A private PHP-FPM stack running on Nginx or Apache gives you total control over your web server configuration.

A colleague of mine at WebFaction was kind enough to create a script that will install a private backend PHP stack using either Nginx or Apache with the version of PHP of your choice. We've adapted that script to work with Opalstack's services.

To use it, first create the following items in your Opalstack dashboard:

Once that's done, SSH to the shell user and run the following commands:

cd ~
git clone https://github.com/opalstack/private-phpfpm-installer
cd private-phpfpm-installer

When that's done you will have (among other things) a file named config. Edit that file as directed in this example:

#!bash

# change these to your stack app's name and port
STACKNAME="phpfpm"
PORT="77777"

# change these to the domain and directory you want the stack to serve
DOMAIN1="mydomain.com"
APPDIR1="$HOME/apps/app1"

# change these as needed, nginx or apache, php versions 5.6, 7.3, 7.4, 8.0, 8.1, 8.2, 8.3
SERVER_TYPE="nginx"
PHP_VERSION="8.3"

# no need to change these
PREFIX="$HOME/apps/$STACKNAME"
LOGDIR="$HOME/logs/apps/$STACKNAME"

Next, run the install script:

./install.bash

The script will generate the necessary configuration and scripts needed to run your application.

The generated Nginx & Apache config will be in the conf subdirectory of the app directory. You can edit that config post-install to set up additional sites on the stack, or to modify the existing site (changing domains etc).

The generated FPM config will be in the etc subdirectory of the app dir. You can edit that post-install to adjust performance parameters, etc.

start/stop/restart scripts are in the bin subdir. start and stop are symlinked to nginx or apache depending on your config. You can change the app to either web server by changing the symlinks, for example to switch from Nginx to Apache:

cd ~/apps/appname/bin
ln -f -s start-httpd start
ln -f -s stop-httpd stop

The script also creates a cron job to restart the app if it goes down:

*/10 * * * * /home/shelluser/apps/phpfpm/bin/start &>/dev/null

That's pretty much it! If you've been wanting (or needing) to try out this sort of setup, please give it a try and let me know what you think 🙂
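
Added example, not part of the original post or the installer: a pre-flight check that sources the config file described above and rejects values that cannot work, such as the sample PORT 77777, which is above the TCP maximum of 65535. The function name validate_config and the character rules for STACKNAME and DOMAIN1 are assumptions of this example.

```shell
# Added example (not part of the installer): validate `config` before ./install.bash.
# Variable names and allowed values come from the sample config in the post;
# the function name and the character rules are assumptions of this example.
validate_config() (
    file=$1
    case $file in */*) ;; *) file=./$file ;; esac   # stop `.` from searching PATH
    [ -r "$file" ] || { echo "config: cannot read $file" >&2; exit 2; }
    . "$file" || exit 2      # body runs in a subshell, so nothing leaks to the caller

    bad=0
    fail() { echo "config: $*" >&2; bad=1; }

    # STACKNAME is interpolated into the $HOME/apps/... and $HOME/logs/... paths.
    case $STACKNAME in
        ''|*[!A-Za-z0-9_-]*) fail "STACKNAME must be letters, digits, _ or -" ;;
    esac

    # PORT: digits only, unprivileged, and inside the 16-bit TCP range.
    case $PORT in
        ''|*[!0-9]*|??????*) fail "PORT is not a valid number: $PORT" ;;
        *) if [ "$PORT" -lt 1024 ] || [ "$PORT" -gt 65535 ]; then
               fail "PORT $PORT is outside 1024-65535"
           fi ;;
    esac

    # DOMAIN1 ends up in the web server config; allow hostname characters only.
    case $DOMAIN1 in
        ''|*[!A-Za-z0-9.-]*) fail "DOMAIN1 has characters not valid in a hostname" ;;
    esac

    case $APPDIR1 in
        /*) ;;
        *)  fail "APPDIR1 must be an absolute path" ;;
    esac

    case $SERVER_TYPE in
        nginx|apache) ;;
        *) fail "SERVER_TYPE must be nginx or apache" ;;
    esac

    case $PHP_VERSION in
        5.6|7.3|7.4|8.0|8.1|8.2|8.3) ;;
        *) fail "PHP_VERSION $PHP_VERSION is not offered by the installer" ;;
    esac

    exit "$bad"
)
```

Run it as validate_config ./config from the installer directory; it returns 0 when every value passes and 1 otherwise, with one message per rejected value on stderr.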

    a month later

    Just a heads up, this doesn't seem to be working (on Opal2 at least):

    [user@opal2 userspace-fpm-installer]$ ./install.bash
    -bash: ./install.bash: /bin/bash^M: bad interpreter: No such file or directory
    
    
    [user@opal2 userspace-fpm-installer]$ bash install.bash 
    install.bash: line 2: $'\r': command not found
    : invalid optionne 3: set: -
    set: usage: set [-abefhkmnptuvxBCHP] [-o option-name] [--] [arg ...]
    install.bash: line 4: $'\r': command not found
    : No such file or directoryhome/smartair/userspace-fpm-installer
    install.bash: line 7: $'\r': command not found
    : No such file or directory/smartair/userspace-fpm-installer
    install.bash: line 9: $'\r': command not found
    install.bash: line 112: warning: here-document at line 56 delimited by end-of-file (wanted `EOF')
    install.bash: line 113: syntax error: unexpected end of file
    • sean replied to this.

      pjrobertson somehow your install.bash script has DOS line-endings so it can't be executed on the server.

      You can fix it by running dos2unix install.bash in the installer directory.
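
Added example, not part of the thread or the installer: a check for the DOS line endings diagnosed above that converts the affected files in place when dos2unix is not available, then confirms the script parses before it is run. The function names are this example's own.

```shell
# Added example (not from the thread): detect and repair CRLF line endings.
# Function names are this example's own.

# True if the file contains at least one carriage return byte.
has_crlf() {
    LC_ALL=C grep -q "$(printf '\r')" "$1"
}

# Convert each named file in place and print what was changed.
fix_crlf() {
    for f in "$@"; do
        [ -f "$f" ] || { echo "skip (not a file): $f" >&2; continue; }
        has_crlf "$f" || continue
        tmp=$(mktemp) || return 2
        # cat back into the original so its mode (the executable bit) is kept.
        if tr -d '\r' < "$f" > "$tmp" && cat "$tmp" > "$f"; then
            echo "converted: $f"
        else
            rm -f "$tmp"
            return 2
        fi
        rm -f "$tmp"
    done
    return 0
}

# Gate: refuse a script that still has carriage returns or does not parse.
# bash -n reads the script and reports syntax errors without executing it.
safe_to_run() {
    has_crlf "$1" && { echo "$1: DOS line endings" >&2; return 1; }
    bash -n "$1" 2>/dev/null || { echo "$1: syntax error" >&2; return 1; }
}
```

In the installer directory this would be used as fix_crlf install.bash config followed by safe_to_run install.bash.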

      sent request by email for you to check we have done ok so far and how to continue. thanks in advance!

      Thanks from our team - the private-php-fpm-stack-on-nginx rocks - professional tech & support from opalstack!

      6 days later

      What are pros & cons running private php-fpm for VPS users and applications? Estimated memory & CPU usage per fpm-php port application ? Do you recommend tuning the default values and if so, which one specially ? Is the content of VPS user protected from other VPS users/ other opalstack users/anonymous web users ? Is it so that protected content such as code can only be .php ? Thanks in advance for any advice !

      • sean replied to this.

        dragonxi The pro is that you have total control over your Nginx/Apache/FPM configuration. The con is that you have to manage that config manually. We do recommend that you tune the config according to your needs, but it's up to you to decide exactly how to do that. Your content is protected to whatever extent that you protect it.

        Thanks Sean, we know now how to proceed & everything has worked fine according to your instructions and the scripts.

        6 days later

        Addition to our ticket #46935: is so that
        once we realized our mistake in config file
        we should not have edited it and not deleted created configuration to install again,
        but instead
        we should have edited post configurated files to match our site routes, apps and domains?
        Our mistake in any case!
        Is there need to delete or undo something ?
        Is there a cron job based on wrong config ?
        Server seemed to create the process and the socket but for some reason they disappeared!

        We had succeeded to configure one php-fpm for each of 14 users, with these two we failed and
        not because of your instructions, which are good ! Luckily, one can get the web page running by editing the site route back!

        • sean replied to this.

          dragonxi I've followed up on your ticket. Your app is working normally following a restart.

          thanks,
          just to let you know, we did the following with those web pages we got to run with fpm:
          (1) configured fpm according to your instructions
          (2) changed site route to use
          fpm2xxxxxxxx_app instead of xxxxxxx_app
          (3) run
          .stop
          (4) waited to get 502 Gateway error with browser
          which required some time and trying with
          different browsers i.e
          thereby verified we are using the private fpm
          (5) . start
          (6) tested with browser to have xxxxxxxx.app up
          which required some time
          i.e.
          we didn't get "file not found error" with these.

          Don't remember why we did not run .restart,
          is the command there ? available as stop and start ?

          • sean replied to this.

            dragonxi yes, there is a restart command for your private FPM stack, as mentioned in the OP:

            sean start/stop/restart scripts are in the bin subdir

            So, for an app named appname the commands are:

            ~/apps/appname/bin/start
            ~/apps/appname/bin/stop
            ~/apps/appname/bin/restart
            2 months later

            How do these three commands work and how to use them in crontab:

            (1) start
            • if the process is dead, it starts a new one ?
            • crontab is now set to call start every 10 min ?

            • what will happen if process is not dead ?
            • any alternatives for every 10 min ?

            (2) restart
            • used in cases php processes behave badly
            i.e cause memory leaks etc ?
            • how to define in crontab (if need) ?
            • if there is no process, what will restart cause ?

            (3) stop
            • when to call it in crontab ?
            • to stop bad behaviour ?
            • start call after stop call ?

            Thanks in advance for any advice
            & stay covid-19 safe

            • sean replied to this.

              dragonxi

              1) The start command will start your FPM stack if it is not running. If it is already running then the start command will emit an error message to let you know that, and the existing process will continue to run. The default cron job runs the start command every 10 minutes. You can use whatever interval you want.

              2) The restart command runs the stop command followed by the start command. If there is no process running when you run restart, then a new process will be started. Since it stops the app before it restarts it then yes, it would conceivably help with memory leaks. Running restart via cron is not a good idea since it will take down your site for a few seconds every time it runs. I don't recommend running the restart command in your crontab unless you are absolutely certain that you need to. You can define cron jobs by running crontab -e in an SSH session.

              3) If there's some reason that you want to shut down your website on a recurring schedule then you could schedule the stop command in cron. If you'd want to restart it some time after doing so then yes, you'd need to use the start command to do that. If you'd want it to start right after the stop command then use the restart command instead of stop.

              Thanks for your advice Sean!

              We got our web sites powered by php-fpm.

              Python we used to create scripts for crontab

              • to start fpm processes as you recommended
                and to backup
              • userspace-fpm-installer
              • fpm applications
              • corresponding apps
                using timings tuned for each vps user.

              We would like to know your opinion about tuning the php,
              and if so, which settings and values would you recommend:

              (1) emergency_restart_threshold int <-- ?
              (2) emergency_restart_interval mixed <-- ?
              (3) process_control_timeout mixed <-- ?
              (4) any other <-- which one(s) ?

              Ref:

              Thanks for your excellent customer support
              and if possible, pass our greetings to that WebFaction guy!

              • sean replied to this.

                dragonxi The only FPM parameter that I usually adjust on a private stack is pm.max_children, which I usually raise to a higher value when a site needs to handle a higher level of traffic.

                I do not have any other opinions or general recommendations regarding tuning your FPM config.

                How to keep a private PHP-FPM protected against viruses while it is running and which content to virusscan and where ?
                (1) /apps <-- all apps for one vps user
                (2) /apps/fpm2xxxx_app <-- proxy ports
                (3) /apps/xxxx_app <-- php applications
                (4) /userspace-fpm-installer
                (5) any good virusscan program to install
                for vps users and to let cronjob to virusscan ?
                (6) in case virusscan software is not available
                in server and we ftp download content to a workstation, run virusscan there then what do we have to take into account with (2) ?
                (a) stop
                (b) download
                (c) if virus found then delete the current (2) and configure it again once we have checked also
                the (4)
                or
                is it better to download /temp/backup
                files taken by cron and virusscan them in work stations ?
                (7) is safer to have viruses scanned in the server
                and using a virusscan software which is specialized to find php-fpm viruses and if so
                which open source one would you recommend ?
                (8) is no open source one in (7) and in case
                we'll find a good commercial one, could opalstack install it provided it fits with php-fpm ?

                Thank you in advance for any help and
                as said before you have helped a lot by bringing this php-fpm system available and supporting it!

                • sean replied to this.

                  dragonxi I recommend you scan your files locally on your own computer before you ever upload them to your Opalstack server.

                  There is no virus scanner installed on your VPS at this time. We can install the open-source ClamAV scanner on your VPS if you'd like, but you'll need to email support via your registered account email address to request it.

                  We're not able to install commercial software on our platform for you.
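
Added example, not from Opalstack: a cron-friendly wrapper around ClamAV's clamscan, assuming it has been installed as described above, that scans a directory such as $HOME/apps and prints only the infected paths. The function names, the script path in the crontab comment and the log path are assumptions of this example.

```shell
# Added example; assumes ClamAV's clamscan is installed.
# Function names and paths are this example's own.

# Print the path of every file the scan log marks as infected.
# clamscan reports a hit as "<path>: <signature> FOUND".
infected_from_log() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p' "$1"
}

# Scan a tree recursively.
# Returns 0 clean, 1 infected, 2 scanner error, 3 clamscan not installed.
scan_tree() {
    target=$1
    log=$2
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 3; }
    : > "$log"                      # start from an empty log for this run
    rc=0
    # -r recurse, -i report infected files only; clamscan exits 1 on a hit, 2 on error.
    clamscan -r -i --no-summary --log="$log" "$target" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) return 0 ;;
        1) echo "infected files under $target:"
           infected_from_log "$log"
           return 1 ;;
        *) echo "clamscan failed (exit $rc), see $log" >&2
           return 2 ;;
    esac
}

# Constructed crontab entry (hypothetical script path): scan nightly and stay
# silent when clean, so cron only sends mail on a hit or a scanner failure.
# 30 3 * * * . $HOME/bin/clamscan-apps.sh && scan_tree "$HOME/apps" "$HOME/logs/clamscan.log"
```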
