Script to spawn php5-cgi to enable Nginx to serve PHP code/pages


#1

The php5-cgi (until 5.2.4) package does not include a script to
automatically start it in external FASTCGI Mode (Daemon mode).

As there is some confusion on the Internet on how to properly set PHP
script execution in the Nginx Web server, I am attaching the script that
we reliably use at our servers.

This is how we install it in Ubuntu/Debian(sudo enabled):
sudo nano /etc/init.d/php-fastcgi # copy and paste the text between
the “— cut here —” to this file and save it (+x, Y, ).
sudo chmod u+x /etc/init.d/php-fastcgi
sudo chown 0.0 /etc/init.d/php-fastcgi
sudo update-rc.d php-fastcgi defaults 21 23

I hope it may also help you at your setups.

M.

— cut here —
#! /bin/sh

BEGIN INIT INFO

Provides: php-fastcgi

Required-Start: $all

Required-Stop: $all

Default-Start: 2 3 4 5

Default-Stop: 0 1 6

Short-Description: Start and stop php-cgi in external FASTCGI mode

Description: Start and stop php-cgi in external FASTCGI mode

END INIT INFO

Do NOT “set -e”

Default values are enclosed in []

PATH=/usr/sbin:/usr/bin:/sbin:/bin

Start php-fastcgi? [no]

START=yes

Read configuration data

NAME=php-fastcgi
DESC=“php-cgi runing in external FASTCGI mode”
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

Daemon pathname and args: IP=[127.0.0.1], port=[9000]

/usr/bin/php-cgi links to -> /etc/alternatives/php-cgi ->

/usr/bin/php5-cgi
DAEMON=/usr/bin/php-cgi
DAEMON_ARGS="-q -b 127.0.0.1:9000"

Which user runs PHP? [www-data]

EXEC_AS_USER=www-data

php-cgi env. variables: spawned children [5] , concurrent requests

[1000]
PHP_FCGI_CHILDREN=5
PHP_FCGI_MAX_REQUESTS=125
export PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS

Exit if php-cgi is not installed

[ -x “$DAEMON” ] || exit 0

Load rcS variable settings and set (re)start/stop verbosity

[ -f /etc/default/rcS ] && . /etc/default/rcS
VERBOSE=yes

Define LSB log_* functions.

Depend on lsb-base (>= 3.0-6) to ensure that this file is present.

. /lib/lsb/init-functions

If $START not ‘yes’ AND we are not stopping the $DAEMON

if [ “$START” != “yes” -a “$1” != “stop” ]; then
log_warning_msg “To enable $NAME, edit /etc/init.d/$NAME and set
START=yes”
exit 0
fi

do_start()
{

Return values: 0=started ok,1=already running,2=unable to start

start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON
–test > /dev/null || return 1
start-stop-daemon --start --quiet --background
–chuid $EXEC_AS_USER --pidfile $PIDFILE --make-pidfile
–exec $DAEMON – $DAEMON_ARGS
|| return 2
}

do_stop()
{

Return values: 0=stopped ok,1=already stopped,2=unable to stop,

other if a failure occurred

start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
  --pidfile $PIDFILE > /dev/null # --name $DAEMON

RETVAL="$?"
[ “$RETVAL” = 2 ] && return 2

Wait for children to finish too.

start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5
–exec $DAEMON
[ “$?” = 2 ] && return 2

Many daemons don’t delete their pidfiles when they exit.

rm -f $PIDFILE
return “$RETVAL”
}

case “$1” in
start)
[ “$VERBOSE” != no ] && log_daemon_msg “Starting $DESC”
do_start
case “$?” in
0|1) [ “$VERBOSE” != no ] && log_end_msg 0 ;;
2) [ “$VERBOSE” != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ “$VERBOSE” != no ] && log_daemon_msg “Stopping $DESC”
do_stop
case “$?” in
0|1) [ “$VERBOSE” != no ] && log_end_msg 0 ;;
2) [ “$VERBOSE” != no ] && log_end_msg 1 ;;
esac
;;
restart|force-reload)
log_daemon_msg “Restarting $DESC”
do_stop
case “$?” in
0|1)
do_start
case “$?” in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
echo “Usage: $SCRIPTNAME {start|stop|restart|force-reload}” >&2
exit 3
;;
esac

— cut here —


#2

Mark A. wrote:

DAEMON_ARGS="-q -b 127.0.0.1:9000"
Isn’t it better to use a unix socket for connection?

/usr/bin/php-cgi -q -b unix:/tmp/php-fastcgi

Phillip B Oldham
The Activity People
removed_email_address@domain.invalid mailto:removed_email_address@domain.invalid


Policies

This e-mail and its attachments are intended for the above named
recipient(s) only and may be confidential. If they have come to you in
error, please reply to this e-mail and highlight the error. No action
should be taken regarding content, nor must you copy or show them to
anyone.

This e-mail has been created in the knowledge that Internet e-mail is
not a 100% secure communications medium, and we have taken steps to
ensure that this e-mail and attachments are free from any virus. We must
advise that in keeping with good computing practice the recipient should
ensure they are completely virus free, and that you understand and
observe the lack of security when e-mailing us.


#3

Phillip B Oldham wrote:

DAEMON_ARGS="-q -b 127.0.0.1:9000"
Isn’t it better to use a unix socket for connection?

/usr/bin/php-cgi -q -b unix:/tmp/php-fastcgi

Why?

Unix sockets will need buffers in kernel memory instead of simply using
the file system. If that is better or worse is something that need
further testing. Have you tested it?

M.


#4

Mark A. wrote:

further testing. Have you tested it?

  1. Works like a charm for me for 1 year.
  2. Security can be added so only specified users can connect to this
    socket. You can’t do this to tcp port, so tcp can be locally compromised
    to get privileges of the user running php-cgi.
  3. TCP is slower then unix sockets. And it is buffered too.

#5

Volodymyr K. wrote:

  1. Security can be added so only specified users can connect to this
    socket. You can’t do this to tcp port, so tcp can be locally
    compromised to get privileges of the user running php-cgi.
    Didn’t know about that, but that’s very interesting.
  2. TCP is slower then unix sockets. And it is buffered too.
    I thought sockets were faster. There’s also some good IBM articles on
    how to squeeze even more performance out of them, for instance to
    increase the buffer size.

Phillip B Oldham
The Activity People
removed_email_address@domain.invalid mailto:removed_email_address@domain.invalid


Policies

This e-mail and its attachments are intended for the above named
recipient(s) only and may be confidential. If they have come to you in
error, please reply to this e-mail and highlight the error. No action
should be taken regarding content, nor must you copy or show them to
anyone.

This e-mail has been created in the knowledge that Internet e-mail is
not a 100% secure communications medium, and we have taken steps to
ensure that this e-mail and attachments are free from any virus. We must
advise that in keeping with good computing practice the recipient should
ensure they are completely virus free, and that you understand and
observe the lack of security when e-mailing us.


#6

Volodymyr K. wrote:

  1. Works like a charm for me for 1 year.

That seems interesting. I am inclined to give it a try.

How do you set them up? Are you using Ubuntu or a Debian based Linux?
Could you post example scripts on how to set up the Unix domain sockets?

  1. Security can be added so only specified users can connect to this
    socket. You can’t do this to tcp port, so tcp can be locally compromised
    to get privileges of the user running php-cgi.

That is interesting.

  1. TCP is slower then unix sockets. And it is buffered too.

Do you have any pointers to papers or other work about comparative speed
testing?

Regards,
M.


#7

Mark A. wrote:

That seems interesting. I am inclined to give it a try.

How do you set them up? Are you using Ubuntu or a Debian based Linux?
Could you post example scripts on how to set up the Unix domain sockets?
/usr/bin/php-cgi -q -b unix:/tmp/php-fastcgi

That’s all you need. Rather than speficy “ip:port”, specify
“unix:socketpath”

Do you have any pointers to papers or other work about comparative
speed testing?
http://www.ibm.com/developerworks/linux/library/l-hisock.html

Phillip B Oldham
The Activity People
removed_email_address@domain.invalid mailto:removed_email_address@domain.invalid


Policies

This e-mail and its attachments are intended for the above named
recipient(s) only and may be confidential. If they have come to you in
error, please reply to this e-mail and highlight the error. No action
should be taken regarding content, nor must you copy or show them to
anyone.

