Установка Nginx с PHP-FPM и Varnish на CentOS

Varnish Cache — ускоритель веб-приложений также известен как обратный прокси-сервер кэширования HTTP. Итак, вы хотите, чтобы ускорить свой сайт? Я покажу вам, как установить и настроить Varnish с Nginx и PHP-FPM на Centos.

Прежде всего скачайте и установите remi репо и epel репо для этого выполните.

Теперь установим PHP с часто используемыми модулями и PHP-FPM, для этого в терминале выполните:

# yum --enablerepo=remi install php php-fpm php-common php-mysql php-pdo php-pecl-apc php-cli php-mcrypt php-xml php-gd php-mbstring

Теперь нужно установить Nginx

# yum install nginx

Теперь необходимо отредактировать файл конфигурации PHP-FPM и изменить пользователя и группу для Nginx:

# ee /etc/php-fpm.d/www.conf

listen = /var/run/php-fpm/php-fpm.sock
user = nginx
group = nginx

Отредактируем файл конфигурации Nginx и установим (поменяем) порт на 8080, затем установить (пропишем) правильный путь к файлу сокету PHP-FPM:

# ee /etc/nginx/conf.d/linux-notes.org.conf

Содержание у меня следующее:

server {
listen *:8080;
#listen 127.0.0.1:8080 default; 
server_name linux-notes.org www.linux-notes.org;
#charset koi8-r;
access_log /var/log/nginx/access-linux-notes.org.log main;
error_log /var/log/nginx/error-linux-notes.org.log;
include conf.d/gzip.conf;
root /home/www/linux-notes/public_html;
index index.php index.html index.htm;

#errors
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html/;
}

location / {
try_files $uri $uri/ /index.php?$args;
} 
location ~ (xmlrpc.php|wp-config.php|wp-settings.php|readme.html|license.txt)$ {
return 404;
access_log off;
}
# PHP-FPM
# PHP scripts -> PHP-FPM server listening on 127.0.0.1:9000
location ~ \.php$ {
# The following line prevents malicious php code to be executed through some uploaded file (without php extension, like image)
# This fix shoudn't work though, if nginx and php are not on the same server, other options exist (like unauthorizing php execution within upload folder)
# More on this serious security concern in the "Pass Non-PHP Requests to PHP" section, there http://wiki.nginx.org/Pitfalls
try_files $uri =404;

# PHP 
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_pass 127.0.0.1:9000;
fastcgi_cache fastcgicache;
fastcgi_cache_valid any 1m;
fastcgi_cache_use_stale error timeout invalid_header http_500;

fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffers 4 256k;
fastcgi_buffer_size 128k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_keep_conn on;
#Помещать страницу в кеш, после 3-х использований. Меньшее число вызвало у меня труднообъяснимые глюки на формах регистрации
fastcgi_cache_min_uses 3;
#Кешировать перечисленные ответы
fastcgi_cache_valid 200 301 302 304 5m;
#Формат ключа кеша - по этому ключу nginx находит правильную страничку
fastcgi_cache_key "$request_method|$host|$request_uri";
}
#----------------------------------------------------------
# Define default caching of 24h
expires 86400s;
add_header Pragma public;
add_header Cache-Control "max-age=86400, public, must-revalidate, proxy-revalidate";

#подключения обработки Perl 
#Все скрипты заканчивающиеся на pl и cgi
# location ~ \.(pl|cgi)$
# {
# #Не сжимаем скрипты
# gzip off;
# try_files $uri =404;
# #Передаем скрипты на обработку fcgiwrap
# fastcgi_pass unix:/var/run/fcgiwrap.socket;
# # Используем стандартные параметры
# include /etc/nginx/fastcgi_params;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_ignore_client_abort off;
# }
##Замена апачевской ScriptAlias
# location /cgi-bin/ {
# gzip off;
# try_files $uri =404;
# root /var/www/;
# #fastcgi_pass 127.0.0.1:9000;
# fastcgi_pass unix:/var/run/fcgiwrap.socket;
# include /etc/nginx/fastcgi_params;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_ignore_client_abort off;
# }

