This config is built on an Ubuntu 11.04 server. The software is nginx and php-fpm (php5-fpm). For performance, it's recommended to run php-fpm in socket mode instead of accessing it via IP:PORT. That is the method shown below.
~~~
# Implement upstream connection to PHP-FPM
# "phpfpm" here is a name for this upstream connection, which you can customize
# I create a custom upstream connection per vhost, to better segregate PHP processes by vhost
# To do the same, you need a unique upstream name, and a unique filename for your php5-fpm.sock file
upstream phpfpm {
    server unix:/var/run/php5-fpm.sock;
}

server {
    # Listening on port 80 without an IP address is only recommended if you are not running multiple v-hosts
    #listen 80;
    # Bind to the public IP bound to your domain
    # (192.0.2.10 is a documentation placeholder; replace it with your server's address)
    listen 192.0.2.10:80;
    # Specify this vhost's domain name
    server_name mydomainname.com;
    root /var/www/mydomainname.com/public;
    index index.php index.html index.htm;

    # Specify log locations for current site
    access_log /var/www/mydomainname.com/log/access.log;
    error_log /var/www/mydomainname.com/log/error.log warn;

    # Typically I create a restrictions.conf file that I then include across all of my vhosts
    #include conf.d/restrictions.conf;
    # I've included the content of my restrictions.conf in-line for this example

    # BEGIN restrictions.conf
    # Disable logging for favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # Disable logging for robots.txt
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
    # END restrictions.conf

    # Typically I create a yiiframework.conf file that I then include across all of my yii vhosts
    #include conf.d/yiiframework.conf;
    # I've included the content of my yiiframework.conf in-line for this example

    # BEGIN yiiframework.conf
    # Block access to protected, framework, and nbproject (artifact from Netbeans)
    location ~ /(protected|framework|nbproject) {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Block access to theme-folder views directories
    location ~ /themes/\w+/views {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Attempt the uri, uri+/, then fall back to yii's index.php with args included
    # Note: old examples use IF statements, which nginx considers evil, this approach is more widely supported
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # END yiiframework.conf

    # Tell browser to cache image files for 24 hours, do not log missing images
    # I typically keep this after the yii rules, so that there is no conflict with content served by Yii
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 24h;
        log_not_found off;
    }

    # Block for processing PHP files
    # Specifically matches URIs ending in .php
    location ~ \.php$ {
        # Return 404 instead of handing a non-existent script path to PHP-FPM
        try_files $uri =404;

        # Fix for server variables that behave differently under nginx/php-fpm than typically expected
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # Include the standard fastcgi_params file included with nginx
        include fastcgi_params;
        fastcgi_index index.php;
        # Override the SCRIPT_FILENAME variable set by fastcgi_params
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Pass to upstream PHP-FPM; This must match whatever you name your upstream connection
        fastcgi_pass phpfpm;
    }
}
~~~
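Which block handles a request depends on nginx's selection order (exact match, then regex locations in config order, then the longest prefix), not only on the patterns. The following is an added example, not part of the original article: it replays that order in Python over the location blocks above, using constructed sample paths and action labels of its own.

```python
import re

# Location blocks copied from the vhost above, in config order.
# Each entry: (modifier, pattern, action); the action labels are this example's own.
LOCATIONS = [
    ("=",  "/favicon.ico", "static, unlogged"),
    ("=",  "/robots.txt", "static, unlogged"),
    ("~",  r"/\.", "deny"),
    ("~",  r"/(protected|framework|nbproject)", "deny"),
    ("~",  r"/themes/\w+/views", "deny"),
    ("",   "/", "try_files -> /index.php"),
    ("~*", r"\.(js|css|png|jpg|jpeg|gif|ico)$", "static, expires 24h"),
    ("~",  r"\.php$", "php-fpm"),
]

def select_location(uri):
    """Return the (modifier, pattern, action) nginx would pick for a normalized URI path."""
    # 1. An exact "=" match wins immediately.
    for loc in LOCATIONS:
        if loc[0] == "=" and uri == loc[1]:
            return loc
    # 2. Remember the longest matching prefix location ("^~" would stop the search here).
    prefixes = [l for l in LOCATIONS if l[0] in ("", "^~") and uri.startswith(l[1])]
    best = max(prefixes, key=lambda l: len(l[1]), default=None)
    if best and best[0] == "^~":
        return best
    # 3. Regex locations are tried in config order; the first match wins.
    for loc in LOCATIONS:
        if loc[0] in ("~", "~*"):
            flags = re.IGNORECASE if loc[0] == "~*" else 0
            if re.search(loc[1], uri, flags):
                return loc
    # 4. No regex matched: fall back to the longest prefix.
    return best

# Constructed sample request paths (not taken from any real log).
SAMPLES = [
    "/protected/config/main.php",
    "/.htaccess",
    "/themes/classic/views/site/index.php",
    "/index.php",
    "/css/main.css",
    "/site/contact",
    "/images/framework-logo.png",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:40} -> {select_location(uri)[2]}")
```

The PHP files under `/protected` and the theme views are denied only because their regex blocks appear before `\.php$`; moving the PHP block above them would hand those scripts to PHP-FPM. The last sample shows that the deny pattern is unanchored, so it also rejects any path that merely contains `/framework`, `/protected` or `/nbproject`.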
PHP-FPM config is below; I have not had to optimize the settings yet, as they work fine for my usage. Replace any instance of USER and GROUP with the user and group you want to run the website under. Typical is www-data in Ubuntu.

~~~
[phpfpm]
listen = /var/run/php5-fpm.sock
listen.owner = USER
listen.group = GROUP
listen.mode = 0666
;listen.backlog = 4096
user = USER
group = GROUP
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.status_path = /fpm-status
ping.path = /fpm-ping
ping.response = pong
chdir = /var/www/mydomainname.com
catch_workers_output = yes
request_terminate_timeout = 180s

; The following php_admin_* settings override php.ini settings
php_admin_value[error_log] = /var/www/mydomainname.com/log/fpm-php-error.log

; The following settings are specifically used on development sites
; Should review/disable for production site
php_admin_value[max_execution_time] = 180
php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 320m
php_admin_value[error_reporting] = E_ALL
php_admin_flag[display_errors] = on
php_admin_flag[display_startup_errors] = on
~~~
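The pool file marks its development-only settings for review before production. The following is an added example, not part of the original article: a small Python check that parses a pool file and reports two settings to resolve before production, a socket mode that grants access beyond owner and group, and error display sent to clients. The `audit_pool` name and the embedded excerpt are this example's own; tightening `listen.mode` to 0660 assumes the nginx worker user is the socket owner or a member of `listen.group`.

```python
import configparser

# Constructed excerpt of the pool file above, with USER/GROUP left as placeholders.
POOL = """
[phpfpm]
listen = /var/run/php5-fpm.sock
listen.owner = USER
listen.group = GROUP
listen.mode = 0666
php_admin_flag[log_errors] = on
php_admin_value[error_reporting] = E_ALL
php_admin_flag[display_errors] = on
php_admin_flag[display_startup_errors] = on
"""

ON = {"on", "1", "yes", "true"}

def audit_pool(text):
    """Return (pool, setting, reason) findings to resolve before production."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for pool in cp.sections():
        opts = cp[pool]
        listen = opts.get("listen", "")
        mode = opts.get("listen.mode")
        # listen.mode only applies to unix sockets, i.e. a listen value that is a path.
        if listen.startswith("/") and mode is not None and int(mode, 8) & 0o007:
            findings.append((pool, "listen.mode",
                             "socket is accessible to users outside listen.owner/listen.group"))
        # Error display can be switched on through either directive form.
        for flag in ("display_errors", "display_startup_errors"):
            for directive in ("php_admin_flag", "php_flag"):
                if opts.get(f"{directive}[{flag}]", "off").strip().lower() in ON:
                    findings.append((pool, f"{directive}[{flag}]",
                                     "PHP errors are sent to the client"))
    return findings

if __name__ == "__main__":
    for pool, setting, reason in audit_pool(POOL):
        print(f"[{pool}] {setting}: {reason}")
```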
Duplicate?
http://www.yiiframework.com/wiki/15/how-to-hide-index-php-on-nginx
Not a duplicate
@samdark, this is not a duplicate posting, as the one that you linked only shows a partial config, and does not reference any configuration to disable folders that should be inaccessible (though best practice is to deploy /protected/ in a non-web-accessible folder).
The config as-posted needs a bit of tweaking, but is a good start.
Note on example domain name
"example.com" or similar should be used. See http://www.iana.org/domains/example/.
Wrong conf.d/yiiframework.conf
I have been struggling with moving yiiframework.conf to conf.d/. Since I'm new to Nginx, it didn't work creating yiiframework.conf with just the location configuration. As far as I figured out, conf.d files are autoloaded by nginx, so they have to be complete config files. Creating a separate directory for my "global" includes worked.
So:
1) create /etc/nginx/globals
2) create restrictions.conf and yiiframework.conf there
3) reference those files from your server config section.
That's it!
fastcgi_split_path_info is useless
fastcgi_split_path_info just defines a variable, it is useless without passing the parameters to PHP:
~~~
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
~~~
Here is my version of Nginx configuration:
http://yii.grik.net/index.php?title=Apache_and_Nginx_configurations
avoid unix sockets
There is a linux-specific issue for unix sockets, don't use them to connect FPM and Nginx or you will get errors on load.
There were a couple of long threads between Sysoev and Nigmatulin on this topic a few years ago.
Local sockets still an issue?
@grigori are you possibly referring to this? Does it still stand? I've got a couple of CentOS setups running (which means heavily patched 2.6.18 kernels) relying on local sockets a lot for both, MySQL and php-fpm. Haven't had any problems so far.
Re: Local sockets still an issue?
Yes, they are and will as far as I know. I'll ask Andrei or Tony if they heard anything about a fix in the linux kernel, but I don't rely on this.
You may not experience any problem until some load, and you won't see them - some users will.
Also, it is important to set cgi.fix_pathinfo 0 in php.ini to avoid a serious security issue and improve performance.
I committed a safe and flexible Nginx configuration to the yii guide, it should get published with 1.1.9
Re[2]: Local sockets still an issue?
Hm, that is worrying to hear. Especially since I've managed to save some precious memory that way. I think I'm going to set up a test system soon and see if I'll be able to reproduce the issue.
Regarding the rest: Isn't that part of the nginx Pitfalls already?
Yii + Nginx + SSL
Thanks for the article. I'm wondering if you've experienced any strange issues with regard to using Nginx and SSL. I have an unsolved forum post that maybe you could help me with:
http://www.yiiframework.com/forum/index.php?/topic/24169-https-302-redirect-issue-when-posting-form/page__p__117336__fromsearch__1#entry117336
Please consider using a wider list of file types, because glyphicons can be invisible due to access problems. My list is: