Jump to content


Photo

ProcessWire on NGINX


  • Please log in to reply
25 replies to this topic

#1 jose

jose

    Jr. Member

  • Members
  • PipPip
  • 20 posts
  • 3

Posted 24 June 2011 - 11:15 AM

Hello Everyone,

Sorry that I have not been on the forums much of late.  As my development team moves to use ProcessWire as our main cms tool for clients.  We have needed to make sure that ProcessWire works on nginx platform.  We use both apache and nginx, we found as many already have that nginx is faster and easier to configure.  It scales well and when you really need speed it is a great solution.

Anyways with all that being said ProcessWire was surprisingly easy to configure for nginx and did not require adding or modifying any code. Using the same "try_files"  directives used for Wordpress and Dupral I was able to run it under nginx, here is a sample config:

upstream php {
        server unix:/tmp/php-cgi.socket;
        server 127.0.0.1:9000;
}

server 
{
    listen       80;
    server_name  hostname;

    root   /websites/path/to/processwire;
    index index.php;

    try_files $uri $uri/ /index.php?it=$uri&$args;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi.conf;
        fastcgi_intercept_errors on;
        fastcgi_pass php;
    }
}

There are a few things that still need to be done like protecting the wire and certain directories like assets but so far everything looks to be working correctly. 

If ProcessWire has a test suite, I could run it against this server to see if everything is functioning properly. I think that advertising the fact that ProcessWire works under nginx would greatly help to attract more eyes to the project(not that it isn't doing great already) and to give options to hosting and scalability. If you would like help working on this for official support of the platform, perhaps with adding detection algorithms to the install or anything else that is needed, I would be glad to help.  Anyways I hope someone finds this post useful.


#2 ryan

ryan

    Reiska

  • Administrators
  • 7,779 posts
  • 6511

  • LocationAtlanta, GA

Posted 24 June 2011 - 08:34 PM

Jose,
Thanks so much for your efforts here. We would definitely appreciate your help in getting official nginx support for PW. I don't have experience with nginx, but your post makes me want to try it out. For starters, I will update our site next week to cross reference your info here so it'll be easy for others to find, and let me know what else I can do to provide better support for nginx. You'd mentioned the installer, but I'm not exactly sure what to detect--I think I need to get nginx installed on my dev server. I look forward to the next steps here.

Thanks!!
Ryan

#3 Adam Kiss

Adam Kiss

    Master of the universe

  • Moderators
  • 1,129 posts
  • 327

Posted 25 June 2011 - 03:48 PM

Ryan, I think that information like this (and installin PW under IIS likewise) should not be linked from page to forums; we should ask autors to rewrite this 'tips' into installing on different server notes. just btw :) Thanks, Jose :)

#4 jose

jose

    Jr. Member

  • Members
  • PipPip
  • 20 posts
  • 3

Posted 29 June 2011 - 02:20 AM

Ryan,

I think that you will like nginx a whole lot.  It is light weight, easy to use, asynchronous, over all a great piece of software.  That's not to knock apache at all since we still use apache and it is rock solid.

If you want to play with it quickly I recommend a virtual machine, either hosted like on cloudserver by rackspace(just started using this service and so far I am happy with it) or fire up virtual box or vmware and install debian linux(squeeze).  With a basic install add the dotdeb repositories and install these packages

apt-get install nginx php5-mysql php5-fpm php5-gd postfix mysql-server

Install postfix as an internet site/with direct delivery and keep all defaults.

Once everything is installed you can edit and create the configuration files /etc/nginx/sites-available and sites-enabled directories.

A simple start of nginx server
/etc/init.d/nginx start

and your off and running.

There is a lot of great documentation out there this is just meant to peak your appetite for nginx.

As far as the install is concerned, the are 2 areas:

1)  .htaccess file is not supported under nginx the fact that its not there should not fire off an error (perhaps a warning) if we are not under apache.

2) rewrite module detection, again not needed for nginx, perhaps a warning instead of an error.  I am sure we can detect nginx with the simple $_SERVER['SERVER_SOFTWARE'] global. 

Other then that ProcessWire seems to install and work perfectly under nginx. I will be updating the rewrite rules for nginx to exclude the core folder from direct access when I get closer to deployment of 3 projects we are building with ProcessWire.

I would tend to agree that a more formal documentation would be better then relying on a forum, you never know what can happen to a forum.  I would be glad to help write formal configuration documentation as well as help write the detection code in the installer.  I am excited to see this project moving forward so well and hope to be a consistent contributer and community member.  Thanks again for all your efforts.


#5 ryan

ryan

    Reiska

  • Administrators
  • 7,779 posts
  • 6511

  • LocationAtlanta, GA

Posted 29 June 2011 - 09:29 AM

Thanks for these instructions Jose, I will definitely have to give this a try sometime. I've been running on entry-level VPSs for a long time, and something that uses less resources than Apache could actually be very useful in this environment.

