nginx for SilverStripe

Philipp Krenn, @xeraa

GSoC student 2007 Book 2011 GSoC mentor 2012 SilverStripe Austria
meetup

there's this russian server nginx. all the porn sites use
it. it must be decent. 1 Jonathan Vanasco, http://www.destructuring.net/2006/10/09/nginx/

Subversion vs Git

I only believe in statistics that I doctored myself. (Winston
Churchill) http://w3techs.com/technologies/ cross/web_server/ranking

Apache is like Microsoft Word, it has a million options
but you only need six.

nginx does those six things, and it does five of
them 50 times faster than Apache. 1 Chris Lea, http://maisonbisson.com/post/12249/chris- lea-on-nginx-and-wordpress/

Public launch in 2004 by Igor Sysoev http://www.rambler.ru BSD licensed
(two-clause)

Stable 1.6.2, Preview 1.7.6 C, cross-platform Commercial support from Nginx
Inc.

Features Load balancer Reverse proxy TLS/SSL (SNI), SPDY,... support

Users WordPress.com app server + load balancer Static content on
GitHub SSL termination Wikipedia

nginx is a lightweight event-driven reverse proxy for web and
mail services. 1 http://nginx.org

Great! But...

...it doesn't work the Apache way For example .htaccess

Performance For every request, check every directory, read and parse
every file Changes effective immediately

Example http://example.com/assets/Uploads/ gallery/image.jpg

Apache Thread / process-oriented Spawn a process for each connection
(1MB+ RAM) Apache 2.4 multi-process mode reduces memory usage

Problem 200KB response Milliseconds to generate or retrieve 10s to
transmit at 160kbps (20KB/s) 1000 connections :(

it's time for web servers to handle ten thousand clients
simultaneously 1 Daniel Kegel

C10K challenge nginx solution: Event- driven architecture

Event-driven Single nonblocking thread (one process per core) — node.js,
Redis,... Stable memory usage, no context switches

Event-driven Receive request, trigger events in a process Process handles
events, returns output http://en.wikipedia.org/wiki/Reactor_pattern

http://www.aosabook.org/en/nginx.html#fig.nginx.arch

However... PHP is blocking node.js isn't — similar to nginx

Details "The Architecture of Open Source Applications" http://www.aosabook.org/en/ nginx.html

PHP-FPM FastCGI Process Manager, included in PHP 5.3.3+ Standalone process
like MySQL, Memcached,...

Install (Ubuntu) $ sudo apt-get update && sudo apt-get install
nginx php5-fpm -y

Base nginx http { include mime.types; default_type application/octet-stream; access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log debug; sendfile on; keepalive_timeout 65; gzip on;

SilverStripe projects server { root /Users/philipp/Sites/silverstripe-30; server_name silverstripe-30.local; include _silverstripe3;
} server { root /Users/philipp/Sites/silverstripe-31; server_name silverstripe-31.local; include _silverstripe3; }

_silverstripe3 error_page 404 /assets/error-404.html; error_page 500 /assets/error-500.html; location ~* ^.+.(htm|html|jpg|jpeg|gif|png|svg|ico|css|
zip|tgz|gz|rar|bz2|doc|docx|xls|xlsx|pdf| ppt|pptx|txt|tar|mid|midi|wav|bmp|rtf|js)$ { access_log off; expires max; }

_silverstripe3 location ~* \.php$ { fastcgi_keep_conn on; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass
unix:/var/run/php-fpm.sock; fastcgi_index index.php; include fastcgi.conf; fastcgi_read_timeout 120; fastcgi_connect_timeout 60; fastcgi_send_timeout 120; fastcgi_buffer_size 64k; fastcgi_buffers 4 65k; fastcgi_busy_buffers_size 128k; }

_silverstripe3 location / { try_files $uri @silverstripe; } location @silverstripe
{ fastcgi_keep_conn on; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php-fpm.sock; fastcgi_index index.php; include fastcgi.conf; fastcgi_read_timeout 120; fastcgi_connect_timeout 60; fastcgi_send_timeout 120; fastcgi_buffer_size 64k; fastcgi_buffers 4 65k; fastcgi_busy_buffers_size 128k; fastcgi_param SCRIPT_FILENAME $document_root/framework/main.php; fastcgi_param SCRIPT_NAME /framework/main.php; fastcgi_param QUERY_STRING url=$uri&$args; }

_silverstripe3 # CMS & Framework .htaccess rules location ~ ^/(cms|framework|mysite)/.*\.(php|php[345]|phtml|inc)$
{ deny all; } location ~ ^/(cms|framework)/silverstripe_version$ { deny all; } location ~ ^/framework/.*(main|static-main|rpc|tiny_mce_gzip)\.php$ { allow all; }

_silverstripe3 # Don't execute scripts in the assets folder location
^~ /assets/ { sendfile on; try_files $uri $uri/ =404; } location ~ ^/silverstripe-cache { deny all; } location ~ ^/logs { deny all; }

_silverstripe3 location ~ ^/(vendor|composer.json|composer.lock) { deny all; } location ~
\.yml$ { deny all; } location ~ \.ss$ { satisfy any; allow 127.0.0.1; deny all; } location ~ /\. { deny all; }

Show me some benchmarks

http://wiki.dreamhost.com/ Web_Server_Performance_Comparison 25,000 requests, 5KB PNG $ ab -n 25000
-c 50 http://example.com/ logo.png Concurrency 50, 100, 500, 1000, 1500, 2000, 2500, 3000

Benchmark your projects Build Benchmark Repeat

Solution? Is this your bottleneck? Could you configure Apache to
be fast (enough)? Is PHP-FPM the solution?

Nevertheless...

Questions?

PS: PHP Secure Configuration Checker

https://github.com/sektioneins/pcc SektionEins (Suhoshin) PHP 5.4+ BSD license

Security checks Critical: Fix this NOW Example: Register globals

Security checks High: You should really look at this Example:
Allow URL fopen

Security checks Medium: This might be a problem Example: Display
errors on

Security Checks Low: Boring stuff Example: Execution time > 300s

Security checks Maybe: Not sure, check manually Example: Memory limit
> 128MB

Security checks Comment: Just mentioning it Example: Upload max filesize
is the default (8MB)

Modes CLI Web

Web security 127.0.0.1 mtime < 2d

How good / bad are the Ubuntu 14.04 defaults? nginx
+ PHP-FPM

Give it a try https://github.com/xeraa/ppc-test Vagrant — more tomorrow

Conclusion: Simple but gets the job done

nginx for SilverStripe

nginx for SilverStripe

More Decks by Philipp Krenn

Other Decks in Programming

Featured

Transcript