#-------
# Rewrite for versioned CSS+JS via filemtime
location ~* ^.+\.(css|js)$ {
rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
expires 31536000s;
access_log off;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "max-age=31536000, public";
}

# Aggressive caching for static files
location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
expires 31536000s;
access_log off;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "max-age=31536000, public";
}
#----------------------------------------------------------
#/wordpress-w3-total-cache.conf
gzip on;
#gzip_types text/css application/x-javascript text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
#include conf.d/gzip.conf;
location ~ \.(css|js)$ {
expires max;
break;
}
location ~ \.(rtf|rtx|svg|svgz|txt|xsd|xsl|xml)$ {
expires 3600;
break;
}
location ~ \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|swf|tar|tif|tiff|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
expires max;
break;
}
add_header "X-UA-Compatible" "IE=Edge,chrome=1";
#---------------------------------------------------------- }

if ($request_method !~ ^(GET|POST|HEAD)$ ) {
return 444;
}

location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\.ht {
deny all;
access_log off;
log_not_found off;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
#access_log off;
#log_not_found off;
}
# deny access to WP config file and license.txt and readme.html files
location ~ /(\.|wp-config.php|readme.html|license.txt) {
deny all;
}
# deny access to .conf files
location ~* \.(conf)$ {
deny all;
}

# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;

# Uncomment one of the lines below for the appropriate caching plugin (if used).
include global/w3-total-cache.conf;

}
server {
listen 443;
server_name https://linux-notes.org https://www.linux-notes.org;
ssl on;
ssl_certificate /etc/nginx/ssl/linux-notes.org.crt;
ssl_certificate_key /etc/nginx/ssl/linux-notes.org.key;

ssl_session_timeout 5m;

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

#location / {
# #root html;
# root /home/www/linux-notes/public_html;
# index index.php index.html index.htm;
# }
#
#location ~ \.php$ {
# #root /usr/share/nginx/html;
# root /home/www/linux-notes/public_html;
# fastcgi_split_path_info ^(.+\.php)(.*)$;
# #fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
# include fastcgi_params;
# }
#}
access_log /var/log/nginx/access-linux-notes-SSL.org.log main;
error_log /var/log/nginx/error-linux-notes-SSL.org.log;
include conf.d/gzip.conf;
root /home/www/linux-notes/public_html;
index index.php index.html index.htm;

location / {
try_files $uri $uri/ /index.php?$args;
}

# PHP-FPM
# PHP scripts -> PHP-FPM server listening on 127.0.0.1:9000
location ~ \.php$ {
# The following line prevents malicious php code to be executed through some uploaded file (without php extension, like image)
# This fix shoudn't work though, if nginx and php are not on the same server, other options exist (like unauthorizing php execution within up load folder)
# More on this serious security concern in the "Pass Non-PHP Requests to PHP" section, there http://wiki.nginx.org/Pitfalls
try_files $uri =404; 
# PHP 
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffers 4 256k;
fastcgi_buffer_size 128k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k; 
}
#----------------------------------------------------------
# Define default caching of 24h
expires 86400s;
add_header Pragma public;
add_header Cache-Control "max-age=86400, public, must-revalidate, proxy-revalidate"; 
# Rewrite for versioned CSS+JS via filemtime
location ~* ^.+\.(css|js)$ {
rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
expires 31536000s;
access_log off;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "max-age=31536000, public";
}