I would appreciate your help in writing the formal documentation for install under nginx and making the installer more nginx friendly. It sounds like what we should do is have the installer suppress a couple of it's error messages if it detects nginx as the server software. If you can send me the output of this from an nginx server sometime, this may help:

<?php print_r($_SERVER);

I think adding a page a formal documentation to the site would be great, so lets plan on that, and I'll definitely take you up on your offer to help write it.

I will be updating the rewrite rules for nginx to exclude the core folder from direct access when I get closer to deployment of 3 projects we are building with ProcessWire.


For security, there are actually quite a few things that you need to block access to. It's important that http access be blocked to all of these:

  • *.module
  • *.cache
  • /wire/core/*.php and *.inc
  • /wire/modules/*.php and *.inc (and all dirs below)
  • /site/modules/*.php and *.inc (and all dirs below)
  • /site/templates/*.php and *.inc (and all dirs below)
  • /site/templates-admin/*.php and *.inc
  • /wire/templates-admin/*.php and *.inc
  • /site/assets/*.php (and all dirs below)
  • /site/assets/cache/* everything
  • /site/assets/logs/* everything
  • /site/assets/sessions/* everything
  • /site/assets/backups/* everything
  • /site/assets/config/* everything
  • /site/assets/install/* everything
  • /site/install/* (and all dirs below)
  • /site/config.php

Lastly, the server should not pass the request to ProcessWire if the URL doesn't match this pattern:

-_.a-zA-Z0-9/

If the URL contains anything other than those characters (and ranges), the server should not send the request to PW. (excluding query strings, which aren't a consideration). Let me know if this is not possible in nginx for some reason, as it may still be okay since PW sanitizes this too. But this can really help with keeping out a lot of junk/bot/exploratory traffic.


#6 diogo

diogo

    Hero Member

  • Moderators
  • 2,882 posts
  • 2274

  • LocationPorto, Portugal

Posted 15 October 2011 - 08:10 PM

Anything new on this subject? Apparently nginx is really faster and less ram consuming than apache.

#7 ryan

ryan

    Reiska

  • Administrators
  • 7,779 posts
  • 6511

  • LocationAtlanta, GA

Posted 17 October 2011 - 08:18 AM

I haven't heard any more on it here. What environments are people using it in? Is this something used by any hosting providers, or just something one would use on their own dedicated server? Just wondering what might be the best way for me to get a test environment going sometime in the future.

#8 diogo

diogo

    Hero Member

  • Moderators
  • 2,882 posts
  • 2274

  • LocationPorto, Portugal

Posted 17 October 2011 - 08:56 AM

I'm asking because I was reading some tutorials and advices for installing the server on Linode, and there are lots of people using nginx instead of apache. they advice it especially for vps plans with less ram. It also seems like a growing number of people are using it, might be worth to have a look.

The configuration for php applications doesn't look too complicated. here is an example for joomla http://docs.joomla.org/Nginx, and here you can find some more applications http://wiki.nginx.org/Configuration

and here is a primer http://blog.martinfj...7/nginx-primer/


#9 ryan

ryan

    Reiska

  • Administrators
  • 7,779 posts
  • 6511

  • LocationAtlanta, GA

Posted 17 October 2011 - 09:18 AM

Thanks those looks should be helpful, I will take a closer look soon. It sounded to me like Jose had things working well with nginx, though I never did hear back about the directories that needed to be blocked and rewrite rules that need to be maintained for security. I'm guessing that will be a relatively simple solution, but would want to make sure those issues are covered before running it.

#10 neildaemond

neildaemond

    Sr. Member

  • Members
  • PipPipPipPip
  • 123 posts
  • 32

  • LocationHong Kong

Posted 23 May 2012 - 09:30 PM

I too am thinking about switching to ngynx, can't wait to see the full documentation on this! But I'll tinker as well and report back what I find.

#11 netcarver

netcarver

    Hero Member

  • Members
  • PipPipPipPipPip
  • 526 posts
  • 483

  • LocationUK

Posted 24 May 2012 - 02:55 AM

Coincidentally, I started looking at this last night and found these...I hope to try PW out on nginx in a virtual machine tonight.
Steve ☧

#12 netcarver

netcarver

    Hero Member

  • Members
  • PipPipPipPipPip
  • 526 posts
  • 483

  • LocationUK

Posted 25 May 2012 - 06:59 PM

Update: I now have PW running on nginx. It took a little longer than expected & I'll post more when I've investigated it further.
Steve ☧

#13 recyclerobot

recyclerobot

    Distinguished Member

  • Members
  • Pip
  • 9 posts
  • 5

Posted 30 May 2012 - 08:01 AM

Update: I now have PW running on nginx. It took a little longer than expected & I'll post more when I've investigated it further.

