Difference between revisions of "Talk:Nginx"

From ArchWiki
(PHP garbage collector (session files removal) in chrooted environment)
(Old, and not useful for the Wiki)
== New directive in /etc/php/php-fpm.conf : clear_env ==
 
Recent versions of php-fpm have the following lines in the config file:

<nowiki>
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
; clear_env = no</nowiki>
 
 
(I think that) <code>clear_env</code> did not exist in old versions.
 
 
If you use something like Nginx + php-fpm + Dokuwiki + latex plugin (many configs may fit), you may experience errors when php is trying to use latex/pdflatex/convert/dvips... :

<nowiki>
lstat(./latex) failed ...
./latex: No such file or directory
latex: ../../../texk/kpathsea/progname.c:316: remove_dots: Assertion `ret' failed.
</nowiki>
 
 
It seems to be a <code>PATH</code> problem but it is not (even though you can fix it (not totally) by launching /usr/bin/latex instead of latex in your PHP code... but then you will have other problems).
 
 
The problem seems to be <code>clear_env = yes</code>, preventing php from getting env vars (not PATH... another one... may be related to kpathsea) and leading to a failure.
 
 
If you just update from an old php-fpm package, you will not be able to launch latex from php anymore.
 
 
The fix is REALLY simple. Just add:

<nowiki>
clear_env = no
</nowiki>

to your <code>/etc/php/php-fpm.conf</code>
 
 
It may lead to security issues, but it took me so long before I found this... :(
 
 
Hope this helps.
 
 
[[User:Snarkturne|Snarkturne]] ([[User talk:Snarkturne|talk]]) 13:10, 8 May 2014 (UTC)
 
 
Don't know if this page is the right place for this kind of information. Please tell me.
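
An audit for the setting discussed above, as an added example that is not part of the original comment or of php-fpm: it reads pool configuration and flags every pool where <code>clear_env = no</code> hands the whole service environment to PHP code, and lists the <code>env[NAME]</code> entries of the other pools. The names <code>fpm_env_audit</code> and <code>sample_conf</code> and the sample pools are assumptions.

```shell
#!/bin/sh
# Added example: report, per php-fpm pool, whether workers inherit the full
# service environment (clear_env = no) or only the listed env[NAME] entries.

fpm_env_audit() {   # hypothetical helper; reads php-fpm configuration on stdin
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report() {
        if (pool == "" || pool == "global") return
        if (clear == "no") { passed = "ALL"; bad = 1 }
        else passed = (vars == "" ? "none" : vars)
        printf "%s clear_env=%s passed=%s\n", pool, clear, passed
    }
    BEGIN { bad = 0 }
    /^[ \t]*(;|$)/ { next }              # comment or blank line
    /^[ \t]*\[/ {                        # a new [section] starts
        report()
        pool = trim($0); pool = substr(pool, 2, length(pool) - 2)
        clear = "yes"; vars = ""         # documented default: clear_env = yes
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = trim(substr($0, 1, eq - 1))
        val = tolower(trim(substr($0, eq + 1)))
        if (key == "clear_env")
            clear = (val ~ /^(no|off|false|0)$/) ? "no" : "yes"
        else if (key ~ /^env\[.+\]$/) {  # explicit per-pool variable
            name = substr(key, 5, length(key) - 5)
            vars = (vars == "" ? name : vars "," name)
        }
    }
    END { report(); exit bad }           # exit 1 if any pool inherits everything
    '
}

sample_conf() {     # constructed sample, not a real configuration
    cat <<'EOF'
[global]
error_log = /var/log/php-fpm.log
[wiki]
clear_env = no
[blog]
; clear_env = no
env[PATH] = /usr/bin:/bin
env[TMP] = /tmp
EOF
}

sample_conf | fpm_env_audit || echo "at least one pool runs with clear_env = no"
```

Feed it the main file and any included pool files together, for example with <code>cat</code>; a non-zero exit status means at least one pool exposes every inherited variable through getenv(), $_ENV and $_SERVER.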
 
 
 
== Reverse Proxying and Security section missing ==
 

Revision as of 12:03, 9 July 2015

Reverse Proxying and Security section missing

Wouldn't it be nice to add more examples of how to reverse proxy with Nginx and to have another section with an in-depth look at SSL security like here [1]? --T.ask (talk) 11:16, 9 March 2014 (UTC)

systemd fails to start php-fpm with settings in this article

systemd gave error "Failed to get D-Bus connection". To fix, change the following in /etc/php/php-fpm.conf :

;error_log = log/php-fpm.log

to

error_log = /var/log/php-fpm.log

Not sure if this is confirmed, but seems to be common. Source: Installing Nginx With PHP5

Does anybody with wikiskills want to make the changes? I am new to wiki editing.

Check Help:Editing and Help:Style, it is a good opportunity to get involved. -- Fengchao (talk) 05:54, 20 March 2013 (UTC)

Running nginx jailed

Wouldn't it be better to use systemd's RootDirectory=, User= and Group= options in the [Service] section instead of running each Exec* with chroot?

/etc/systemd/system/nginx.service
[Unit]
Description=A high performance web server and a reverse proxy server
After=syslog.target network.target

[Service]
Type=forking
RootDirectory=/srv/http
User=http
Group=http
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload
ExecStop=/usr/sbin/nginx -g 'pid /run/nginx.pid;' -s quit

[Install]
WantedBy=multi-user.target

Also Jail's /tmp and /run tmpfs should be added to fstab for the service to load on reboot.

Bash Script for the Whole Setup

I've created a bash script to run all the steps in the setup described in the main article:

https://gist.github.com/adityamukho/7365731

This can be used as is, for 64-bit systems. For 32-bit systems, a few modifications need to be made, esp line 41.

Copying libraries

This one-liner should take care of all the libraries, not just the ones in /usr/lib, provided they are all listed as absolute paths:

# ldd /usr/bin/nginx | sed -n 's!.*\(\s\|^\)\(/\S\+\).*!\2!p' | while read -r LIB; do cp "$LIB" "$JAIL$LIB"; done

I too have made a bash script which automates this tutorial:

https://github.com/bdusell/make-jailed-nginx/blob/master/make-jailed-nginx
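
A variation on the one-liner above, as an added example that is not taken from either linked script: it separates parsing the ldd output from copying, so that a library reported as "not found" stops the run before anything is copied and missing directories inside the jail are created. The function names and the sample ldd output are assumptions; JAIL is the variable used in the one-liner.

```shell
#!/bin/sh
# Added example: split the one-liner into a parser and a copier so that
# unresolved libraries are detected and missing jail directories get created.

ldd_paths() {        # hypothetical helper; reads ldd output on stdin
    awk '
    /not found/ { print "unresolved: " $1 > "/dev/stderr"; bad = 1; next }
    { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }  # absolute paths only
    END { exit bad + 0 }                 # exit 1 if any library was unresolved
    '
}

copy_into_jail() {   # hypothetical helper; $1 is the jail root, paths on stdin
    jail=$1
    while IFS= read -r lib; do
        mkdir -p "$jail$(dirname "$lib")" || return 1
        cp -L "$lib" "$jail$lib" || return 1   # -L copies the file a symlink points to
    done
}

sample_ldd() {       # constructed ldd output, not captured from a real system
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffc0a5f2000)
    libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x00007f3a1c000000)
    /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007f3a1c400000)
EOF
}

sample_ldd | ldd_paths
# Real use: collect the list first so a parser failure prevents the copy.
#   libs=$(ldd /usr/bin/nginx | ldd_paths) && printf '%s\n' "$libs" | copy_into_jail "$JAIL"
```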

CA certificates

I would suggest adding a comment about tls-ca-bundle.pem file that should be made available from chroot jail. I was running mantis on installation described in this wiki and found out emails have not been working. After making tls-ca-bundle.pem available everything is working again.

Gregosky (talk) 22:23, 3 February 2015 (UTC)Gregosky

PHP garbage collector (session files removal) in chrooted environment

I noticed session files are not being removed automatically when running nginx from chrooted configuration. If left unmaintained, /srv/http/tmp will grow in size and in time may even take down the whole server (if /srv does not reside within a separate file system).

Gregosky (talk) 23:29, 28 April 2015 (UTC)Gregosky