9

If using nginx + php-fpm, does nginx need to have access to the php files?

Context: building a kuberentes pod, with two containers: nginx and php-fpm, we can built the php code into php-fpm container. It's possible to share the php files with volumes, but is it really needed?

Please correct my understanding: nginx will just forward a pre-processed request to php-fpm (using fast-cgi protocol) which will execute the script. So php-fpm needs to read php files. However I don't see the reason why would nginx need to, apart from checking if script is found or not. It could send the script name to php-fpm without accessing the php file.

Thanks

user455729
  • 91
  • 1
  • 2

2 Answers2

5

No, it doesn't need access to the files unless you use try_files. You can safely use a remote socket as upstream without needing to populate the files on the nginx container. php-fpm uses the fcgi protocol which passes the path of the file to process as the SCRIPT_NAME and SCRIPT_FILENAME fcgi parameters.

Andrew Domaszek
  • 5,163
  • 1
  • 15
  • 27
4

In the standard nginx and php-fpm design try_files checks for the existence of a file and then sends the file path to php-fpm over a TCP/IP or unix socket for execution so nginx needs to be able to see the file - nginx is the file server whether the file is a static html file or a script, and php-fpm is the processor in this case.

Simon Greenwood
  • 1,363
  • 9
  • 12
  • So nginx needs access to find the file, but it doesn't need to be able to read it. – wurtel Feb 08 '18 at 10:38
  • The nginx user would need the read right to be able to pass the file if that's what you mean. – Simon Greenwood Feb 08 '18 at 11:04
  • 1
    nginx does not send the file (as in contents) over a socket to PHP-FPM. It merely sends the path+filename. – Tero Kilkanen Feb 08 '18 at 22:12
  • 1
    Corrected, but doesn't that mean you can't have nginx and PHP-FPM in separate pods as the questioner is conceiving without having the PHP files mounted in the same location? – Simon Greenwood Feb 08 '18 at 23:15
  • 1
    @SimonGreenwood no. It only needs to KNOW the path that is valid for fpm. You can absolutely do `fastcgi_param SCRIPT_FILENAME /var/www/index.php;`, even if that path does not exist in nginx's pod. – istepaniuk Jun 16 '23 at 23:26