# Running only PHP-FPM in jail



## pentago (Mar 7, 2015)

I'm trying to test setup where i have multiple instances of www/nginx jails and each of them to have PHP backend which is separate jail to avoid creating multiple jails with both Nginx/PHP.

I set up php-fpm(8) jail pool to listen on 192.168.1.6:9000, set up Nginx jail to use that IP:PORT for PHP files but I can't make it to process PHP files.

Is this setup even possible?


----------



## junovitch@ (Mar 7, 2015)

It is possible but there is one little "gotcha".  The PHP files have to exist in both locations, one for nginx(8) to see that it exist and the same file for php-fpm(8) to actually execute.  So you'll need to come up with some way to keep things synced up be it manually if things don't change often or automated if they do change often.  Here's an example that I have for managing my media server.  I have one jail with www/nginx and a handful of web relates things and another jail running my net/serviio media server and PHP.  The /usr/local/www/Web-UI-for-Serviio-Serviio-1.5 directory is identical between both jails.


```
server {
        listen       80;
        server_name  serviio-console;

        access_log   /var/log/nginx/serviio_console_access.log;
        root         /usr/local/www/Web-UI-for-Serviio-Serviio-1.5;

        location / {
            index index.php;
        }
        location ~ \.php$ {
            fastcgi_pass 10.100.102.14:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME /usr/local/www/Web-UI-for-Serviio-Serviio-1.5$fastcgi_script_name;
            include fastcgi_params;
        }
        location ~ /\.ht {
            deny all;
        }
    }
```

The WebUI is from https://github.com/SwoopX/Web-UI-for-Serviio for the curious.


----------



## pentago (Mar 7, 2015)

Hmm, having same files on multiple locations kinda beats the purpose of this setup, isn't it? :/
I can swear I read somewhere that this thing worked the way I thought it would..


----------



## junovitch@ (Mar 8, 2015)

I don't remember the reference now but a search for "Nginx PHP-FPM different servers" shows that it's the most common recommendation.  Maybe there is a better way to tell Nginx to try to forward the request anyway even if it doesn't exists locally.  If you come up with anything please share what you find.  Thanks!


----------



## pentago (Mar 8, 2015)

junovitch said:


> I don't remember the reference now but a search for "Nginx PHP-FPM different servers" shows that it's the most common recommendation.  Maybe there is a better way to tell Nginx to try to forward the request anyway even if it doesn't exists locally.  If you come up with anything please share what you find.  Thanks!


From what I see,  there's no clean solution for this.
Syncing files between jails is totally our if question for me, I'd rather go with jails containing both servers.

Thanks for suggestions!


----------



## Toast (Mar 10, 2015)

pentago said:


> Syncing files between jails is totally our if question for me, I'd rather go with jails containing both servers.


You could keep all your www files in one place then mount_nullfs(8) it into each jail.

```
mount_nullfs /usr/local/www <nginx jail 1>/usr/local/www
mount_nullfs /usr/local/www <nginx jail 2>/usr/local/www
mount_nullfs /usr/local/www <nginx jail 3>/usr/local/www
mount_nullfs /usr/local/www <php-fpm jail>/usr/local/www
```


----------



## junovitch@ (Mar 10, 2015)

pentago said:


> Syncing files between jails is totally our if question for me, I'd rather go with jails containing both servers.


Was that supposed to be "out of the question"?  If so I think the suggestion above for nullfs(5) is sound and does get around the pains of manually syncing things.  Security-wise it does give root in one jail the ability to remove or modify the files used by the other files if you use a read-write mount.  You can mitigate that be either using all read-only mounts or only using a read-write mount on say, the backend PHP jail, but not the front end WWW jails that are directly connected to the Internet.


----------



## kalleboy (Jul 29, 2022)

pentago said:


> I'm trying to test setup where i have multiple instances of www/nginx jails and each of them to have PHP backend which is separate jail to avoid creating multiple jails with both Nginx/PHP.
> 
> I set up php-fpm(8) jail pool to listen on 192.168.1.6:9000, set up Nginx jail to use that IP:PORT for PHP files but I can't make it to process PHP files.
> 
> Is this setup even possible?



I have the same problem, php-fpm in my jail always outputs "no input file specified", for all other nginx jails.

It's been many years passed since the original post here, and just kindly wanted to bump, thinking (actually hoping) something might have been changed. Any clue on this matter?

Best.


----------

