====== NGiNX + php-fpm ======
To run PHP, use php-FPM (FastCGI Process Manager), which ships with php itself.
===== Install =====
==== NGiNX ====
There are options to set, so install from ports.((perl gets pulled in as a dependency, so it is best to install it with pkg first))\\
2017.12.27: everything except GEOIP, IMAGE_FILTER and PERL is already ON by default, so installing with pkg is fine too
# cd /usr/ports/www/nginx
# make config
[X] : HTTP_ADDITION_MODULE
[X] : HTTP_CACHE_MODULE
[X] : HTTP_GEOIP_MODULE
[X] : HTTP_GZIP_STATIC_MODULE
[X] : HTTP_IMAGE_FILTER_MODULE
[X] : HTTP_PERL_MODULE
[X] : HTTP_REALIP_MODULE
[X] : HTTP_REWRITE_MODULE
[X] : HTTP_SSL
[X] : HTTP_STATUS_MODULE
# make install
# make clean
# pkg lock nginx
==== php ====
The FPM option needs to be set, so install from ports.
2017.12.27: now ON by default
# pkg install php71
↓ the following is old
# cd /usr/ports/lang/php56
# make config
[X] : FPM
# make install
# make clean
# pkg lock php56
==== php-extensions ====
pkg install php71-extensions
===== Settings =====
==== /usr/local/etc/php.ini ====
Something like this for now.((Copying /usr/local/etc/php.ini-production and using that is also fine))
date.timezone = Asia/Tokyo <= many CMSes throw an error without this
memory_limit = 32M
upload_max_filesize = 10M
post_max_size = 20M
expose_php = off <= don't expose the php version in the headers
==== /usr/local/etc/php-fpm.conf ====
[global]
events.mechanism = kqueue
...
include=/usr/local/etc/php-fpm.d/*.conf
==== /usr/local/etc/php-fpm.d/www.conf ====
[www]
user = www
group = www
listen = /var/run/php-fpm.sock <= listen set to a unix socket (the default is TCP 127.0.0.1:9000)
listen.owner = www <= without this it fails with /var/run/php-fpm.sock failed (13: Permission denied)
listen.group = www <= ditto
listen.mode = 0666 <= ditto
Note: in 5.6 this pool section is now merged into php-fpm.conf.
==== /usr/local/etc/nginx/nginx.conf ====
user www www;
worker_processes auto;
worker_cpu_affinity auto;
worker_priority 0;
#worker_rlimit_nofile 8192;
error_log /var/log/nginx/nginx-error.log info;
pid /var/run/nginx.pid;
events {
multi_accept on;
worker_connections 512; <= maximum number of connections one worker process can handle at the same time
accept_mutex on;
accept_mutex_delay 100ms;
}
http {
include conf.d/options; <= options come from a file
include conf.d/proxy;
include conf.d/ssl;
include mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log main buffer=32k; <= main is defined in conf.d/options
include sites/*.site; <= per-site settings come from files
}
==== /usr/local/etc/nginx/conf.d/options ====
((included from the http block))
client_body_timeout 5s;
client_header_timeout 5s;
keepalive_timeout 75s;
send_timeout 15s;
charset utf-8;
gzip on;
gzip_static on;
gzip_proxied any;
ignore_invalid_headers on;
keepalive_requests 50;
keepalive_disable none;
max_ranges 1;
msie_padding off;
open_file_cache max=1000 inactive=2h;
open_file_cache_errors on;
open_file_cache_min_uses 1;
open_file_cache_valid 1h;
output_buffers 1 512;
postpone_output 1440;
read_ahead 512K;
recursive_error_pages on;
reset_timedout_connection on;
sendfile on;
server_tokens off;
server_name_in_redirect off;
source_charset utf-8;
tcp_nodelay on;
tcp_nopush off;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
limit_req_zone $binary_remote_addr zone=gulag:1m rate=60r/m;
log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
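As an added example (not from the original page), the following Python parser reads access-log lines written with the ''main'' log_format defined above, counts requests per client per minute against the 60r/m rate of the gulag zone, and separates plain-HTTP hits (empty $ssl_cipher) from TLS ones; the sample lines are constructed. With burst=2000 nodelay in the site config, nginx itself only starts answering 503 once that burst is used up, so the count here is an early-warning view rather than a replica of limit_req.

```python
import re
from collections import Counter

# Field order follows the page's log_format main (conf.d/options).
LOG_RE = re.compile(
    r'^(?P<addr>\S+) (?P<host>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<cipher>\S*) (?P<rtime>[\d.]+)$')

ZONE_RATE_PER_MIN = 60  # limit_req_zone ... rate=60r/m on this page


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def per_client_minute(lines):
    """Count requests per (client, minute); the minute is cut from $time_local."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["addr"], rec["time"][:17])] += 1  # "27/Dec/2017:10:15"
    return counts


def clients_over_rate(lines, rate=ZONE_RATE_PER_MIN):
    """Clients whose per-minute count exceeds the zone rate (503 candidates)."""
    return sorted({addr for (addr, _), n in per_client_minute(lines).items() if n > rate})


def plaintext_requests(lines):
    """Records where $ssl_cipher is empty, i.e. the request came in on port 80."""
    return [r for r in map(parse_line, lines) if r and not r["cipher"]]


# Constructed sample: 61 plain-HTTP hits from one client inside one minute,
# plus a single TLS request from another client.
SAMPLE = [f'198.51.100.7 example.com - [27/Dec/2017:10:15:{i % 60:02d} +0900] '
          '"GET /index.php HTTP/1.1" 200 512 "-" "curl/7.57.0"  0.004'
          for i in range(61)]
SAMPLE.append('203.0.113.5 example.com - [27/Dec/2017:10:15:30 +0900] '
              '"GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" '
              'ECDHE-RSA-AES256-GCM-SHA384 0.012')
```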
==== /usr/local/etc/nginx/sites/default.site ====
With the settings below, the default server no longer accepts connections.
server {
listen 80 default_server; <= default_server: make this the default server
return 444; <= close the connection without a response
}
==== /usr/local/etc/nginx/sites/*.site ====
server {
server_name example.com www.example.com; <= adjust to your environment
# add_header Cache-Control "public"; <= HTTP cache header setting
add_header Cache-Control "private, no-store, no-cache, must-revalidate";
add_header Pragma "no-cache";
add_header X-Frame-Options "DENY"; <= clickjacking protection
limit_req zone=gulag burst=2000 nodelay; <= set fairly low, so take care; gulag is defined in conf.d/options
expires max;
listen 80;
listen 443 ssl; <= SSL related
include conf.d/ssl; <= SSL related
root /usr/local/www/mySite; <= adjust to your environment
index index.html index.htm index.php;
location = /favicon.ico { return 204; } <= No Content
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ { deny all; }
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location / {
root /usr/local/www/mySite; <= adjust to your environment
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ { include conf.d/php-fpm; }
error_page 500 502 503 504 /50x.html;
location = /50x.html { root /usr/local/www/nginx-dist; }
}
==== /usr/local/etc/nginx/conf.d/ssl ====
ssl_certificate /path/to/myCertificate.pem; <= adjust to your environment
ssl_certificate_key /path/to/myKey.pem; <= adjust to your environment
ssl_dhparam /path/to/dhparam4096.pem; <= adjust to your environment
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
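As an added check (not part of the original page), this Python script parses the conf.d/ssl fragment above together with the www.conf pool settings and flags the entries a reviewer would question: TLSv1 and TLSv1.1 are deprecated (RFC 8996), the cipher list names RC4 suites that its own trailing !RC4 removes again, and listen.mode 0666 lets any local user connect to php-fpm. The two fragments are embedded as constructed, abbreviated copies of the page's own settings.

```python
import re

# Constructed, abbreviated copies of the fragments on this page (conf.d/ssl and www.conf).
SSL_FRAGMENT = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_prefer_server_ciphers on;
"""
FPM_FRAGMENT = """
[www]
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0666
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568 / RFC 8996


def parse_nginx(text):
    """Map one-line nginx directives to their value (surrounding quotes removed)."""
    out = {}
    for m in re.finditer(r'^\s*([a-z_]+)\s+(.*?);\s*$', text, re.M):
        out[m.group(1)] = m.group(2).strip().strip('"')
    return out


def parse_ini(text):
    """Map php-fpm pool ``key = value`` lines to their value; sections and comments skipped."""
    out = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(";"):
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def audit(ssl_text, fpm_text):
    """Return a list of readable findings; an empty list means nothing was flagged."""
    findings = []
    ssl = parse_nginx(ssl_text)
    weak = [p for p in ssl.get("ssl_protocols", "").split() if p in DEPRECATED_PROTOCOLS]
    if weak:
        findings.append("ssl_protocols enables deprecated " + " ".join(weak))
    ciphers = ssl.get("ssl_ciphers", "").split()
    if any("RC4" in c and not c.startswith("!") for c in ciphers):
        # OpenSSL's '!' removes a suite permanently, so a trailing !RC4 wins and the
        # positive RC4 entries are dead weight; the list reads clearer without them.
        note = " (later negated by !RC4)" if "!RC4" in ciphers else ""
        findings.append("ssl_ciphers lists RC4 suites" + note)
    mode = parse_ini(fpm_text).get("listen.mode", "0660")  # php-fpm's default is 0660
    if int(mode, 8) & 0o002:  # world-writable socket: any local user may connect
        findings.append("listen.mode %s lets any local user connect to php-fpm" % mode)
    return findings
```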
==== /usr/local/etc/nginx/conf.d/php-fpm ====
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
#fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
#fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
include fastcgi_params; # pkg default file
===== Startup =====
==== /etc/rc.conf ====
php_fpm_enable="YES"
nginx_enable="YES"
==== Check ====
# service nginx configtest
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
==== Create a check page ====
# sh -c 'echo "<?php phpinfo(); ?>" > /usr/local/www/mySite/info.php' <= adjust to your environment; remove the file once the check is done
==== Start ====
# service php-fpm restart
# service nginx restart
===== References =====
[[http://heartbeats.jp/hbblog/2012/02/nginx03.html|nginx configuration, part 1]]
[[http://heartbeats.jp/hbblog/2012/04/nginx05.html|nginx configuration, part 3 - the location directive]]