NGINX FastCGI
Unlike other web servers, nginx(8) does not offer a built-in FastCGI implementation.
PHP-FPM
First install and configure PHP-FPM.
nginx(8) just needs to be configured to proxy requests.
location ~ \.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    try_files $uri =404;
    fastcgi_pass localhost:9000;
    include fastcgi_params;
}
To use a Unix socket to pass requests, try fastcgi_pass unix:/run/php-fpm/php-fpm.sock;.
Hardening
A common tactic for hardening a FastCGI program is to run php-fpm(8) in a different working directory.
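This can lead to issues with the try_files directive, which checks for the existence of a file before responding to a request. On success it overwrites the $uri variable with the local URI. The check is a mitigation for embedded PHP attacks, but it looks for the file in the nginx(8) web root, so it fails when the scripts exist only in the PHP working directory.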
A workaround is to create empty files in the web root to satisfy try_files.
location ~ \.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param SCRIPT_FILENAME /path/to/php/working/directory/$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    try_files $uri =404;
    fastcgi_pass localhost:9000;
    include fastcgi_params;
}
Alternatively, replace try_files with a custom instruction.
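location ~ \.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    # Reject the request unless the script is a regular file under the web root.
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }
    # Remaining directives are the same as in the previous block.
    fastcgi_param SCRIPT_FILENAME /path/to/php/working/directory/$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass localhost:9000;
    include fastcgi_params;
}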
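
The following is an added example, not part of the original page or of nginx itself: a small Python model of the location block above, showing which request URIs the existence check lets through to PHP-FPM and how the split regex sets the script name and PATH_INFO. The web root contents and request URIs are constructed, and the function names are hypothetical.

```python
import os
import re
import tempfile

# Regexes copied from the page's location block and fastcgi_split_path_info.
LOCATION_RE = re.compile(r"\.php(/|$)")
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")


def split_path_info(uri):
    """Return (script_name, path_info) the way fastcgi_split_path_info sets them."""
    m = SPLIT_RE.match(uri)
    if m:
        return m.group(1), m.group(2)
    # No match: the script name stays the whole URI and PATH_INFO is empty.
    return uri, ""


def decide(document_root, uri):
    """Model the location: 'static' (not matched), 404, or the FastCGI params."""
    if not LOCATION_RE.search(uri):
        return "static"
    script_name, path_info = split_path_info(uri)
    # Equivalent of: if (!-f $document_root$fastcgi_script_name) { return 404; }
    if not os.path.isfile(document_root + script_name):
        return 404
    return {"SCRIPT_NAME": script_name, "PATH_INFO": path_info}


def demo():
    """Build a constructed web root and classify constructed request URIs."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        for name in ("index.php", "uploads/photo.jpg"):
            open(os.path.join(root, name), "w").close()  # empty placeholder files
        uris = ["/index.php", "/index.php/a/b", "/uploads/photo.jpg",
                "/uploads/photo.jpg/x.php", "/missing.php"]
        return {uri: decide(root, uri) for uri in uris}


if __name__ == "__main__":
    for uri, result in demo().items():
        print(f"{uri:28} -> {result}")
```

The placeholder files are empty, which is why the workaround of creating empty files in the web root is enough to satisfy the check.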