Here is how to enable the Nginx PHP-FPM status page on an Ubuntu server instance running on HP Cloud. Enabling ping is different from enabling status. We have discussed in detail how to enable ping on Nginx with PHP-FPM running on an Ubuntu server instance on HP Cloud. That guide is mandatory reading before this guide on how to enable the Nginx PHP-FPM status page.
Enable Nginx PHP-FPM Status Page (Ubuntu, HP Cloud) : Security Matters
Unless you have a good grasp of routers, subnets and firewalls in general, you probably should not attempt to enable the Nginx PHP-FPM status page.
We do not need the status page to be open to the whole world. So, ping should be configured separately from the status page, so that others cannot access the status page. Most guide websites misdirect readers by mixing both into one single guide. That is not the right idea.
---
Steps To Enable Nginx PHP-FPM Status Page (Ubuntu, HP Cloud)
Again, you must read the guide on how to enable ping on Nginx with PHP-FPM running on an Ubuntu server instance on HP Cloud. We assume that you have enabled ping by following the previous guide.
For a standard PHP5 FPM-Nginx setup, we need to configure two files for a correct Ping response. You need to uncomment (remove the `;` from) this line in the /etc/php5/fpm/pool.d/www.conf file:

```
pm.status_path = /status
```

The documentation written in that file reads like this:

```
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
;   http://www.foo.bar/status
;   http://www.foo.bar/status?json
;   http://www.foo.bar/status?html
;   http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
;   http://www.foo.bar/status?full
;   http://www.foo.bar/status?json&full
;   http://www.foo.bar/status?html&full
;   http://www.foo.bar/status?xml&full
; The Full status returns for each process:
;   pid                  - the PID of the process;
;   state                - the state of the process (Idle, Running, ...);
;   start time           - the date and time the process has started;
;   start since          - the number of seconds since the process has started;
;   requests             - the number of requests the process has served;
;   request duration     - the duration in µs of the requests;
;   request method       - the request method (GET, POST, ...);
;   request URI          - the request URI with the query string;
;   content length       - the content length of the request (only with POST);
;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
;   script               - the main script called (or '-' if not set);
;   last request cpu     - the %cpu the last request consumed
;                          it's always 0 if the process is not in Idle state
;                          because CPU calculation is done when the request
;                          processing has terminated;
;   last request memory  - the max amount of memory the last request consumed
;                          it's always 0 if the process is not in Idle state
;                          because memory calculation is done when the request
;                          processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
;   ************************
;   pid:                  31330
;   state:                Running
;   start time:           01/Jul/2011:17:53:49 +0200
;   start since:          63087
;   requests:             12808
;   request duration:     1250261
;   request method:       GET
;   request URI:          /test_mem.php?N=10000
;   content length:       0
;   user:                 -
;   script:               /home/fat/web/docs/php/test_mem.php
;   last request cpu:     0.00
;   last request memory:  0
;
; Note: There is a real-time FPM status monitoring sample web page available
;       It's available in: ${prefix}/share/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
```
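
The field list in those comments shows why the page must stay private. The following added example (not part of the original guide or of PHP-FPM) parses the `?full` text format and returns what a reader of the page learns about other visitors' requests, plus the pool counters that signal worker exhaustion. The sample output, its values and the function names are constructed for illustration.

```python
import re

# Constructed, shortened sample of `/status?full` text output (values invented;
# field names are the ones listed in the www.conf comments above).
SAMPLE = """\
pool:                 www
listen queue:         3
active processes:     2
total processes:      2
max children reached: 1
************************
pid:                  31330
state:                Running
request URI:          /reset.php?token=EXAMPLE-TOKEN
user:                 -
script:               /var/www/reset.php
************************
pid:                  31331
state:                Idle
request URI:          /index.php
user:                 alice
script:               /var/www/index.php
"""

SENSITIVE = ("request URI", "user", "script")  # fields describing visitors' requests

def parse_status(text):
    """Return (pool summary dict, list of per-process dicts)."""
    blocks = []
    for section in re.split(r"^\*+\s*$", text, flags=re.M):
        fields = {}
        for line in section.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        blocks.append(fields)
    return blocks[0], [b for b in blocks[1:] if b]

def exposed(processes):
    """What any client able to read the page learns about other users' requests."""
    return [{k: p[k] for k in SENSITIVE if p.get(k, "-") != "-"} for p in processes]

def saturation(pool):
    """Summary counters that show the pool ran out of workers."""
    watch = ("listen queue", "max children reached")
    return {k: int(pool[k]) for k in watch if int(pool.get(k, 0)) > 0}
```
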
Others should never be able to view the output. Ping, on the other hand, is an open matter. So, we need to enable status separately from ping. Opening status widely will invite more trouble. In the Nginx site-specific file (/etc/nginx/sites-available/default):

```
location /status {
    access_log off;
    allow 127.0.0.1;
    # allow sub.net.ip;
    deny all;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
```
Now restart the services:

```
service php5-fpm restart
# test the Nginx configuration first; restart only if it is valid
nginx -t && service nginx restart
```
We are using a UNIX socket. If you have not configured a UNIX socket and are using TCP/IP, you should pass:

```
fastcgi_pass 127.0.0.1:9000;
```

instead of

```
fastcgi_pass unix:/var/run/php5-fpm.sock;
```
Now, if we SSH into the server and run cURL or wget:

```
# for HTTPS
curl -k https://127.0.0.1/status
# for non HTTPS
curl -k http://127.0.0.1/status
```
You should be able to view the response:

```
pool:                 www
process manager:      dynamic
start time:           22/Mar/2015:10:02:29 +0000
start since:          145
accepted conn:        42
listen queue:         0
max listen queue:     0
listen queue len:     0
idle processes:       2
active processes:     1
total processes:      3
max active processes: 2
max children reached: 0
slow requests:        0
```
Obviously, if you want to do the request from the 10.0.0.30 subnet, then:

```
location /status {
    access_log off;
    allow 127.0.0.1;
    allow 10.0.0.30;
    deny all;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
```
This is useful because, with the JSON output, we can create a graph. If you run the same cURL with the domain name or from your local computer, you'll get a 403 Forbidden response:

```
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
```
This is exactly the setup we wanted for security. I will not get this 403 Forbidden for ping:

```
➜ Desktop curl -I https://thecustomizewindows.com/ping
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 22 Mar 2015 10:08:50 GMT
Content-Type: text/plain
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Expires: Sat, 16 Jan 2016 10:08:50 GMT
Cache-Control: max-age=25920000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Public-Key-Pins: pin-sha256="cTvjlwJ90gznKckrq+Le+9w5ncyKFwzLJOkgMBNoX2M="; max-age=5184000; includeSubDomains
Cache-Control: Public
Alternate-Protocol: 443:npn-spdy/3
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```
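
One way to check the allow/deny rules of the `/status` location before reloading Nginx, as an added example that is not part of the original guide or of Nginx itself. The function name and both sample configurations are constructed for illustration; the first mirrors the restricted block above, the second omits `deny all`.

```python
import ipaddress
import re

# Constructed sample configs: RESTRICTED mirrors the guide's block,
# OPEN shows the mistake of leaving out "deny all".
RESTRICTED = """
location /status {
    access_log off;
    allow 127.0.0.1;
    allow 10.0.0.30;
    deny all;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
}
"""
OPEN = """
location /status {
    allow 127.0.0.1;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
}
"""

def audit_status_location(conf, path="/status"):
    """Return a list of findings for the `location <path>` block; empty means OK."""
    m = re.search(r"location\s+(?:=\s*)?" + re.escape(path) + r"\s*\{([^{}]*)\}", conf)
    if not m:
        return ["no location block for " + path]
    # Drop comments, then keep allow/deny in file order: nginx applies the
    # first rule that matches the client address.
    body = re.sub(r"#[^\n]*", "", m.group(1))
    rules = re.findall(r"\b(allow|deny)\s+([^;\s]+)\s*;", body)
    findings = []
    if ("deny", "all") not in rules:
        findings.append("missing 'deny all': every client is allowed")
    for i, (action, target) in enumerate(rules):
        if action != "allow":
            continue
        if ("deny", "all") in rules[:i]:
            findings.append(f"'allow {target}' after 'deny all' never matches")
        if target == "all":
            findings.append("'allow all' exposes the status page")
            continue
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            findings.append(f"allow target is not an IP or CIDR, review: {target}")
            continue
        if not (net.is_loopback or net.is_private):
            findings.append(f"public address allowed: {target}")
    return findings
```
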
You will understand the security flaws of using these settings on a non-enterprise-grade web host. If these were safer for ordinary hosts, both PHP-FPM and Nginx would add them by default. Followers of the guide will complain of errors as the main physical router slowly blocks the IPs. That will never happen with HP Cloud.
If, on an ordinary host, you can check the status using the domain name, know this clearly: your DNS servers are suboptimally configured or the ingress and egress policies are wide open, and you can become a victim of a MITMA. Status is more dangerous than ping. We have that router, which helps us control some attacks by default. With Nginx, we added only slight protection; it is not fully safe if the server is compromised.
Now, we can create a realtime graph in a physically existing location and access it via browser with credentials.