<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Disqus - Latest Comments for chrismeller</title><link>http://disqus.com/by/chrismeller/</link><description></description><atom:link href="http://disqus.com/chrismeller/comments.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Thu, 30 Mar 2017 19:56:10 -0000</lastBuildDate><item><title>Re: Creating and Managing SSL Certificates With Nginx</title><link>http://blog.chrismeller.com/creating-and-managing-ssl-certificates-with-nginx#comment-3232474025</link><description>&lt;p&gt;That directory contains your SSL private key, which should be kept secret. If anyone else were to get ahold of it they could decrypt your SSL traffic, host a fake site, etc.&lt;/p&gt;&lt;p&gt;That command sets the permissions on the directory and all the files in it so that the owner (root, if you were following the command above it) can read and write to them, but no one else has any access at all. It's preventing someone else with a user account on the box, but without root access, from reading the keys.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Thu, 30 Mar 2017 19:56:10 -0000</pubDate></item><item><title>Re: Getting PHP HTTPS-Detection Working in Nginx</title><link>http://blog.chrismeller.com/getting-php-https-detection-working-in-nginx#comment-1796214948</link><description>&lt;p&gt;That completely depends upon how your server is configured and what OS you're running Nginx on. As you can see it's in the `server` block of your vhost config. 
You'll have to track that down on your own (though mine are all in /etc/nginx/sites-available that is purely my convention and may not be true of yours).&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Fri, 16 Jan 2015 13:55:01 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1782862873</link><description>&lt;p&gt;If you've got multiple FPM pools (say to protect the resources of one site from another) then you would logically have multiple listeners (either sockets or ports) that Nginx would need to relay traffic to. So in that case you'd definitely need multiple upstreams.&lt;/p&gt;&lt;p&gt;One error I see in your example is that you've named both the upstreams "php". Remember that those need to be unique as well, so Nginx knows which upstream you're telling it to use.&lt;/p&gt;&lt;p&gt;Now the real question is... should you do this? I don't, but that's because I run a very small VPS that only hosts my own personal sites. If one of them gets clobbered it's probably going to take the entire server down anyway, so there's no point in adding the extra overhead to use multiple FPM pools (since each pool would have its own set of processes listening and its own pm.min_spare_servers).&lt;/p&gt;&lt;p&gt;I probably *would* recommend using multiple pools if you're hosting independent client sites, though. Giving each one their own set of processes can definitely help make sure that they're less vulnerable to one site killing everything. Just remember that all that "how many processes can I run with the amount of RAM I have?" 
math will get a lot more complicated.&lt;/p&gt;&lt;p&gt;You would also obviously need multiple upstreams (though they'd be using ports, not sockets) if you had Nginx sitting in front of more than one backend server that ran FPM (rather than running FPM on the same box as Nginx), but that opens up a whole different can of worms we won't go into.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Fri, 09 Jan 2015 12:58:48 -0000</pubDate></item><item><title>Re: Amazon CloudFront vs. Rackspace Cloud Files CDN Performance</title><link>http://blog.chrismeller.com/amazon-cloudfront-vs-rackspace-cloudfiles-cdn-performance#comment-1639268820</link><description>&lt;p&gt;Do you have any thoughts on the best way to test the initial "cache miss" scenario? To properly test it seems like I would need to automate a series of pushes of new versions / different files regularly over the monitoring period, then link those up with the stats again on the backend for reporting, which may take a little more effort than I'm willing to put in.&lt;/p&gt;&lt;p&gt;I'm also not sure there's any real way for an outsider to tell how many edge servers exist or which is being used for a given request, so I don't think there's any way to measure the "reach" of each CDN.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Thu, 16 Oct 2014 13:16:46 -0000</pubDate></item><item><title>Re: Creating and Managing SSL Certificates With Nginx</title><link>http://blog.chrismeller.com/creating-and-managing-ssl-certificates-with-nginx#comment-1632632454</link><description>&lt;p&gt;Yes, 4096 will be slower than 2048, just as 2048 was slower than 1024. 