Hi Netcarver, I'm currently transferring some PW projects to a nginx server, can you give some more details about important steps to make this less painfull? :)

#14 netcarver

netcarver

    Hero Member

  • Members
  • PipPipPipPipPip
  • 526 posts
  • 483

  • LocationUK

Posted 30 May 2012 - 03:51 PM

Hi recyclerobot,

I don't know if this will help but here's a quick rundown of what I did to get this working.

I setup a new Ubuntu 12.04 64-bit server in a fresh virtual machine & configured it as an SSH server with a static IP address (Actually, I just cloned one I'd prepared for something else). Then I followed this HowToForge tutorial about installing nginx + mysql + php-fpm. Only thing I did different to the linked tutorial was that I setup APC instead of Xcache.

Following that I installed vim-nox, git & phpmyadmin and then created a new DB and DB user for ProcessWire to use. I then did a git clone into /usr/share/nginx/www/pw and added an entry to /etc/hosts called "pw-nginx.test" and also setup this config file in /etc/nginx/sites-available/pw-nginx.test ...

server {
		listen 80;
		server_name pw-nginx.test;
		root /usr/share/nginx/www/pw;
		index index.php;
		try_files $uri /index.php?it=$uri&$args;
		location ~ \.php$ {
				fastcgi_split_path_info ^(.+\.php)(/.+)$;
				include fastcgi_params;
				fastcgi_index index.php;
				fastcgi_intercept_errors on;
				fastcgi_pass unix:/tmp/php5-fpm.sock;
		}
		location ~ /\.ht {
				deny all;
		}
}

That's about as bare bones as I could make it.

Next, I created a symlink to this file in /etc/nginx/sites-enabled, reloaded nginx and pointed my browser at pw-nginx.test (I had to add pw-nginx.test to /etc/hosts on my client box too) and I saw the ProcessWire installation page. You may need to fix any permission issues and definitely ignore the warning about .htaccess problems in order to install ProcessWire.

Well, to cut a long story short, ProcessWire installed fine and, as far as I can tell, the admin and public interfaces work correctly too.

But note this: This configuration is totally insecure. All the protected assets that Ryan posted about above (except for the .htaccess file) are accessible from publicly accessible URLs. As I'm new to nginx, I've not had time to lock down what I posted above.

All the above is from memory and I may have missed something. If something occurs to me, I'll update the above.

Anyway, hope that helps.
Steve ☧

#15 recyclerobot

recyclerobot

    Distinguished Member

  • Members
  • Pip
  • 9 posts
  • 5

Posted 01 June 2012 - 01:12 PM

server {
		listen 80;
		server_name pw-nginx.test;
		root /usr/share/nginx/www/pw;
		index index.php;
		try_files $uri /index.php?it=$uri&$args;
		location ~ \.php$ {
				fastcgi_split_path_info ^(.+\.php)(/.+)$;
				include fastcgi_params;
				fastcgi_index index.php;
				fastcgi_intercept_errors on;
				fastcgi_pass unix:/tmp/php5-fpm.sock;
		}
		location ~ /\.ht {
				deny all;
		}
}

That's about as bare bones as I could make it.


Hi Netcarver, thx so much for your help, managed to get it up and running, now testing a nginx in the cloud with assets on an amazon S3 and shared database, that should give me enough breathing room to let this baby grow :)

#16 Miguel

Miguel

    Newbie

  • Members
  • Pip
  • 6 posts
  • 1

Posted 03 October 2012 - 01:01 PM

Hi, there
I run pw on nginx too, here you are my $0.02
When I was setting up pw I got a page with the error "No input file specified" which I think served to me not nginx, but a php engine.

I solved that by adding this line to the location block in nginx site config:
fastcgi_param SCRIPT_FILENAME /path/to/processwire/root/folder/$fastcgi_script_name;

#17 k07n

k07n

    Distinguished Member

  • Members
  • PipPipPip
  • 62 posts
  • 55

  • LocationSamara, Russia

Posted 17 December 2012 - 01:18 AM

Hi! Can anyone share config with "security section"?
thx
Necessity is the mother of invention.

