Sent a request by email for you to check that we have done OK so far and how to continue. Thanks in advance!
HOWTO run a private PHP-FPM stack on Nginx or Apache on Opalstack
Thanks from our team - the private-php-fpm-stack-on-nginx rocks - professional tech & support from opalstack!
What are the pros & cons of running private php-fpm for VPS users and applications? Estimated memory & CPU usage per fpm-php port application? Do you recommend tuning the default values and if so, which ones especially? Is the content of a VPS user protected from other VPS users / other Opalstack users / anonymous web users? Is it so that protected content such as code can only be .php? Thanks in advance for any advice!
dragonxi The pro is that you have total control over your Nginx/Apache/FPM configuration. The con is that you have to manage that config manually. We do recommend that you tune the config according to your needs, but it's up to you to decide exactly how to do that. Your content is protected to whatever extent that you protect it.
Thanks Sean, we know now how to proceed & everything has worked fine according to your instructions and the scripts.
Addition to our ticket #46935: is it so that
once we realized our mistake in the config file
we should not have edited it and not deleted the created configuration to install again,
but instead
we should have edited the post-configured files to match our site routes, apps and domains?
Our mistake in any case!
Is there a need to delete or undo something?
Is there a cron job based on the wrong config?
The server seemed to create the process and the socket but for some reason they disappeared!
We had succeeded in configuring one php-fpm for each of 14 users; with these two we failed, and
not because of your instructions, which are good! Luckily, one can get the web page running by editing the site route back!
thanks,
just to let you know, we did the following with those web pages we got to run with fpm:
(1) configured fpm according to your instructions
(2) changed site route to use
fpm2xxxxxxxx_app instead of xxxxxxx_app
(3) run
.stop
(4) waited to get 502 Gateway error with browser
which required some time and trying with
different browsers i.e
thereby verified we are using the private fpm
(5) . start
(6) tested with browser to have xxxxxxxx.app up
which required some time
i.e.
we didn't get "file not found error" with these.
Don't remember why we did not run .restart,
is the command there ? available as stop and start ?
How do these three commands work and how to use them in crontab:
(1) start
• if the process is dead, it starts a new one ?
• crontab is now set to call start every 10 min ?
- what will happen if process is not dead ?
- any alternatives for every 10 min ?
(2) restart
• used in cases php processes behave badly
i.e cause memory leaks etc ?
• how to define in crontab (if need) ?
• if there is no process, what will restart cause ?
(3) stop
• when to call it in crontab ?
• to stop bad behaviour ?
• start call after stop call ?
Thanks in advance for any advice
& stay covid-19 safe
1) The start command will start your FPM stack if it is not running. If it is already running then the start command will emit an error message to let you know that, and the existing process will continue to run. The default cron job runs the start command every 10 minutes. You can use whatever interval you want.
2) The restart command runs the stop command followed by the start command. If there is no process running when you run restart, then a new process will be started. Since it stops the app before it restarts it then yes, it would conceivably help with memory leaks. Running restart via cron is not a good idea since it will take down your site for a few seconds every time it runs. I don't recommend running the restart command in your crontab unless you are absolutely certain that you need to. You can define cron jobs by running crontab -e in an SSH session.
3) If there's some reason that you want to shut down your website on a recurring schedule then you could schedule the stop command in cron. If you'd want to restart it some time after doing so then yes, you'd need to use the start command to do that. If you'd want it to start right after the stop command then use the restart command instead of stop.
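The start/restart/stop behaviour described in the reply above, as an added example that is not part of the original posts or of Opalstack's scripts: a cron wrapper that calls bin/start only when the pid file no longer points at a live process of your own. The pid file name var/run/php-fpm.pid and the function names are assumptions; use the path your own stack configuration writes.

```python
#!/usr/bin/env python3
"""Cron watchdog for a private stack (added example; paths are assumptions)."""
import os
import subprocess
import sys
from pathlib import Path


def stack_state(pidfile: Path) -> str:
    """Return 'running', 'stale' (pid file without a live process of ours) or 'stopped'."""
    try:
        pid = int(pidfile.read_text().strip())
    except FileNotFoundError:
        return "stopped"
    except ValueError:
        return "stale"              # empty or corrupted pid file
    if pid <= 0:
        return "stale"              # never signal a process group by accident
    try:
        os.kill(pid, 0)             # signal 0 only checks existence and permission
    except ProcessLookupError:
        return "stale"              # process died without removing its pid file
    except PermissionError:
        return "stale"              # pid now belongs to another account's process
    return "running"


def ensure_running(app_dir: Path, pid_rel: str = "var/run/php-fpm.pid") -> str:
    """Run bin/start only when the stack is not running; return the state seen."""
    state = stack_state(app_dir / pid_rel)
    if state != "running":
        # start, not restart: restart takes the site down for a few seconds
        subprocess.run([str(app_dir / "bin" / "start")], check=True)
    return state


if __name__ == "__main__":
    # Usage from cron: watchdog.py ~/apps/proxy_app
    seen = ensure_running(Path(sys.argv[1]).expanduser())
    if seen != "running":
        print(f"stack was {seen}; start invoked")  # output appears only on recovery
```

Because the script prints only when it had to start the stack, any cron mail it produces marks a time the process or its pid file had gone missing.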
Thanks for your advice Sean!
We got our web sites powered by php-fpm.
Python we used to create scripts for crontab
- to start fpm processes as you recommended
and to backup - userspace-fpm-installer
- fpm applications
- corresponding apps
using timings tuned for each vps user.
We would like to know your opinion about tuning the php,
and if so, which settings and values would you recommend:
(1) emergency_restart_threshold int <-- ?
(2) emergency_restart_interval mixed <-- ?
(3) process_control_timeout mixed <-- ?
(4) any other <-- which one(s) ?
Ref:
Thanks for your excellent customer support
and if possible, pass our greetings to that WebFaction guy!
thanks
How to keep a private PHP-FPM protected against viruses while it is running, and which content to virus-scan and where?
(1) /apps <-- all apps for one vps user
(2) /apps/fpm2xxxx_app <-- proxy ports
(3) /apps/xxxx_app <-- php applications
(4) /userspace-fpm-installer
(5) any good virusscan program to install
for vps users and to let cronjob to virusscan ?
(6) in case virusscan software is not available
in server and we ftp download content to a workstation, run virusscan there then what do we have to take into account with (2) ?
(a) stop
(b) download
(c) if virus found then delete the current (2) and configure it again once we have checked also
the (4)
or
is it better to download /temp/backup
files taken by cron and virusscan them in work stations ?
(7) is it safer to have viruses scanned on the server
using virus-scan software which is specialized to find php-fpm viruses, and if so
which open source one would you recommend?
(8) if there is no open source one in (7) and in case
we find a good commercial one, could Opalstack install it provided it fits with php-fpm?
Thank you in advance for any help and
as said before you have helped a lot by bringing this php-fpm system available and supporting it!
dragonxi I recommend you scan your files locally on your own computer before you ever upload them to your Opalstack server.
There is no virus scanner installed on your VPS at this time. We can install the open-source ClamAV scanner on your VPS if you'd like, but you'll need to email support via your registered account email address to request it.
We're not able to install commercial software on our platform for you.
If anyone's interested, I built a more streamlined version of this approach using a single Python script, so there's no need to clone a repo, update the configuration etc. and then run a script - you just run one script directly, so it's a simpler process.
Prerequisites
- A newly-created Opalstack static-only application - let's assume it's called static_app.
- A newly-created Opalstack proxy-port application - let's assume it's called proxy_app, and that the port number for it is proxy_port.
- Decide on the domain to be served by proxy_app - let's assume it's called proxy.domain.
Process
Download the Python script, private_stack.py, from this gist:
https://gist.githubusercontent.com/vsajip/3c6d6d269d9f406953bf34b450b033f4/raw/private_stack.py
Run the script using a command line like this (feel free to look at it first, I'll explain what it does below):
python3 private_stack.py proxy_app proxy_port static_app proxy.domain --php 8.1
Of course, substitute in the actual values for proxy_app, proxy_port, static_app and proxy.domain for your specific needs.
If you don't specify the --php option, then just an nginx or Apache proxy is created. Otherwise, PHP-FPM with the specified PHP version is set up, too.
You can also specify a -dry-run (or -n) option - this prints to stdout a Bash script with commands to do the setting up. You might use this to inspect what would be done, as well as pipe it to a file if you want to customize the configurations in any way.
By default, an nginx-based proxy is created. For an Apache proxy, specify --server apache as a command-line option.
End Result
The following directory tree is created:
~/apps/proxy_app
├── bin
│   ├── nginx -> /usr/sbin/nginx [if you didn't specify --server apache] OR
│   ├── httpd -> /usr/sbin/httpd [if you specified --server apache]
│   ├── php-fpm -> /opt/remi/php81/root/usr/sbin/php-fpm [if you specified --php VERSION]
│   ├── restart [scripts to restart/start/stop the stack]
│   ├── start
│   └── stop
├── conf
│   ├── nginx.conf [if you didn't specify --server apache] OR
│   └── httpd.conf [if you specified --server apache]
├── etc
│   └── php-fpm.conf [if you specified --php VERSION]
├── lib [if you specified --php VERSION]
│   └── php.ini
├── log [log files will appear in here once you start the stack]
├── tmp
└── var
    └── run [pid and socket files will appear in here once you start the stack]
How it works
Basically, the same way as the repository Sean posted above. Symlinks are created to the system binaries for nginx/Apache/php-fpm, configuration files for them to use are created, and scripts to start/stop/restart the stack are created. The static_app isn't touched at all - it's in the arguments because its path ends up inside some of the configuration files.
Feel free to try out the script and give me feedback if you have any questions, find any problems or want to suggest any improvements!
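For the earlier question in this thread about whether one user's content is protected from other accounts, an added example (not part of private_stack.py or of Opalstack's tooling): an audit of the directories in the tree above for entries that other local accounts could read, write or connect to. The function and constant names are hypothetical.

```python
#!/usr/bin/env python3
"""Permission audit of a private stack directory (added example, not Opalstack code)."""
import os
import stat
import sys
from pathlib import Path

# Directories from the tree above holding configuration, logs, pid and socket files.
SENSITIVE = ("conf", "etc", "lib", "log", "tmp", "var")


def check(path: Path) -> list[str]:
    """Return the findings for one entry; symlinks themselves are not judged."""
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode):
        return []
    found = []
    if st.st_uid != os.getuid():
        found.append("not owned by this user")
    if st.st_mode & stat.S_IWOTH:
        # Write permission on a Unix socket is what lets a local account connect to it.
        found.append("socket open to all local users" if stat.S_ISSOCK(st.st_mode)
                     else "world-writable")
    elif st.st_mode & stat.S_IROTH and stat.S_ISREG(st.st_mode):
        found.append("world-readable")
    return found


def audit(app_dir: Path) -> list[tuple[str, str]]:
    """Walk the sensitive directories; return sorted (relative path, finding) pairs."""
    results = []
    for top in SENSITIVE:
        root = app_dir / top
        if not root.is_dir():
            continue
        entries = [root]
        for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
            entries += [Path(dirpath, n) for n in dirnames + filenames]
        for path in entries:
            results += [(str(path.relative_to(app_dir)), f) for f in check(path)]
    return sorted(results)


if __name__ == "__main__":
    # Usage: audit.py ~/apps/proxy_app   (exit status 1 when anything is flagged)
    hits = audit(Path(sys.argv[1]).expanduser())
    for rel, finding in hits:
        print(f"{finding}: {rel}")
    sys.exit(1 if hits else 0)
```

Whether a world-readable file is actually reachable by another account also depends on the permissions of the parent directories, which this audit does not evaluate.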
FYI we've moved the script to a new repository and have updated the original post to reflect that.