配置 php-fpm 监听的socket
2016-01-07 18:38
776 查看
一般现在我们配置的PHP的web环境,如LNMP(linux+Nginx+Mysql+PHP),这里linux可能是centos,ubuntu...,数据库可能是mysql,postgresql,sqlserver等。。
在服务器上安装PHP-FPM,nginx后,我们要配置Nginx的http模块,让.php的文件由nginx转发给PHP-FPM处理,然后在将php-fpm的处理结果通过http响应传给浏览器,就完成了一次http的请求。。
在配置Nginx的http模块的时候,通常是这样:
那么这两种方式有什么区别呢??
这就是我这篇博文所要解释的问题。下面,我带大家来分析一下其中的原理,一下是我的一些理解,不对的地方还请大家不吝赐教,我将很感激~~[/code]
PHP-FPMcanlistenonmultiplesockets.IalsolistenonUnixsockets,orTCPsockets.SeehowthisworksandhowtoensureNginxisproperlysendingrequeststoPHP-FPM.
PHP-FPMListenconfiguration:
AlsoeditNginxandseewhereit'ssendingrequesttoPHP-FPM:
WecanseeabovethatNginxissendingrequeststoPHP-FPMviaaunixsocket(fauxfile)at
Nginxisrunasuser/group
IfwechangetheUnixsocketownertouser/group
So,filepermissionsarethesecuritymechanismforPHP-FPMwhenusingaunixsocket.Thefaux-file'suser/groupandit'suser/group/otherpermissionsdetermineswhatlocalusersandprocessesandreadandwritetothePHP-FPMsocket.
ChangeListento
PHP-FPM:
Nginx:
Previousmessage:unixdomainsocketsvs.internetsockets
Nextmessage:unixdomainsocketsvs.internetsockets
Messagessortedby:[date][thread][subject][author]
在服务器上安装PHP-FPM,nginx后,我们要配置Nginx的http模块,让.php的文件由nginx转发给PHP-FPM处理,然后在将php-fpm的处理结果通过http响应传给浏览器,就完成了一次http的请求。。
在配置Nginx的http模块的时候,通常是这样:
server~\.php${ includesnippets/fastcgi-php.conf; fastcgi_pass127.0.0.1:9000; }
也可以这样,
server~\.php${ includesnippets/fastcgi-php.conf; fastcgi_passunix:/var/run/php5-fpm.sock; }
那么这两种方式有什么区别呢??
这就是我这篇博文所要解释的问题。下面,我带大家来分析一下其中的原理,一下是我的一些理解,不对的地方还请大家不吝赐教,我将很感激~~[/code]
PHP-FPMcanlistenonmultiplesockets.IalsolistenonUnixsockets,orTCPsockets.SeehowthisworksandhowtoensureNginxisproperlysendingrequeststoPHP-FPM.
CommandRundown
DefaultConfiguration
EditPHP-FPMconfiguration#ConfigurePHP-FPMdefaultresourcepool sudovim/etc/php5/fpm/pool.d/www.conf
PHP-FPMListenconfiguration:
#Stuffomitted listen=/var/run/php5-fpm.sock listen.owner=www-data listen.group=www-data
AlsoeditNginxandseewhereit'ssendingrequesttoPHP-FPM:
#Files:/etc/nginx/sites-available/default
#...stuffomitted
server~\.php${ includesnippets/fastcgi-php.conf; fastcgi_passunix:/var/run/php5-fpm.sock; }
WecanseeabovethatNginxissendingrequeststoPHP-FPMviaaunixsocket(fauxfile)at
/var/run/php5-fpm.sock.Thisisalsowherethe
www.conffileissettingPHP-FPMtolistenforconnections.
UnixSockets
Thesearesecureinthattheyarefile-basedandcan'tbereadbyremoteservers.Wecanfurtheruselinuxpermissiontosetwhocanreadandwritetothissocketfile.Nginxisrunasuser/group
www-data.PHP-FPM'sunixsocketthereforeneedstobereadable/writablebythisuser.
IfwechangetheUnixsocketownertouser/group
ubuntu,Nginxwillthenreturnabadgatewayerror,asitcannolongercommunicatetothesocketfile.WewouldhavetochangeNginxtorunasuser"ubuntu"aswell,orsetthesocketfiletoallow"other"(nonusernorgroup)toberead/writtento,whichisinsecure.
#Stuffomitted listen=/var/run/php5-fpm.sock listen.owner=ubuntu listen.group=ubuntu
So,filepermissionsarethesecuritymechanismforPHP-FPMwhenusingaunixsocket.Thefaux-file'suser/groupandit'suser/group/otherpermissionsdetermineswhatlocalusersandprocessesandreadandwritetothePHP-FPMsocket.
TCPSockets
SettingtheListendirectivetoaTCPsocket(ipaddressandport)makesPHP-FPMlistenoverthenetworkratherthanasaunixsocket.ThismakesPHP-FPMabletobelistenedtobyremoteservers(orstilllocallyoverthelocalhostnetwork).ChangeListento
Listen127.0.0.1:9000tomakePHP-FPMlistenonthelocalhostnetwork.Forsecurity,wecanusethe
listen.allowed_clientsratherthansettheowner/groupofthesocket.