This e-mail has been created in the knowledge that Internet e-mail is
not a 100% secure communications medium, and we have taken steps to
ensure that this e-mail and attachments are free from any virus. We must
advise that in keeping with good computing practice the recipient should
ensure they are completely virus free, and that you understand and
observe the lack of security when e-mailing us.


#8

2008/11/6 Volodymyr K. removed_email_address@domain.invalid:

I use FreeBSD at large, but have composed a tiny snippet for some old CentOS
server:

I like to spawn php processes like jail_* does: :slight_smile:

/etc/rc.conf

phpfcgi_enable=“YES”
phpfcgi_list=“roundcube roundcube2”

phpfcgi_roundcube_pid="/home/www/roundcube/pid"
phpfcgi_roundcube_socket="/home/www/roundcube/fcgi"
phpfcgi_roundcube_children=“64”
phpfcgi_roundcube_requests="1000

phpfcgi_roundcube2_pid="/home/www/roundcube2/pid"
phpfcgi_roundcube2_socket=“127.0.0.1:8080”

/usr/local/etc/rc.d/phpfcgi start

/usr/local/etc/rc.d/phpfcgi restart roundcube

/usr/local/etc/rc.d/phpfcgi stop roundcube2

vim /usr/local/etc/rc.d/phpfcgi

#!/bin/sh

PROVIDE: phpfcgi

REQUIRE: DAEMON

BEFORE: LOGIN

KEYWORD: shutdown

. /etc/rc.subr

name=“phpfcgi”
rcvar=set_rcvar
start_cmd=“phpfcgi_start”
stop_cmd=“phpfcgi_stop”

init_variables()
{
_f="$1"

if [ -z "$_f" ]; then
    warn "init_variables: you must specify a phpfcgi"
    return
fi

eval _user=\"\$phpfcgi_${_f}_user\"
eval _pid=\"\$phpfcgi_${_f}_pid\"
eval _program=\"\$phpfcgi_${_f}_program\"
eval _socket=\"\$phpfcgi_${_f}_socket\"
eval _children=\"\$phpfcgi_${_f}_children\"
eval _requests=\"\$phpfcgi_${_f}_requests\"

[ -z "${_user}" ] && _user="www"
[ -z "${_program}" ] && _program="/usr/local/bin/php-cgi"
[ -z "${_children}" ] && _children="8"
[ -z "${_requests}" ] && _requests="1000"

if [ -z "${_pid}" ]; then
    err 3 "$name: No pid has been defined for ${_f}"
fi
if [ -z "${_socket}" ]; then
    err 3 "$name: No socket has been defined for ${_f}"
fi

}

phpfcgi_start() {
echo -n 'Starting phpfcgis: ’
for _phpfcgi in ${phpfcgi_list}; do
init_variables $_phpfcgi
echo -n "${_phpfcgi} "

    PHP_FCGI_CHILDREN=${_children} \
    PHP_FCGI_MAX_REQUESTS=${_requests} \
    /usr/sbin/daemon -u ${_user} -p ${_pid} ${_program} -b 

${_socket}
done
echo ‘.’
}

phpfcgi_stop() {
echo -n 'Stopping phpfcgis: ’
for _phpfcgi in ${phpfcgi_list}; do
init_variables $_phpfcgi

    if [ -f ${_pid} ]; then
        echo -n "${_phpfcgi} "
        kill -TERM $(cat ${_pid}) && rm -f ${_pid}
    fi
done
echo '.'

}

load_rc_config $name
cmd="$1"
if [ $# -gt 0 ]; then
shift
fi
if [ -n “$" ]; then
phpfcgi_list="$

fi
run_rc_command “${cmd}”


regards,
Artis Caune

<----. CCNA | BSDA
<----|====================
<----’ didii FreeBSD


#9

Mark A. wrote:

  1. Works like a charm for me for 1 year.

That seems interesting. I am inclined to give it a try.

