System Engineering

Install nginx + php-fpm on openSUSE

1. Download and install packages

# Install nginx and PHP-FPM from the distribution repositories.
zypper install nginx php5-fpm
# 1733 = sticky bit + rwx for the owner + write/search (no read) for group and others:
# any account can create files here, nobody but the owner can list the directory,
# and the sticky bit stops users removing each other's files.
# NOTE(review): presumably /var/lib/php5 is the PHP session directory on this distribution; confirm against session.save_path.
chmod 1733 /var/lib/php5

2. Configure php-fpm

# Start from the packaged default file; -p keeps its mode, ownership and timestamps.
cp -p /etc/php5/fpm/php-fpm.conf.default /etc/php5/fpm/php-fpm.conf
# Edit the copy and set the directives listed below.
vi /etc/php5/fpm/php-fpm.conf

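; Settings to change in /etc/php5/fpm/php-fpm.conf.
; The file is INI syntax: every directive is written "name = value".
; pm.*, listen*, catch_workers_output and security.limit_extensions are pool
; directives (they belong in a pool section); the remaining ones are global.
include=/etc/php5/fpm/vhosts.d/*.conf
pm.max_children = 30
rlimit_files = 102400
catch_workers_output = yes
emergency_restart_threshold = 10
emergency_restart_interval = 30s
process_control_timeout = 10s
; Listen on a Unix socket instead of a TCP port, so access to the FastCGI
; endpoint is governed by file permissions rather than by network reachability.
;listen = 127.0.0.1:9000
listen = /var/run/php5-fpm.sock
listen.owner = nginx
; Set the socket mode explicitly: only the owner (nginx) and the socket's group
; may connect. Some older php5-fpm builds otherwise create it world-accessible,
; which lets any local account send FastCGI requests to the pool.
listen.mode = 0660
error_log = /var/log/php-fpm/php-fpm.log
; Every suffix listed here is executed as PHP. Keep the list as short as the
; application needs, and make sure upload or other writable directories under
; the document root cannot receive files with these suffixes.
security.limit_extensions = .php .do .json .soap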

3. Configure php.ini for php-fpm

# Use the CLI php.ini as the starting point for the FPM configuration.
# NOTE(review): CLI defaults are not always suitable for a web-facing SAPI; check
# settings such as display_errors and expose_php in the copy before going live.
cp /etc/php5/cli/php.ini /etc/php5/fpm/
vi /etc/php5/fpm/php.ini
# Add the line below. With cgi.fix_pathinfo=0 PHP runs only the exact SCRIPT_FILENAME
# it is handed and does not fall back to a shorter path when that file is missing,
# so a request cannot cause a different file (for example an upload) to be executed as PHP.
cgi.fix_pathinfo=0

4. Configure nginx for reverse proxy

# Edit the main nginx configuration. The listing below is an excerpt ("# ............"
# marks omitted parts): merge these directives into the existing file, do not replace it.
vi /etc/nginx/nginx.conf

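# Config for 4 Xeon CPU
# Upper bound on simultaneous connections = worker_processes * worker_connections
worker_processes       8;                   # 2 * Number of CPUs
worker_rlimit_nofile   102400;              # Each connection needs a filehandle (or 2 if you are proxying)
events {
    worker_connections 8192;                # per-worker cap; about 4096 clients when each request also holds an upstream connection
    use epoll;
}

http {
    # ............
    server_tokens  off;                     # do not advertise the nginx version in headers and error pages

    # DDoS Defense: shared-memory zones for per-client-IP limits.
    # These throttle floods from individual addresses; they do not by themselves stop
    # a distributed attack, and clients behind one NAT or proxy share a single bucket.
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:20m;
    limit_req_zone  $binary_remote_addr zone=req_limit_per_ip:20m rate=50r/s;

    server {
        # ............

        # DDoS Defense: at most 100 concurrent connections per IP, and 50 requests/s
        # per IP with bursts of up to 100 served without delay; excess is rejected.
        limit_conn  conn_limit_per_ip 100;
        limit_req   zone=req_limit_per_ip burst=100 nodelay;

        # Hand requests for the PHP-handled extensions to php-fpm over FastCGI.
        # Keep this list identical to security.limit_extensions in php-fpm.conf.
        location ~* ^.+\.(php|do|json|soap)$ {
            root           /srv/www/htdocs;
            # Return 404 unless the request URI itself names an existing file under root,
            # so php-fpm is never asked to resolve a path that is not a real script.
            try_files      $uri =404;
            fastcgi_connect_timeout  3s;
            fastcgi_read_timeout     10s;
            #fastcgi_pass  127.0.0.1:9000;
            fastcgi_pass   unix:/var/run/php5-fpm.sock;
            fastcgi_index  index.do;
            fastcgi_split_path_info  ^(.+\.[^\.\?\/]+)(/.*)$;
            fastcgi_hide_header      x-powered-by;      # do not reveal the PHP version to clients
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            # Second check, on the script path computed after path-info splitting:
            # refuse the request if that file does not exist.
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            include        fastcgi_params;
            # Blank out the client-supplied "Proxy" request header so it never reaches PHP
            # as HTTP_PROXY, where HTTP client libraries could mistake it for a proxy setting.
            fastcgi_param  HTTP_PROXY  "";
        }
    }
}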

5. Restart service

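# Validate both configuration files before touching the running services: a syntax
# error caught here does not take the web server down, and it avoids falling back
# to a half-applied configuration.
nginx -t
php-fpm -t -y /etc/php5/fpm/php-fpm.conf
# Start the services at boot and apply the new configuration now.
systemctl enable nginx.service
systemctl restart nginx.service
systemctl enable php-fpm.service
systemctl restart php-fpm.service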
