PHP-FPM
Who's this?
Tom Adam
Developer / Director at Instantiate
http://instantiate.co.uk
WHat is FPM?
- FastCGI Process Manager
- Runs as a service
- TCP / socket connection
- Independent pools
- Dynamically manages workers
- Status output
- Slow log
Why should I use it?
Apache
- Allows non thread safe MPM's
- Separation between PHP and Apache
- Opcode caches work
- Security, configurability and simplicity
Nginx
- You aren't using a FCGI wrapper, are you?
Apache and FPM
Still using 2.2?
- mod_fcgid
- mod_proxy + mod_proxy_fcgi
- mod_fastcgi
2.4
- mod_proxy + mod_proxy_fcgi
Apache and FPM
mod_fcgid
- Is a process manager itself
- Not suited to connecting to FPM
APACHE and FPM
mod_proxy + mod_proxy_fcgi
- Needs compiled
- Deps not listed
- Must be patched for 2.2
- Unsupported and ancient
- Faster than mod_fastcgi
APACHE and FPM
mod_fastcgi
- Needs compiling
- Ancient and unsupported
- Bloated by a process manager
- Sketchy license
APACHE and FPM
Apache 2.4 + mod_proxy + mod_proxy_fcgi
- Supported by ASF
- Current
- Bolt on module
- High performance
Nginx and FPM
- Built in module
- Fully supported
- Don't follow the guides online
NGINX and FPM
Security issue
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
}Request: /uploads/death.jpg/something.php
PHP's fix_pathinfo splits this into:
SCRIPT_FILENAME = /uploads/death.jpg
PATH_INFO = /something.phpSo death.jpg is executed as a script!
NGINX and FPM
Security issue
Fix options:
- Disable cgi.fix_pathinfo
- Change the way Nginx splits paths:
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
} Use PHP 5.4's security.limit_extensions.
Performance
Questions?
PHP-FPM
By tomadam
