nginx and php with fpm

It used to be relatively simple to set up PHP + webserver. You could just do the equivalent of

yum install apache php

and you would be ready to go.
Unfortunately, since the powers that be, have determined that shunting off PHP to a separate FPM is the only secure way to go, things have been a lot more complex to set up.
Additionally, some "how-to" guides, are actually WRONG, even when they are the #1 or #2 google hits at present. Or, they hardcode pathnames, which you have to edit.

So here's a way to make installation cut-n-paste simple again, as of 2020, even if you are using multiple virtual hosts.

Speaking of simple; thats why I now choose nginx over apache for PHP use. It is smaller, faster, and the config files are simpler too. There's very little reason to hassle with apache these days. Back in the day, apache was a good choice since you could avoid using a separate demon for PHP. But since you have to run a separate demon now... May as well make it nginx.

Step 1: Install binaries

Not much surprise here: Do the typical "yum install nginx php", and enable relevant boottime services. Although with centos 7, you actually have a bit more complication. It is currently required to do

yum install centos-release-scl

yum install nginx rh-php73-php-fpm

systemctl enable nginx rh-php73-php-fpm

Step 2: Set up a wildcard cert for all your sites

How to actually GET the cert isnt going to be covered here. Once you have the cert, and usually a CA chain, then create a file with the following contents:
#this is /etc/nginx/conf.d/00-ssl-wildcard.conf

    ssl_certificate "/etc/pki/tls/certs/cert-and-ca-chain-bundle.crt";
    ssl_certificate_key "/etc/pki/tls/private/server-private-key.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

Step 3: Add PHP enable block

Note that you also probably need to edit your php.ini file in the fpm config dir, and set
   cgi.fix_pathinfo=0


# in each of your server definition blocks 
#  (for example,  in /etc/nginx/conf.d/myserver.com.conf)
# add the following:

  location ~* \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SCRIPT_NAME     $fastcgi_script_name;
    }
    index index.php index.html;
There is further tuning that could be done. For example, it slightly improves latency if you tune both nginx and fpm to communicate with each other through a "UNIX domain socket". I dont bother going into details here, because the above works "out of the box", and it will be sufficient for 95% of the readers' needs.

The other 5% of you probably already know what to do beyond this!


[email protected]
Bolthole Top