PHP-FPM:
#Listenonlocalhostport9000 Listen127.0.0.1:9000 #EnsureonlylocalhostcanconnecttoPHP-FPM listen.allowed_clients=127.0.0.1
Nginx:
#Files:/etc/nginx/sites-available/default
#...stuffomitted
server~\.php${ includesnippets/fastcgi-php.conf; fastcgi_pass127.0.0.1:9000; }http://lists.freebsd.org/pipermail/freebsd-performance/2005-February/001143.html
unixdomainsocketsvs.internetsockets
RobertWatsonrwatsonatFreeBSD.org FriFeb2502:29:14PST2005
Previousmessage:
Nextmessage:
Messagessortedby:
OnFri,25Feb2005,BarisSimsekwrote: >Iamcodingadaemonprogram.Iamnotsureaboutwhichtypeofsockets >ishoulduse.Couldyoucompareipsocketsandunixdomainsockets?My >maincriterionsareperformanceandprotocolload.Whatarethe >differencesbetweenimpelementationsofthematkernellevel? Thereareafewdifferencesthatmightbeofinterest,inadditiontothe alreadypointedoutdifferencethatifyoustartoutusingIPsockets,you don'thavetomigratetothemlaterwhenyouwantinter-machine connectivity: -UNIXdomainsocketsusethefilesystemastheaddressnamespace.This meansyoucanuseUNIXfilepermissionstocontrolaccesstocommunicate withthem.I.e.,youcanlimitwhatotherprocessescanconnecttothe daemon--maybeoneusercan,butthewebservercan't,orthelike. WithIPsockets,theabilitytoconnecttoyourdaemonisexposedoff thecurrentsystem,soadditionalstepsmayhavetobetakenfor security.Ontheotherhand,yougetnetworktransparency.WithUNIX domainsockets,youcanactuallyretrievethecredentialoftheprocess thatcreatedtheremotesocket,andusethatforaccesscontrolalso, whichcanbequiteconvenientonmulti-usersystems. -IPsocketsoverlocalhostarebasicallyloopedbacknetworkon-the-wire IP.Thereisintentionally"nospecialknowledge"ofthefactthatthe connectionistothesamesystem,sonoeffortismadetobypassthe normalIPstackmechanismsforperformancereasons.Forexample, transmissionoverTCPwillalwaysinvolvetwocontextswitchestogetto theremotesocket,asyouhavetoswitchthroughthenetisr,which occursfollowingthe"loopback"ofthepacketthroughthesynthetic loopbackinterface.Likewise,yougetalltheoverheadofACKs,TCP flowcontrol,encapsulation/decapsulation,etc.Routingwillbe performedinordertodecideifthepacketsgotothelocalhost. LargesendswillhavetobebrokendownintoMTU-sizedatagrams,which alsoaddsoverheadforlargewrites.It'sreallyTCP,itjustgoesover aloopbackinterfacebyvirtueofaspecialaddress,ordiscoveringthat theaddressrequestedisservedlocallyratherthanoveranethernet (etc). -UNIXdomainsocketshaveexplicitknowledgethatthey'reexecutingon thesamesystem.Theyavoidtheextracontextswitchthroughthe netisr,andasendingthreadwillwritethestreamordatagramsdirectly intothereceivingsocketbuffer.Nochecksumsarecalculated,no headersareinserted,noroutingisperformed,etc.Becausetheyhave accesstotheremotesocketbuffer,theycanalsodirectlyprovide feedbacktothesenderwhenitisfilling,ormoreimportantly, emptying,ratherthanhavingtheaddedoverheadofexplicit acknowledgementandwindowchanges.Theonepieceoffunctionalitythat UNIXdomainsocketsdon'tprovidethatTCPdoesisout-of-banddata.In practice,thisisanissueforalmostnoone. Ingeneral,theargumentforimplementingoverTCPisthatitgivesyou locationindependenceandimmediateportability--youcanmovetheclient orthedaemon,updateanaddress,anditwill"justwork".Thesockets layerprovidesareasonableabstractionofcommunicationsservices,so it'snothardtowriteanapplicationsothattheconnection/binding portionknowsaboutTCPandUNIXdomainsockets,andalltherestjust usesthesocketit'sgiven.Soifyou'relookingforperformancelocally, IthinkUNIXdomainsocketsprobablybestmeetyourneed.Manypeople willcodetoTCPanywaybecauseperformanceisoftenlesscritical,and thenetworkportabilitybenefitissubstantial. Rightnow,theUNIXdomainsocketcodeiscoveredbyasubsystemlock;I haveaversionthatusedmorefine-grainlocking,buthavenotyet evaluatedtheperformanceimpactofthosechanges.I'veyou'rerunningin anSMPenvironmentwithfourprocessors,itcouldbethatthosechanges mightpositivelyimpactperformance,soifyou'dlikethepatches,letme know.Rightnowthey'reonmyscheduletostarttesting,butnotonthe pathforinclusioninFreeBSD5.4.Theprimarybenefitofgreater granularitywouldbeifyouhadmanypairsofthreads/processes communicatingacrossprocessorsusingUNIXdomainsockets,andasaresult therewassubstantialcontentionontheUNIXdomainsocketsubsystemlock. Thepatchesdon'tincreasethecostofnormalsend/receiveoperations,but dueaddextramutexoperationsinthelisten/accept/connect/bindpaths. RobertNMWatson
相关文章推荐
- php写入数据到txt文件
- laravel中路由、视图、控制器的工作流程
- [转]验证E-mail、用户名、社保号、IP地址等10个实用的PHP正则表达式
- 2、FileOutputStream--->文件输出流(向文件写入数据)
- 如何写一个yii2的插件
- 过完免费的内容管理系统(CMS)的PHP脚本
- PHP验证码无scripts的一些知识
- Yii分析相关
- 设置php编译功能
- php 安装教程
- PHP图像裁剪缩略裁切类源码及使用方法
- PHP截断函数mb_substr()
- php数据库链接
- 安装并配置基于虚拟用户的vsftpd
- 学习笔记:百度Web开发工程师笔试题+新浪PHP工程师笔试题
- ftp 操作,支持断点续传或者继续下载。
- php
- PHP
- 有关ftp4j的FTPListParseException异常
- PHP可阅读随机字符串