# Aggressive caching for static files
location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
expires 31536000s;
access_log off;
log_not_found off;
add_header Pragma public;
add_header Cache-Control "max-age=31536000, public";
}
#----------------------------------------------------------
#/wordpress-w3-total-cache.conf
gzip on;
gzip_types text/css application/x-javascript text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
location ~ \.(css|js)$ {
expires max;
break;
}
location ~ \.(rtf|rtx|svg|svgz|txt|xsd|xsl|xml)$ {
expires 3600;
break;
}
location ~ \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|swf|tar|tif|tiff|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
expires max;
break;
}
add_header "X-UA-Compatible" "IE=Edge,chrome=1";
#----------------------------------------------------------
location ~ /(\.|wp-config.php|readme.html|license.txt) {
return 404;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ /\.ht {
deny all;
access_log off;
log_not_found off;
}

}

Установим varnish на CentOS

Для того чтобы это сделать нужно добавить репозиторий и выполнить yum команду для установки, сделать это можно так:

Если вы находитесь на совместимый дистрибутив, используйте:

# yum install epel-release

Добавляем репозиторий:

# cd usr/local/src && rpm --nosignature -i https://repo.varnish-cache.org/redhat/varnish-4.1.el7.rpm

Для

# cd usr/local/src && rpm --nosignature -i https://repo.varnish-cache.org/redhat/varnish-4.1.el6.rpm

И собственно, выполняем установку:

# yum install varnish varnish-libs varnish-libs-devel

Нужно поправить файл конфигурации  ваниша и задать ему порт 80:

# vim /etc/sysconfig/varnish

Приводим к виду:

#VARNISH_LISTEN_PORT=80
#VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
DAEMON_OPTS="-a 31.187.70.238:80 \
 -T localhost:6082 \
 -f /etc/varnish/default.vcl \
 -S /etc/varnish/secret \
 -p thread_pools=4 \
 -p thread_pool_max=1500 \
 -p listen_depth=2048 \
 -p lru_interval=1800 \
 -h classic,169313 \
 -p obj_workspace=4096 \
 -p connect_timeout=600 \
 -p max_restarts=6 \
 -s file,512M,/var/lib/varnish/varnish_storage.bin" 
 
#-s malloc,512m"

ПРИМЕЧАНИЕ: Значение Malloc является «Выделить блок памяти», по этому добавим данный блок памяти:

# vim /etc/varnish/varnish.params

И пропишем:

# Varnish environment configuration description. This was derived from
# the old style sysconfig/defaults settings

# Set this to 1 to make systemd reload try to switch VCL without restart.
RELOAD_VCL=1

# Main configuration file. You probably want to change it.
VARNISH_VCL_CONF=/etc/varnish/default.vcl

# Default address and port to bind to. Blank address means all IPv4
# and IPv6 interfaces, otherwise specify a host name, an IPv4 dotted
# quad, or an IPv6 address in brackets.
VARNISH_LISTEN_ADDRESS=31.187.70.238
VARNISH_LISTEN_PORT=80
 
# Admin interface listen address and port
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082

# Shared secret file for admin interface
VARNISH_SECRET_FILE=/etc/varnish/secret

# Backend storage specification, see Storage Types in the varnishd(5)
# man page for details.
VARNISH_STORAGE="malloc,512M"

VARNISH_TTL=120

# User and group for the varnishd worker processes
VARNISH_USER=varnish
VARNISH_GROUP=varnish

# Other options, see the man page varnishd(1)
#DAEMON_OPTS="-p thread_pool_min=5 -p thread_pool_max=500 -p thread_pool_timeout=300"
#

Отредактируем стандартный конфиг и добавим некоторые изменения:

# vim /etc/varnish/default.vcl

 

Меняем на:

#
# This is an example VCL file for Varnish.
#
# It does not do anything by default, delegating control to the
# builtin VCL. The builtin VCL is called when there is no explicit
# return statement.
#
# See the VCL chapters in the Users Guide at https://www.varnish-cache.org/docs/
# and https://www.varnish-cache.org/trac/wiki/VCLExamples for more examples.

