insecure.
# Stuff omitted
listen = /var/run/php5-fpm.sock
listen.owner = ubuntu
listen.group = ubuntu
So, file permissions are the security mechanism for PHP-FPM when using a unix socket. The faux-file's user/group and its user/group/other permissions determine which local users and processes can read and write to the PHP-FPM socket.
TCP Sockets
Setting the Listen directive to a TCP socket [IP address and port] makes PHP-FPM listen over the network rather than on a unix socket. This makes PHP-FPM reachable by remote servers [or still only locally, over the localhost network].
Change Listen to
# Stuff omitted
listen = 127.0.0.1:9000
to make PHP-FPM listen on the localhost network. For security, we can use the listen.allowed_clients directive [a comma-separated list of client IP addresses allowed to connect] rather than set the owner/group of the socket.
The NGINX web server [as a reverse proxy] serves PHP applications through the FastCGI protocol, handing requests to a backend application server. NGINX employs PHP-FPM [FastCGI Process Manager], an alternative PHP FastCGI implementation that runs in the background as a daemon, listening for CGI requests. It comes with extra features designed for powering heavily loaded websites or web applications, but it can be used for sites of any size.
Not only does PHP-FPM support the configuration of FastCGI resource pools, but it also improves many of the FastCGI internals and increases error reporting, script termination, and much more. It features PHP daemonization, process management, a dynamic number of processes from which requests can be served, error headers, accelerated upload support, and more.
To accept FastCGI requests from NGINX, PHP-FPM can either listen on a TCP/IP socket or a UNIX domain socket. Whichever address you choose to use is what NGINX uses to connect [proxy requests] to PHP-FPM, using the fastcgi_pass directive.
This guide explains how to configure NGINX to serve PHP applications using PHP-FPM. It describes when to use a TCP/IP socket or a UNIX domain socket to connect NGINX to PHP-FPM, and why.
This guide assumes that you have NGINX and PHP-FPM installed on your Linux system, otherwise, see:
- How to Install LEMP Server on CentOS 8
- How to Install LEMP stack PhpMyAdmin in Ubuntu 20.04 Server
- How to Install NGINX, MySQL/MariaDB, and PHP on RHEL 8
- How to Install LEMP on Debian 10 Server
What Should I Use: UNIX Domain Socket or TCP/IP Socket?
UNIX domain [or IPC] sockets are a means of inter-process communication [IPC] that allow efficient data exchange between processes running on the same operating system while TCP/IP [or Internet Domain] sockets allow processes to communicate over a network.
Unlike a TCP/IP socket that identifies a server by an IP address and port [e.g 127.0.0.1:9000], you can bind a server to a UNIX domain socket using a file pathname [e.g /run/php-fpm/www.sock], which is visible in the filesystem.
A UNIX domain socket is a special type of file – file and directory permissions apply to it [as is the case with any other type of UNIX file] and can be used to restrict which processes on the host can read and write to the file, [and thus communicate with the backend server].
This way, a UNIX domain socket is secure because only processes on the local host can use it. A TCP/IP socket may be exposed to the internet posing a security risk unless extra security measures such as a firewall are implemented.
Importantly, using a UNIX domain socket is not the same as using a TCP/IP socket regarding performance: several tests and benchmarks have shown UNIX domain sockets to be faster. The main drawback of UNIX domain sockets is that they are less scalable, as they only support inter-process communication within the same operating system [OS].
Where Can I Configure PHP-FPM Listen Address?
You can configure the address PHP-FPM listens on in a resource pool configuration file. Note that with PHP-FPM, you can run several pools of processes with different settings. The default pool is called www.
The location of the resource pool configuration file depends on the way PHP and PHP-FPM are installed on a Linux system [whether it’s a default/single version or multiple versions simultaneously].
For example, on CentOS 8, with a single version, all PHP configuration files are located in the /etc directory and the default PHP-FPM pool [www] configuration file is /etc/php-fpm.d/www.conf:
To list all PHP configuration files, use the following ls command.
# ls /etc/php*
On Ubuntu 20.04, the PHP configuration files are located in the /etc/php/7.4 directory and the default PHP-FPM pool [www] configuration file is /etc/php/7.4/fpm/pool.d/www.conf:
$ ls /etc/php/7.4/
Configuring PHP-FPM to Listen on a UNIX Domain Socket
To configure PHP-FPM to listen on a UNIX domain socket, open your default PHP-FPM pool configuration file, using your favorite text editor.
$ sudo vim /etc/php/7.4/fpm/pool.d/www.conf    #Ubuntu/Debian
OR
# vim /etc/php-fpm.d/www.conf                   #CentOS/RHEL/Fedora
Then look for the listen directive and set it to the file pathname of the UNIX domain socket as follows. Note that most installations use a UNIX domain socket by default.
listen = /run/php/php7.4-fpm.sock    #Ubuntu/Debian
OR
listen = /run/php-fpm/www.sock       #CentOS/RHEL/Fedora
If you use a UNIX domain socket, you also need to set appropriate read/write permissions for the file, to allow connections from the NGINX web server. By default, NGINX runs as user and group nginx on CentOS/RHEL/Fedora and www-data on Ubuntu and Debian.
So, find the listen.owner and listen.group parameters and set them accordingly. Also, set the mode to 0660 using the listen.mode parameter.
------------- On Debian and Ubuntu -------------
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
------------- On CentOS/RHEL and Fedora -------------
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
Note that if the permissions on the UNIX domain socket file are not set correctly, NGINX may return a bad gateway error.
Configuring PHP-FPM to Listen on a TCP/IP Socket
Although a UNIX domain socket is faster than a TCP/IP socket, the former is less scalable, because it can only support inter-process communication on the same OS. If NGINX and the backend application server [PHP-FPM] are running on different systems, you will have to configure PHP-FPM to listen on a TCP/IP socket for connections.
In the PHP-FPM pool configuration file, set the listen address as follows. Make sure that the port you have chosen is not being used by another process or service on the same system.
listen = 127.0.0.1:3000
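As an added example, not code from either tutorial above, here is a small Python audit that reads PHP-FPM pool files and flags the weak settings both the UNIX socket section [owner/group/mode] and the TCP socket section [bind address, listen.allowed_clients] warn about. The pool texts are constructed samples; the parser is a deliberately minimal reader of the key = value lines, not PHP-FPM's own parser.

```python
import stat

# Constructed sample pool files, not taken from a real system.
POOL_UNIX_WEAK = """
[www]
listen = /run/php/php7.4-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0666   ; world read/write: any local user can reach PHP-FPM
"""
POOL_TCP_OPEN = """
[www]
listen = 0.0.0.0:9000
"""
POOL_TCP_OK = """
[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
"""

def parse_pool(text):
    """Return {key: value} for the pool's 'key = value' lines; ';' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_pool(conf):
    """Return a list of findings for one pool; an empty list means nothing was flagged."""
    findings = []
    listen = conf.get("listen", "")
    if listen.startswith("/"):
        # UNIX domain socket: file permissions are the only access control.
        mode = int(conf.get("listen.mode", "0660"), 8)   # PHP-FPM's default is 0660
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append("listen.mode %o grants 'other' access; use 0660" % mode)
        if "listen.owner" not in conf or "listen.group" not in conf:
            findings.append("listen.owner/listen.group unset; set them to the web server user")
    else:
        # TCP socket: 'host:port', '[v6]:port' or a bare port (listens on all addresses).
        host = listen.rsplit(":", 1)[0] if ":" in listen else ""
        if host in ("", "0.0.0.0", "[::]"):
            findings.append("TCP listen on all interfaces; bind 127.0.0.1 or a private address")
        if not conf.get("listen.allowed_clients"):
            findings.append("listen.allowed_clients unset; any reachable host can send FastCGI requests")
    return findings
```

Run it over the files in /etc/php/7.4/fpm/pool.d or /etc/php-fpm.d to see which pools still rely on a world-writable socket or an unrestricted TCP port.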
Configuring NGINX to Work with PHP-FPM Application Server
Once you have configured the address PHP-FPM listens on, you need to configure NGINX to proxy requests to it via that address, using the fastcgi_pass configuration parameter in a virtual server block configuration file.
For example, if the configuration file for your website is /etc/nginx/conf.d/example.com.conf, open it for editing.
# vim /etc/nginx/conf.d/example.com.conf
Look for the location block that processes .php files and set the fastcgi_pass parameter as follows, if you configured PHP-FPM to listen on a UNIX domain socket.
fastcgi_pass unix:/run/php/php7.4-fpm.sock;    #Ubuntu/Debian
OR
fastcgi_pass unix:/run/php-fpm/www.sock;       #CentOS/RHEL/Fedora
Or use a TCP/IP address if you configured PHP-FPM to listen on a TCP/IP socket. If the backend application server [PHP-FPM] is running on a separate server, point NGINX at that host [replace 10.42.0.10 with the IP address of the machine on which the PHP-FPM FastCGI server is running].
fastcgi_pass 10.42.0.10:3000;
Important: On CentOS 8, PHP-FPM is defined as an upstream server in the /etc/nginx/conf.d/php-fpm.conf file, within an upstream block, with the name php-fpm.
You can make changes here accordingly depending on the address PHP-FPM is configured to listen on, in the pool configuration file. The default configuration points to a UNIX domain socket.
upstream php-fpm {
    server unix:/run/php-fpm/www.sock;
}
and in your site’s server block file, simply set the fastcgi_pass parameter to the upstream name, as shown.
fastcgi_pass php-fpm;
After making changes to the PHP-FPM and NGINX configurations, check their configuration syntax for correctness as follows.
$ sudo nginx -t
$ sudo php-fpm7.4 -t    #Ubuntu/Debian OR # php-fpm -t    #CentOS/RHEL/Fedora
While the command output shows the main configuration file only, all the other configuration files are included and checked as well.
Next, you need to restart the two services to apply the changes, using the systemctl command.
$ sudo systemctl restart nginx php7.4-fpm    #Ubuntu/Debian OR # systemctl restart nginx php-fpm    #CentOS/RHEL/Fedora
If you get any errors, you can check the NGINX and PHP-FPM log files using the cat command.
That’s all we had for you. The comment section below can be used to ask questions. For more information, see the NGINX documentation and PHP-FPM documentation.