#18 neildarlow

neildarlow

    Newbie

  • Members
  • Pip
  • 4 posts
  • 14

Posted 17 December 2012 - 02:58 PM

Hi,

I use ProcessWire under NGiNX on both FreeBSD for production and Fedora for development. My security configuration is as follows:

	    ### SECURITY - Protect crucial files
	    location ~ /\. {
		    deny  all;
	    }
	    location ~ /(COPYRIGHT|LICENSE|README|htaccess)\.txt {
		    deny  all;
	    }
	    location ~ ^/site(-[^/]+)?/assets/(.*\.php|backups|cache|config|install|logs|sessions) {
		    deny  all;
	    }
	    location ~ ^/site(-[^/]+)?/install {
		    deny  all;
	    }
	    location ~ ^/(site(-[^/]+)?|wire)/(config(-dev)?|index\.config)\.php {
		    deny  all;
	    }
	    location ~ ^/((site(-[^/]+)?|wire)/modules|wire/core)/.*\.(inc|module|php|tpl) {
		    deny  all;
	    }
	    location ~ ^/(site(-[^/]+)?|wire)/templates(-admin)?/.*\.(inc|html?|php|tpl) {
		    deny  all;
	    }

I can share rewriting and php-fpm configuration also if required.

Regards,
Neil Darlow

#19 k07n

k07n

    Distinguished Member

  • Members
  • PipPipPip
  • 62 posts
  • 55

  • LocationSamara, Russia

Posted 18 December 2012 - 03:12 AM

Thanks for the reply!

I can share rewriting and php-fpm configuration also if required.


I think it will be very useful.
Necessity is the mother of invention.

#20 neildarlow

neildarlow

    Newbie

  • Members
  • Pip
  • 4 posts
  • 14

Posted 18 December 2012 - 03:42 AM

Hi,

This is a complete server configuration block for NGiNX communicating with php-fpm.

There are a few things that will require customisation:
  • server_name
  • root
  • access_log and error_log
  • fastcgi_pass - socket or TCP specification
  • configuration blocks relating to 40x and 50x error handling
Note the use of fastcgi_param HTTP_MOD_REWRITE On; which quiets an installer error about requiring mod_rewrite. You might also want to copy htaccess.txt to .htaccess in the ProcessWire top-level directory.
    server {
	    listen	    80 default_server;
	    server_name   localhost localhost.localdomain;
	    index		 index.php index.html;
	    root		  /var/www/html;
	    access_log    /var/log/nginx/access.log  main;
	    error_log	 /var/log/nginx/error.log  notice;
	    default_type  application/x-php;

	    ### SECURITY - Protect crucial files
	    location ~ /\. {
		    deny  all;
	    }
	    location ~ /(COPYRIGHT|LICENSE|README|htaccess)\.txt {
		    deny  all;
	    }
	    location ~ ^/site(-[^/]+)?/assets/(.*\.php|backups|cache|config|install|logs|sessions) {
		    deny  all;
	    }
	    location ~ ^/site(-[^/]+)?/install {
		    deny  all;
	    }
	    location ~ ^/(site(-[^/]+)?|wire)/(config(-dev)?|index\.config)\.php {
		    deny  all;
	    }
	    location ~ ^/((site(-[^/]+)?|wire)/modules|wire/core)/.*\.(inc|module|php|tpl) {
		    deny  all;
	    }
	    location ~ ^/(site(-[^/]+)?|wire)/templates(-admin)?/.*\.(inc|html?|php|tpl) {
		    deny  all;
	    }

	    ### GLOBAL REWRITE
	    location / {
		    try_files  $uri  $uri/  /index.php?it=$uri&$args;
	    }

	    # pass the PHP scripts to FastCGI server on local socket
	    #
	    location ~ .+\.php((/|\?).*)?$ {
		    fastcgi_pass					 unix:/run/php-fpm/php-fpm.sock;
		    fastcgi_index				    index.php;
		    fastcgi_split_path_info		  ^(.+\.php)(.*)$;
		    fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
		    fastcgi_param  PATH_INFO		 $fastcgi_path_info;
		    fastcgi_param  HTTP_MOD_REWRITE  On;
		    include  fastcgi_params;
	    }
	    # redirect server error pages to the static page /40x.html
	    #
	    error_page  404  /404.html;
	    location = /40x.html {
		    root  /usr/share/nginx/html;
	    }
	    # redirect server error pages to the static page /50x.html
	    #
	    error_page   500 502 503 504  /50x.html;
	    location = /50x.html {
		    root  /usr/share/nginx/html;
	    }
    }

In the php-fpm configuration you need to specify unix socket or TCP connection parameters and possibly the chdir setting. These are distribution-dependent values and you will need to determine the correct values for your scenario.

My configuration is as follows:
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
;						    a specific port;
;   'port'				 - to listen on a TCP socket to all addresses on a
;						    specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
;listen = 127.0.0.1:9000
listen = /run/php-fpm/php-fpm.sock

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
;				 mode is set to 0666
listen.owner = nginx
listen.group = nginx
listen.mode = 0660

; Chdir to this directory at the start. This value must be an absolute path.
; Default Value: current directory or / when chroot
chdir = /var/www/html

Please note that I researched these configurations and the preceeding security configuration from original documentation. I did not rely on howtos available on the Internet. Each has been carefully implemented and undergone significant testing before going into production.

Regards,
Neil Darlow




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users