====== NGiNX + php-fpm ======
phpを動作させるに当たってはphpに同梱されているphp-FPM(FastCGI Process Manager)を利用する。

===== Install =====

==== NGiNX ====
オプションの設定があるのでportsからインストールする。((perlが一緒にインストールされるので、先にpkgで入れておくのが吉))\\
2017.12.27：GEOIP、IMAGE_FILTER、PERL以外は最初からONになってるのでPKGでもOK
<code>
# cd /usr/ports/www/nginx
# make config
[X] : HTTP_ADDITION_MODULE
[X] : HTTP_CACHE_MODULE
[X] : HTTP_GEOIP_MODULE
[X] : HTTP_GZIP_STATIC_MODULE
[X] : HTTP_IMAGE_FILTER_MODULE
[X] : HTTP_PERL_MODULE
[X] : HTTP_REALIP_MODULE
[X] : HTTP_REWRITE_MODULE
[X] : HTTP_SSL
[X] : HTTP_STATUS_MODULE
# make install
# make clean
</code>

  # pkg lock nginx
==== php ====
<del>オプション(FPM)の設定があるのでportsからインストールする。</del>
2017.12.27:現在はデフォルトでON

  # pkg install php71

↓ここは古い
<code>
  # cd /usr/ports/lang/php56
  # make config
  [X] : FPM
  # make install
  # make clean
</code>

  # pkg lock php56

==== php-extensions ====

  pkg install php71-extensions

===== 設定 =====
==== /usr/local/etc/php.ini ====

とりあえずこんな感じ。((/usr/local/etc/php.ini-productionをコピーして使うのも良いかと))
<code>
date.timezone = Asia/Tokyo    <= こうしないとエラーになるCMSが多い
memory_limit = 32M
upload_max_filesize = 10M
post_max_size = 20M
expose_php = off              <= phpのバージョンをheaderに表示しない
</code>

==== /usr/local/etc/php-fpm.conf ====

<code>
[global] 
events.mechanism = kqueue
...
include=/usr/local/etc/php-fpm.d/*.conf
</code>

==== /usr/local/etc/php-fpm.d/www.conf ====

<code>
[www]
user = www
group = www
listen = /var/run/php-fpm.sock  <= listenはソケットにした(DefaultはTCP:127.0.0.1:9000)
listen.owner = www              <= 設定しないと /var/run/php-fpm.sock failed (13: Permission denied) で動かない
listen.group = www              <= 
listen.mode = 0666              <= 
</code>

<del>※5.6では今は一体化されてphp-fpm.confに内包されている</del>
==== /usr/local/etc/nginx/nginx.conf ====

<code>
user  www www;
worker_processes         auto;
worker_cpu_affinity      auto;
worker_priority          0;
#worker_rlimit_nofile    8192;
error_log                /var/log/nginx/nginx-error.log  info;

pid /var/run/nginx.pid;
 
events {
  multi_accept        on;
  worker_connections  512;      <= 一つのworkerプロセスが同時に処理できる最大コネクション数
  accept_mutex on;
  accept_mutex_delay  100ms;
}
 
http {
  include       conf.d/options;  <= optionはファイルから
  include       conf.d/proxy; 
  include       conf.d/ssl;

  include       mime.types;
  default_type  application/octet-stream;

  access_log  /var/log/nginx/access.log main buffer=32k;     <= mainの定義はconf.d/options
 
  include sites/*.site;          <= site毎の設定はファイルから
}
</code>

==== /usr/local/etc/nginx/conf.d/options ====
((http節でinclude))

<code>
client_body_timeout       5s;
client_header_timeout     5s;
keepalive_timeout         75s;
send_timeout              15s;
charset                   utf-8;
gzip                      on;
gzip_static               on;
gzip_proxied              any;
ignore_invalid_headers    on;
keepalive_requests        50;
keepalive_disable         none;
max_ranges                1;
msie_padding              off;
open_file_cache           max=1000 inactive=2h;
open_file_cache_errors    on;
open_file_cache_min_uses  1;
open_file_cache_valid     1h;
output_buffers            1 512;
postpone_output           1440;
read_ahead                512K;
recursive_error_pages     on;
reset_timedout_connection on;
sendfile                  on;
server_tokens             off;
server_name_in_redirect   off;
source_charset            utf-8;
tcp_nodelay               on;
tcp_nopush                off;
gzip_disable              "MSIE [1-6]\.(?!.*SV1)";
limit_req_zone            $binary_remote_addr  zone=gulag:1m   rate=60r/m;
log_format                main  '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
</code>