How do you set them up? Are you using Ubuntu or a Debian based Linux?
Could you post example scripts on how to set up the Unix domain sockets?

I use FreeBSD at large, but have composed a tiny snippet for some old
CentOS server:

#!/bin/ash

chkconfig: 234 25 75

description: php FastCGI daemon

case $1 in
restart)
/etc/init.d/phpFcgid stop
/etc/init.d/phpFcgid start
;;
start)
users=“user1 user2”
user1_childs=‘8’
user2_childs=‘2’
user3_childs=‘8’
for user in ${users}; do
socketdir="/tmp/.php.fastcgi.${user}"
mkdir -p ${socketdir}
chown ${user}:nobody ${socketdir}
chmod 0750 ${socketdir}
eval export PHP_FCGI_CHILDREN=${${user}_childs}
su -m ${user} -c “/opt/php5/bin/php-cgi -b
${socketdir}/socket&”
done
;;
stop) /usr/bin/pkill php-cgi ;;
esac

This way only the user running php and group www gets access to the
socket.

  1. TCP is slower then unix sockets. And it is buffered too.
    Do you have any pointers to papers or other work about comparative speed
    testing?

http://oss.sgi.com/archives/netdev/2003-03/msg00024.html

That was long ago… But the numbers show UDP is 25% slower then AF_UNIX
at establishing connections and TCP can handle only 22% of AF_UNIX
throughoutput. And I don’t think AF_INET will ever become faster then
AF_UNIX - it covers a lot more possibilities and as such require more
computational power.


#10

Phillip B Oldham wrote:

How do you set them up? Are you using Ubuntu or a Debian based Linux?
Could you post example scripts on how to set up the Unix domain sockets?
/usr/bin/php-cgi -q -b unix:/tmp/php-fastcgi

That’s all you need. Rather than speficy “ip:port”, specify

From an Ubuntu 8.04 LTS server (Debian based):

/usr/bin/php-cgi -q -b unix:/tmp/php-fastcgi

Cannot bind/listen socket - [2] No such file or directory.
Couldn’t create FastCGI listen socket on port unix:/tmp/php-fastcgi

Doing a touch /tmp/php-fastcgi before issuing the command has no effect
either.

“unix:socketpath”

Do you have any pointers to papers or other work about comparative
speed testing?
http://www.ibm.com/developerworks/linux/library/l-hisock.html

This starts looking good. That page has several links to interesting
reference material. Thank you.

Regards,
M.


#11

Mark A. wrote:

/usr/bin/php-cgi -q -b unix:/tmp/php-fastcgi

Cannot bind/listen socket - [2] No such file or directory.
Couldn’t create FastCGI listen socket on port unix:/tmp/php-fastcgi
sudo?

Phillip B Oldham
The Activity People
removed_email_address@domain.invalid mailto:removed_email_address@domain.invalid


Policies

This e-mail and its attachments are intended for the above named
recipient(s) only and may be confidential. If they have come to you in
error, please reply to this e-mail and highlight the error. No action
should be taken regarding content, nor must you copy or show them to
anyone.

This e-mail has been created in the knowledge that Internet e-mail is
not a 100% secure communications medium, and we have taken steps to
ensure that this e-mail and attachments are free from any virus. We must
advise that in keeping with good computing practice the recipient should
ensure they are completely virus free, and that you understand and
observe the lack of security when e-mailing us.


#12

On Thursday 06 November 2008, Mark A. wrote:

/usr/bin/php-cgi -q -b unix:/tmp/php-fastcgi

php-cgi -b /tmp/php-fastcgi


#13

Roxis wrote:

On Thursday 06 November 2008, Mark A. wrote:

/usr/bin/php-cgi -q -b unix:/tmp/php-fastcgi

php-cgi -b /tmp/php-fastcgi

You are right. Thank you

I have posted the changed HowTo “20081106 - Script to spawn php5-cgi
enabling Nginx to serve PHP code/pages”

M.