No one in their right mind would advocate using a 1024 bit key simply because it's faster, though.&lt;/p&gt;&lt;p&gt;Unless you're running a large CDN, I'd say that the SSL overhead is such a small fraction of the load on your servers that the size of the key is not going to be a determining factor in any performance metric. One database connection is going to involve way more latency and far more resources than the extra 2048-bits in the SSL process.&lt;/p&gt;&lt;p&gt;I'm not sure what you're asking in regards to self-signed certs.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Sun, 12 Oct 2014 21:15:18 -0000</pubDate></item><item><title>Re: Amazon CloudFront vs. Rackspace Cloud Files CDN Performance</title><link>http://blog.chrismeller.com/amazon-cloudfront-vs-rackspace-cloudfiles-cdn-performance#comment-1624267525</link><description>&lt;p&gt;I've considered re-running it, but haven't. You've kind of piqued my interest, so I might... but no promises.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Tue, 07 Oct 2014 17:45:42 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1367362176</link><description>&lt;p&gt;You've already got an instance of FPM running, then. Running `ps aux | grep -i php` should show you. 
I wouldn't be able to tell you how another is running, but that's your problem.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Fri, 02 May 2014 20:11:16 -0000</pubDate></item><item><title>Re: Get Your GitHub Issues as an RSS Feed</title><link>http://blog.chrismeller.com/get-your-github-issues-as-an-rss-feed#comment-1346400453</link><description>&lt;p&gt;You should be able to easily clone the Yahoo Pipe and use this Github API endpoint to get just pull requests: &lt;a href="https://developer.github.com/v3/pulls/#list-pull-requests" rel="nofollow noopener" target="_blank" title="https://developer.github.com/v3/pulls/#list-pull-requests"&gt;https://developer.github.co...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Sat, 19 Apr 2014 13:08:23 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1340946784</link><description>&lt;p&gt;I use a redirect to SSL in two different ways depending on the goal.&lt;/p&gt;&lt;p&gt;In one instance, I want all requests to end up on SSL. So for &lt;a href="http://www.example.com" rel="nofollow noopener" target="_blank" title="http://www.example.com"&gt;http://www.example.com&lt;/a&gt; everything should end up at &lt;a href="https://www.example.com" rel="nofollow noopener" target="_blank" title="https://www.example.com"&gt;https://www.example.com&lt;/a&gt;. 
In that case, I simply set up a barebones vhost for the non-SSL version: &lt;a href="https://gist.github.com/chrismeller/10912818" rel="nofollow noopener" target="_blank" title="https://gist.github.com/chrismeller/10912818"&gt;https://gist.github.com/chr...&lt;/a&gt;&lt;/p&gt;&lt;p&gt;If you're going to always redirect all requests to SSL, you should also look at including the Strict-Transport-Security header so modern browsers never try to hit the plain text version anyway.&lt;/p&gt;&lt;p&gt;If there are only certain requests that I want to ensure are SSL-protected, like the login and admin pages of a CMS where passwords might be seen, you can redirect only those requests: &lt;a href="https://gist.github.com/chrismeller/10912995" rel="nofollow noopener" target="_blank" title="https://gist.github.com/chrismeller/10912995"&gt;https://gist.github.com/chr...&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Here the vhost is otherwise the same as the example I gave in the guide, but if the path starts with admin or auth we want to make sure those are SSL requests.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Wed, 16 Apr 2014 13:53:40 -0000</pubDate></item><item><title>Re: Getting PHP HTTPS-Detection Working in Nginx</title><link>http://blog.chrismeller.com/getting-php-https-detection-working-in-nginx#comment-1338528263</link><description>&lt;p&gt;Good catch. In my &lt;a href="https://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian" rel="nofollow noopener" target="_blank" title="https://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian"&gt;newer guide&lt;/a&gt;, I actually include ssl on the listen directive, but I was still including the ssl on line as well. 
