Articles, notes and random thoughts on Software Development and Technology
When you concatenated your SSL .crt intermediate and root certs together, it’s likely you ended up with lines line this:
—–END CERTIFICATE———-BEGIN CERTIFICATE—–
To fix this, manually edit to insert a newline between the end and begin like this, and you should be all set:
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Attempting to upload some new photos between around 3 to 5MB, the majority of the uploads failed, and this error was occurring repeatedly in my nginx error.log:
2018/08/06 07:18:37 [error] 43#0: *5 client intended to send too large body: 3125530 bytes
Based on this tip from here, the solution was to increase the default POST body size config with this setting in my nginx.conf:
client_max_body_size 5M;
I’m in the middle of migrating this existing site to Docker containers and moving to a new VPS host. Part of my motivation for the move is to capture the customized configs for each of the servers, so I can easily move the whole deployment between a test environment and a production deploy. What’s prompting this is the realization that the majority of the performance tweaks I made during the first native install I have captured in various blog posts here, but to recreate these install steps I would need to go back to each of those articles and get the details in order to repeat them elsewhere. That’s not a particularly repeatable process.
I’m close to switch from my current non-Docker install (here, as of 2/27/18) to my test install now running on Docker. I’ll share more about how that is configured in future posts, but I just wanted to capture one nginx + php5-fpm specific config that had me stumped for a few days.
There’s many options for configuring the worker processes for nginx and php5-fpm. php5-fpm itself has a number of modes that control how it manages it’s worker processes. By default the process manager is ‘dynamic’ (pm = dynamic). This creates processes to handle incoming requests based on the other related config options (max_children, start servers, min_spare_servers, max_spare_servers etc).
On my current site based on recommendations I changed this to pm = ondemand in order to minimize memory usage on my 512MB VPS. One other param though had an interesting effect:
pm.process_idle_timeout = 10s;
This keeps a process alive for an additional 10s after it’s finished the current request. This seems to have an impact on the responsiveness of the WordPress site, as without this there seems to be a noticeable lag of 3-4 seconds before responses start to come back to the browser, presumably because new worker processes are needed to restart to handle the next request – by keeping them up after the last request there no lag to restart a new process.
I was almost at the point of making a no-go decision based on the laggy performance, but adding this one param has fixed the laggy behavior, and now I’m looking all set. Given that I’ve jumped from a 512MB VPS to a 4GB VPS, I’m less concerned about keeping memory usage to a minimum this time so I haven’t changed from dynamic to ondemand in the Docker config for my new nginx + php5-fpm config, but this one param is worth knowing about.
Purchasing an SSL certificate requires creating a Certificate Signing Request (CSR) which you can do on your host using:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
When you purchase your certificate from your vendor, you’ll provide the text content from your CSR file. Once you have the certificate files (normally a .crt and a .key file), transfer them to your server, and place them somewhere like /etc/ssl-certs/.
In your /etc/nginx/nginx.conf (or /etc/nginx/sites-enabled/default), add to the server { } block:
server { listen 443 ssl; ssl on; ssl_certificate /etc/ssl-certs/yourdomain_com.crt; ssl_certificate_key /etc/ssl-certs/yourdomain.com.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; # rest of server config }
Restart nginx with:
sudo service nginx restart
This is documented in the nginx docs here.