==== /usr/local/etc/nginx/sites/default.site ====
以下の設定でデフォルトでは接続しなくなる
<code>
server {
    listen 80 default_server;        <= default_server：デフォルトサーバに指定
    return 444;                      <= コネクションクローズ
}
</code>
==== /usr/local/etc/nginx/sites/*.site ====
<code>
server {
        server_name example.com www.example.com;   <= 環境に合わせる
        # add_header  Cache-Control "public";      <= HTTP キャッシュ ヘッダの設定
        add_header  Cache-Control "private, no-store, no-cache, must-revalidate";
        add_header  Pragma "no-cache";
        add_header  X-Frame-Options "DENY";        <= クリックジャッキング対策
        limit_req   zone=gulag burst=2000 nodelay; <= かなり低めに設定しているので注意
                                                   <= gulag の定義はconf.d/options
        expires     max;
 
        listen 80;
        listen 443 ssl;                            <= SSL関連
        include conf.d/ssl;                        <= SSL関連
 
        root /usr/local/www/mySite;                <= 環境に合わせる
        index index.html index.htm index.php;
 
        location = /favicon.ico { return 204; }    <= No Content
 
        location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ { deny all; }
 
        location ~ /\. {
                deny all;
                access_log off;
                log_not_found off;
        }
 
        location / {
                root /usr/local/www/mySite;       <= 環境に合わせる
                try_files $uri $uri/ /index.php?$args;
        }
 
 
        location ~ \.php$ { include conf.d/php-fpm; }
 
        error_page   500 502 503 504  /50x.html;
        location = /50x.html { root   /usr/local/www/nginx-dist; }
}
</code>
==== /usr/local/etc/nginx/conf.d/ssl ====

<code>
ssl_certificate /path/to/myCertificate.pem;       <= 環境に合わせる
ssl_certificate_key /path/to/myKey.pem;           <= 環境に合わせる
ssl_dhparam /path/to/dhparam4096.pem;             <= 環境に合わせる
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
</code>

==== /usr/local/etc/nginx/conf.d/php-fpm ====

<code>
fastcgi_pass unix:/var/run/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
try_files  $uri = 404;
fastcgi_split_path_info  ^(.+\.php)(.*)$;
fastcgi_index  index.php;
fastcgi_intercept_errors  on;
fastcgi_ignore_client_abort  off;
fastcgi_connect_timeout  60;
fastcgi_send_timeout  180;
fastcgi_read_timeout  180;
fastcgi_buffer_size  128k;
fastcgi_buffers  4 256k;
fastcgi_busy_buffers_size  256k;
fastcgi_temp_file_write_size  256k;
#fastcgi_param GEOIP_COUNTRY_CODE $geoip_country_code;
#fastcgi_param GEOIP_COUNTRY_NAME $geoip_country_name;
include fastcgi_params;  # pkg default file
</code>
===== 起動 =====
==== /etc/rc.conf ====
  php_fpm_enable="YES"
  nginx_enable="YES"

==== チェック ====
  # service nginx configtest
  Performing sanity check on nginx configuration:
  nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
  nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
  
==== チェック用のページを作る ====

  # sh -c 'echo "<?php phpinfo(); ?>" >  /usr/local/www/mySite/info.php'      <= 環境に合わせる

==== 起動 ====

  # service php-fpm restart
  # service nginx restart
===== 参考 =====
[[http://heartbeats.jp/hbblog/2012/02/nginx03.html|nginxの設定、その1]]

[[http://heartbeats.jp/hbblog/2012/04/nginx05.html|nginxの設定、その3 - locationディレクティブ]]