I've updated both posts, thanks for the heads up!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Tue, 15 Apr 2014 15:11:17 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1231517157</link><description>&lt;p&gt;Short answer: I put it in conf.d/php.conf&lt;br&gt;Long answer: Anywhere that nginx will include it. In my examples all the config files are in /etc/nginx/conf.d/ because those are the config files included by default. It doesn't actually matter what you name the file, just something that you will recognize (php seemed obvious to me).&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Wed, 05 Feb 2014 01:04:04 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1229108680</link><description>&lt;p&gt;Thanks, cakuki! That's a nice logical separation, if you need both types of listeners!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Mon, 03 Feb 2014 12:40:13 -0000</pubDate></item><item><title>Re: Another SC Data Breach</title><link>http://www.fitsnews.com/2013/12/28/another-sc-data-breach/#comment-1179879862</link><description>&lt;p&gt;Per the letter SCHIP sent out (I just happened to get one as a former subscriber who was included in the breach), the auditors found out about the breach on October 17th and notified SCHIP on October 21st. Why no one else was notified until two months later is anyone's guess.&lt;/p&gt;&lt;p&gt;I've already filed a FOIA request with the DOI asking for details. 
They claim not to have any information and haven't told me who would yet. I plan to follow up again on Monday.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Sat, 28 Dec 2013 23:01:19 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1177831855</link><description>&lt;p&gt;Can you check what OS (and version) and version of Nginx you're using that you had to add SCRIPT_FILENAME? I haven't had to add that manually in quite a while.&lt;/p&gt;&lt;p&gt;The socket extension has no special meaning beyond letting you know it's a socket when you list directory contents. If the default has changed you can change either it or your Nginx config, it's all good.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Thu, 26 Dec 2013 21:49:19 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1156089538</link><description>&lt;p&gt;The first error indicates that either Nginx or PHP-FPM is mis-configured. Check your Nginx php upstream to make sure the server directive is correct. More likely, you didn't set the listen directive in your PHP-FPM pool configuration "socket.conf" in my guide.&lt;/p&gt;&lt;p&gt;The latter errors are most likely because the default vhost configuration includes an incompatible `listen` directive. 
Double check all your vhosts and make sure they have the same `listen` directive.&lt;/p&gt;&lt;p&gt;If you can't find the problem, move into /etc/nginx and run `grep -ri "listen" .`, which should show you every file that might include the problem.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Mon, 09 Dec 2013 11:57:15 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1156027897</link><description>&lt;p&gt;Blindly, off the top of my head, with 0 details? I have no clue. Like any time you're troubleshooting, check your error log.&lt;/p&gt;&lt;p&gt;The main nginx log (as opposed to the vhost-specific ones you define in each config) is usually /var/log/nginx/error.log, which may contain more details.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Mon, 09 Dec 2013 11:13:55 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1153586138</link><description>&lt;p&gt;Like I said, it all depends on exactly what you're running. 
You should start off low, run your application for a while (even if it's just you stepping through it like a normal user for a while, possibly over a day or two), and then see how much memory each php-fpm process is occupying on your system (`ps aux | grep php` or similar).&lt;/p&gt;&lt;p&gt;After that, you need to divide out the amount of RAM you have left on your box (make sure to account for MySQL or any other background processes that you'll have running) and figure out the number of processes you can reasonably accommodate.&lt;/p&gt;&lt;p&gt;Without the exact error, I can't help with the "too many processes" error either.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Fri, 06 Dec 2013 20:10:50 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1131772194</link><description>&lt;p&gt;In the example he provides, FPM actually understands that the request is for random.gif, even if Nginx attempts to pass the request to it based on the ending of .php.&lt;/p&gt;&lt;p&gt;If you check your error.log file you'll see a response from FPM along the lines of: Access to the script '/whatever/public/random.gif' has been denied (see security.limit_extensions)&lt;/p&gt;&lt;p&gt;The security.limit_extensions pool option was added in PHP 5.3.9 and defaults to only including the extension .php, preventing exactly this problem. 