# Marker to tell the VCL compiler that this VCL has been adapted to the
# new 4.0 format.
vcl 4.0;

# Default backend definition. Set this to point to your content server.
backend default {
 .host = "127.0.0.1";
 #.host = "31.187.70.238";
 .port = "8080";
 .probe = {
 .url = "/";
 .interval = 5s;
 .timeout = 1s;
 .window = 5;
 .threshold = 3;
 } 
}

sub vcl_recv {
 # Happens before we check if we have this in cache already.
 #
 # Typically you clean up the request here, removing cookies you don't need,
 # rewriting the request, etc.
}

sub vcl_backend_response {
 # Happens after we have read the response headers from the backend.
 #
 # Here you clean the response headers, removing silly Set-Cookie headers
 # and other mistakes your backend does.
 set beresp.ttl = 10s;
 set beresp.grace = 1h;
 
 # For static content strip all backend cookies and push to static storage
 if (bereq.url ~ "\.(css|js|png|gif|jp(e?)g)|swf|ico") {
 unset beresp.http.cookie;
 set beresp.storage_hint = "static";
 set beresp.http.x-storage = "static";
 } else {
 set beresp.storage_hint = "default";
 set beresp.http.x-storage = "default";
 }
}

sub vcl_deliver {
 # Happens when we have all the pieces we need, and are about to send the
 # response to the client.
 #
 # You can do accounting or modifying the final object here.
}

Вот готовый конфиг, у меня выглядит следующим образом (скачайте его, при необходимости):

# wget linux-notes.org/wp-content/uploads/files/varnish/default.vcl

Или просмотреть его можно тут:
default.vcl

Если вы хотите внести изменения в конфигурацию лаком, проверить изменения конфигурации до перезагрузки лак с помощью следующей команды:

# varnishd -C -f /etc/varnish/default.vcl

И еще один тест:

# varnishd -F -f /etc/varnish/default.vcl

bind(): Address already in use
bind(): Address already in use
child (181964) Started
Child (181964) said Child starts

Проверим на корректную работу:

# varnishadm debug.health

и

# GET -HHost:31.187.70.238 http://linux-notes.org -ds

200 OK

Включим логирование для ваниша: Логи важны для любой службы, поэтому мы включим ведение журнала. На примере CentOS 7.

Перезапуск varnishncsa.

# systemctl restart varnishncsa

Перезапуск varnishlog.

# systemctl restart varnishlog

Вы должны увидеть два лог-файла:

#  ls -l /var/log/varnish/ 
total 0
-rw-r--r-- 1 root root 0 May 31 19:17 varnish.log
-rw-r--r-- 1 root root 0 May 31 19:17 varnishncsa.log

Добавим еще 1 лог файл:

# varnishncsa -a -w /var/log/varnish/access.log -D -P /var/run/varnishncsa.pid

Теперь вы готовы пойти, начать PHP-FPM, Nginx и ваниш.

Для CentOS/RHEL 6.x и так же Fedora от 15 до 20:

# service php-fpm restart
# service nginx restart
# service varnish restart

Добавим ваниш в автозагрузку системы следующей командой:

# chkconfig --level 345 varnish on

Для CentOS/RHEL 7.x и Fedora 21

# systemctl restart varnish
# systemctl status varnish

Добавим ваниш в автозагрузку системы следующей командой:

# system enable varnish

Добавим (пробросим) нужные порты в iptables:

# vim /etc/sysconfig/iptables

Добавляем

-A INPUT -m state --state NEW -m tcp -p tcp --dport YOUR_PORT -j ACCEPT
-A OUTPUT -m state --state NEW -m tcp -p tcp --dport YOUR_PORT -j ACCEPT

Сохраняем файл и перезапускаем iptables:

# service iptables restart

Настроим SELinux ( розрешим подключение на определенный порт):

# vim /etc/selinux/config

[...]
SELINUX=permissive
[...]

Если Вы хотите добавить сервисы nginx php-fpm в автозагрузку, то прочитайте мою статью. На этом установка Nginx с PHP-FPM и Varnish на CentOS завершена.