2022-10-03

Tuning php-fpm + nginx + codeigniter virtual host settings

When setting up virtual hosts (server blocks) with nginx + php-fpm, pay attention to permissions: ideally each site should run against its own php-fpm pool under a different user, so that a compromise of one site's PHP code cannot read or write the other site's files. The following uses two sites, site1 and site2, as an example:

1. Create the users, and remember to change their shell in /etc/passwd to nologin
sudo groupadd site1
sudo useradd -g site1 site1
sudo groupadd site2
sudo useradd -g site2 site2

2. Create the php-fpm pool configuration files; copy /etc/php/8.1/fpm/pool.d/www.conf and edit it
(/etc/php/8.1/fpm/pool.d/site1.conf)
[site1]
user = site1
group = site1
listen = /run/php/php8.1-fpm-site1.sock
pm.max_children = 200
pm.start_servers = 10
pm.min_spare_servers = 10
pm.max_spare_servers = 30
pm.max_requests = 10000
...(leave the rest unchanged)


(/etc/php/8.1/fpm/pool.d/site2.conf)
[site2]
user = site2
group = site2
listen = /run/php/php8.1-fpm-site2.sock
pm.max_children = 200
pm.start_servers = 10
pm.min_spare_servers = 10
pm.max_spare_servers = 30
pm.max_requests = 10000
...(leave the rest unchanged)
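The point of steps 1 and 2 is isolation: the pool name, its user and group, its socket name, and a nologin shell for that user must all line up, otherwise both sites silently end up running as the same account. The following POSIX sh audit is an added example (not from this post); it parses pool files in the same key = value format shown above and checks those four things. The pool files and the /etc/passwd lines are constructed sample data; site2 is deliberately misconfigured to show what the check reports.

```shell
#!/bin/sh
# Audit php-fpm pool files: pool name, user, group and socket name must agree,
# and the pool user must have a non-login shell. Sample data is constructed.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/site1.conf" <<'EOF'
[site1]
user = site1
group = site1
listen = /run/php/php8.1-fpm-site1.sock
listen.owner = www-data
listen.group = www-data
pm.max_children = 200
EOF

# Constructed bad pool: named site2 but still running as www-data on the shared socket.
cat > "$tmp/site2.conf" <<'EOF'
[site2]
user = www-data
group = www-data
listen = /run/php/php8.1-fpm.sock
EOF

# Constructed stand-in for /etc/passwd (real audit would read the actual file).
PASSWD_SAMPLE='site1:x:1001:1001::/home/site1:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
site2:x:1002:1002::/home/site2:/bin/bash'

# conf_get FILE KEY: value of the first "KEY = value" line (does not match e.g. listen.group).
conf_get() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1; }

# check_pool FILE: prints one line per problem, returns 0 only when the pool is isolated.
check_pool() {
    f=$1
    name=$(sed -n 's/^\[\([^]]*\)\].*/\1/p' "$f" | head -n1)
    user=$(conf_get "$f" user); group=$(conf_get "$f" group); sock=$(conf_get "$f" listen)
    rc=0
    [ "$user" = "$name" ]  || { echo "$f: user '$user' != pool '$name'"; rc=1; }
    [ "$group" = "$name" ] || { echo "$f: group '$group' != pool '$name'"; rc=1; }
    case $sock in
        *"-$name.sock") ;;
        *) echo "$f: socket '$sock' is not pool-specific"; rc=1 ;;
    esac
    shell=$(printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$user" '$1 == u { print $7 }')
    case $shell in
        */nologin|*/false) ;;
        *) echo "$f: user '$user' has login shell '$shell'"; rc=1 ;;
    esac
    return $rc
}

for f in "$tmp"/*.conf; do
    if check_pool "$f"; then echo "$f: ok"; else echo "$f: NOT isolated"; fi
done
```

On a real host, point the loop at /etc/php/8.1/fpm/pool.d/*.conf and replace PASSWD_SAMPLE with the contents of /etc/passwd; the listen.owner/listen.group lines stay www-data because that is the account nginx connects from.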

pm.max_children is calculated as follows: first find the memory needed by each php process (e.g. 23M):
ps --no-headers -o "rss,cmd" -C php-fpm8.1 | awk '{ sum+=$1 } END { printf ("%d%s\n", sum/NR/1024,"M") }'

Then use free -h to find the available memory (e.g. 6 GB), which gives 6*1024/23=267; you can of course set it a bit lower to be safe.
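The same calculation as a reusable POSIX sh snippet, added here as an example (not from the original post). It averages the RSS column of ps-style output, divides available memory by it, and optionally keeps back a safety margin as the post suggests; the ps lines below are constructed, and the real commands are shown in comments.

```shell
#!/bin/sh
# Derive pm.max_children from per-worker RSS and available memory.
# Constructed sample of `ps --no-headers -o "rss,cmd" -C php-fpm8.1` output (RSS in KiB).
SAMPLE_PS='24576 php-fpm: pool site1
23040 php-fpm: pool site1
23296 php-fpm: pool site2
23808 php-fpm: pool site2'

# avg_rss_mb: average RSS in MiB (rounded down) of "rss cmd" lines on stdin; 0 if no lines.
avg_rss_mb() {
    awk '{ sum += $1 } END { if (NR == 0) print 0; else printf "%d\n", sum / NR / 1024 }'
}

# max_children AVAIL_MB PER_PROC_MB: available memory divided by per-process memory.
max_children() {
    avail_mb=$1; per_proc_mb=$2
    [ "$per_proc_mb" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( avail_mb / per_proc_mb ))
}

# max_children_with_margin AVAIL_MB PER_PROC_MB [MARGIN_PCT]: leave MARGIN_PCT unused (default 20).
max_children_with_margin() {
    avail_mb=$1; per_proc_mb=$2; margin_pct=${3:-20}
    usable=$(( avail_mb * (100 - margin_pct) / 100 ))
    max_children "$usable" "$per_proc_mb"
}

# On a live host (not run here):
#   per=$(ps --no-headers -o "rss,cmd" -C php-fpm8.1 | avg_rss_mb)
#   avail=$(free -m | awk '/^Mem:/ { print $7 }')   # "available" column of free -m
per=$(printf '%s\n' "$SAMPLE_PS" | avg_rss_mb)
echo "average rss per worker: ${per}M"
echo "pm.max_children with 6 GiB available: $(max_children 6144 "$per")"
echo "same with a 20% margin:               $(max_children_with_margin 6144 "$per")"
```

Remember that the figure is per pool: with two pools sharing one host, the two pm.max_children values together must fit in the available memory, not each one on its own.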

3. Edit /etc/php/8.1/fpm/php.ini
disable_functions = passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen = On
opcache.enable=1
opcache.use_cwd=1
opcache.validate_permission=1

4. Create the two site directories /var/www/site1.example.com.tw and /var/www/site2.example.com.tw

5. Edit /etc/security/limits.conf and add (131072 for 4 cores):

*       hard    nofile  131072
*       soft    nofile  131072
#*       hard    nproc   31289
#*       soft    nproc   31289

6. Edit /etc/nginx/nginx.conf and add:
...
worker_rlimit_nofile 65536;
...
events {
        worker_connections 2048;
        # multi_accept on;
        use epoll;
}
...
http {
...
# set real ip
        real_ip_header X-Real-IP;
        set_real_ip_from your_frontend_proxy_ipv4;
        set_real_ip_from your_frontend_proxy_ipv6;
...
}


7. Edit /etc/nginx/sites-available/default:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        #server_name site1.example.com.tw site2.example.com.tw;
        server_name ~^(?<domain>site1|site2)\.example\.com\.tw$;
        root /var/www/$host;

        #change 403 to 404
        error_page 403 =404 /404.html;

        #use mirror to log headers
        #then log to find header => nc -kl 6677 > ~/headers.log
        #mirror /mirror;
        #mirror_request_body off;

        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm;

        client_max_body_size 50M;
        proxy_busy_buffers_size 512k;
        proxy_buffers 4 512k;
        proxy_buffer_size 256k;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;

        if ($http_user_agent ~* (baidu|sogou|bloghoo|scooter|mj12bot|petalbot|ahrefsbot|semrushbot|dotbot)){
                return 403;
        }

        location / {
                # Check if a file or directory index file exists, else route it to index.php.
                try_files $uri $uri/ /index.php?$is_args$args;
        }

        location /sites/ {
                valid_referers none blocked *.example.com.tw;

                if ($invalid_referer) {
                        return 403;
                }
        }

        #use mirror to log headers
        #location /mirror {
        #    internal;
        #    proxy_read_timeout 1;
        #    proxy_pass http://127.0.0.1:6677;
        #    proxy_set_header X-Original-URI $request_uri;
        #}

        location ~* ^/(application|system)/ { #forbidden path
            deny all;
            access_log off;
            log_not_found off;
        }

        location ~* ^/sites/.*\.php[^\.]*$ { #not allow php execute in sites folder
            deny all;
            access_log off;
            log_not_found off;
        }

        location ~* /.*(\.ht|\.htaccess|\.db)$ { #forbidden file type
            deny all;
            access_log off;
            log_not_found off;
        }

        location ~* \.(ico|css|js|gif|jpeg|jpg|png|bmp)$ { # expiration header
                set $expires_time 7d;
                if ($request_uri ~* \.(css|js)$) {
                        set $expires_time 1d;
                }
                expires $expires_time;
                log_not_found off;
        }

        # pass PHP scripts to FastCGI server
        location ~* \.php$ {
                include snippets/fastcgi-php.conf;
                # With php-fpm (or other unix sockets):
                #fastcgi_pass unix:/run/php/php7.4-fpm.sock;
                #setting pool in /etc/php/8.1/fpm/pool.d/ according to domain, change user/group/sock-name
                fastcgi_pass unix:/run/php/php8.1-fpm-$domain.sock;

                # With php-cgi (or other tcp sockets):
                #fastcgi_pass 127.0.0.1:9000;

                fastcgi_buffers 16 32k;
                fastcgi_buffer_size 64k;
                fastcgi_busy_buffers_size 64k;
                fastcgi_temp_file_write_size 256k;
                fastcgi_read_timeout 300;

                include fastcgi_params;

                #replace $_SERVER['remote_addr'] with X-Forwarded-For
                fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
        }

}