Since 5.3.9 was released almost two years ago (January, 2012) there's a pretty good bet most of us are fine (Ubuntu 12.04 LTS includes 5.3.10, but if you're still running 10.04 LTS you might have an issue).&lt;/p&gt;&lt;p&gt;For some inexplicable reason this isn't included in the PHP documentation, but the top comment on the page points it out: &lt;a href="http://php.net/manual/en/install.fpm.configuration.php#usernotes" rel="nofollow noopener" target="_blank" title="http://php.net/manual/en/install.fpm.configuration.php#usernotes"&gt;http://php.net/manual/en/in...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Wed, 20 Nov 2013 16:30:46 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-1077539598</link><description>&lt;p&gt;The Ubuntu and Debian defaults I've seen usually have a `gzip_disable msie` line, which is a faster version of the regex pattern most people stick in there: &lt;a href="http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable" rel="nofollow noopener" target="_blank" title="http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable"&gt;http://nginx.org/en/docs/ht...&lt;/a&gt;&lt;/p&gt;&lt;p&gt;If you don't have one you can simply add: gzip_disable msie; in your gzip.conf.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Thu, 10 Oct 2013 09:34:45 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-905747613</link><description>&lt;p&gt;I've actually just recently stopped using the PPA. It looks like it's not being updated as regularly as it used to be... 
But the official Nginx Debian / Ubuntu repository works fine. I'll update that soon.&lt;/p&gt;&lt;p&gt;As for the default config, you're probably correct. I may have accidentally skipped over removing that bit from the default config. That's what happens when you're writing a guide after the fact! I'm in the process of migrating some sites to a new box now (it's there, I just have to get around to configuring it!), so I'll be sure to give everything another run-through as I do and make any needed updates.&lt;/p&gt;&lt;p&gt;Thanks very much for the feedback!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Thu, 23 May 2013 08:02:03 -0000</pubDate></item><item><title>Re: Configuring and Optimizing PHP-FPM and Nginx on Ubuntu (or Debian!)</title><link>http://blog.chrismeller.com/configuring-and-optimizing-php-fpm-and-nginx-on-ubuntu-or-debian#comment-896957054</link><description>&lt;p&gt;The filenames for those pieces are the headings for each section (expires is in /etc/nginx/conf.d/expires.conf, for example). 
There is no block - all of those declarations are server-wide, and conf.d/*.conf gets included in the main nginx.conf in the `server` block.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Tue, 14 May 2013 07:45:29 -0000</pubDate></item><item><title>Re: Testing SNI Certificates With OpenSSL</title><link>http://blog.chrismeller.com/testing-sni-certificates-with-openssl#comment-837490123</link><description>&lt;p&gt;Per the &lt;a href="http://en.wikipedia.org/wiki/Server_Name_Indication#Libraries" rel="nofollow noopener" target="_blank" title="http://en.wikipedia.org/wiki/Server_Name_Indication#Libraries"&gt;SNI Wikipedia page&lt;/a&gt;, OpenSSL has supported SNI since 0.9.8f in October 2007 with a custom compile-time flag and 0.9.8j in January 2009 by default.&lt;/p&gt;&lt;p&gt;If things were back-ported for RHEL, you'd have to figure that out for yourself by checking the RedHat docs.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Thu, 21 Mar 2013 14:57:22 -0000</pubDate></item><item><title>Re: Boost your productivity: kill some variables in your life</title><link>http://franzisk.us/2013/02/18/boost-your-productivity-kill-some-variables-in-your-life/#comment-803147444</link><description>&lt;p&gt;What service do you use for the food shipments?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Mon, 18 Feb 2013 12:01:35 -0000</pubDate></item><item><title>Re: #624,683 — PaulStamatiou.com</title><link>http://paulstamatiou.com/joining-twitter#comment-775973708</link><description>&lt;p&gt;Heads up: The footnote links are broken when the post is summarized on your front page.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Wed, 23 Jan 2013 16:08:24 -0000</pubDate></item><item><title>Re: Why the NewsGator API Still 
Sucks</title><link>http://blog.chrismeller.com/why-the-newsgator-api-still-sucks#comment-773211664</link><description>&lt;p&gt;The Newsgator Sync service was discontinued in 2009: &lt;a href="http://nick.typepad.com/blog/2009/07/the-end-of-newsgator-sync-what-it-means-for-feeddemon-customers.html" rel="nofollow noopener" target="_blank" title="http://nick.typepad.com/blog/2009/07/the-end-of-newsgator-sync-what-it-means-for-feeddemon-customers.html"&gt;http://nick.typepad.com/blo...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chrismeller</dc:creator><pubDate>Sun, 20 Jan 2013 11:35:09 -0000</pubDate></item></channel></rss>