PHP-FPM PHP crashing after switching to SSL/SPDY

I just finished moving my site over to SSL after following the Nginx/SSL/SPDY Centminmod guide.

Everything appears to be working great, but I've had PHP-FPM crash on me several times within a few minutes after the switch. It just hangs, while Nginx reports 502s. The first time, I wasn't sure what triggered it, the second time, I realized it crashed when I loaded the memcache stat page. Subsequent attempts to load the memcache stat page also crash PHP-FPM, requiring the service to be restarted.

I have checked /var/log/php-fpm/www-php.error.log, but there are no recent entries. How else can I troubleshoot this?

 

Thanks for the quick response! Here it is with my domain name replaced:

Code:

server
{
    listen        80;
    server_name    mydomain.net www.mydomain.net mydomain.com www.mydomain.com assets.mydomain.net;
    return         301 https://www.mydomain.net$request_uri;
}

server
{
        listen          443 ssl spdy;
        server_name     www.mydomain.net;
    access_log      /var/log/nginx/mydomain.access.log;
        error_log       /var/log/nginx/mydomain.error.log error;
        root            /home/mydomain/public;

    ssl_dhparam        /usr/local/nginx/conf/ssl/mydomain/dhparam.pem;
    ssl_certificate        /usr/local/nginx/conf/ssl/mydomain/ssl-unified.crt;
    ssl_certificate_key    /usr/local/nginx/conf/ssl/mydomain/www_mydomain_net.key;
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout    10m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA;
        ssl_prefer_server_ciphers    on;
        add_header    Alternate-Protocol    443:npn-spdy/3;
        add_header    Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header    X-Content-Type-Options "nosniff";
    add_header    X-Frame-Options DENY;
    spdy_headers_comp    0;
    ssl_buffer_size        4k;
   
    resolver        8.8.8.8;
    ssl_stapling        on;
    ssl_stapling_verify    on;
    ssl_trusted_certificate    /usr/local/nginx/conf/ssl/mydomain/ssl-trusted.crt;

        location /
        {
                try_files       $uri $uri/ /index.php?$uri&$args;

                # block spiders
        if ($http_user_agent ~* (baidu|yandex|ahref|seomoz|exabot|majestic12|ezooms|boardreader|mail.ru))
                {
                        return 403;
                }

    }

        location /forums
        {
                rewrite ^ /forum/ permanent;
        }

        location /premium
        {
                rewrite ^ /forum/account/upgrades permanent;
        }

    location /guides
        {
                # specific old game pages
                rewrite ~*^/guides/index.php/games([0-9])(.*)$ /library/games-$1/ permanent;

                # catch all other requests to the guides directory
                rewrite ~*^/guides(.*)$ /library/ permanent;
        }

    #### XENFORO  ####
    location /forum
        {
                # friendly urls
                try_files $uri $uri/ /forum/index.php?$uri&$args;
        }
    location /forum/internal_data
    {
        internal;
    }
    location /forum/library
    {
        internal;
    }

    #############################
    #### PRIVATE DIRECTORIES ####
    ############################# # protects WordPress admin
    location ~* /wp-login.php
    {
        auth_basic        "Restricted";
        auth_basic_user_file    /home/mydomain/htpasswd-xf;

        include /usr/local/nginx/conf/php.conf;
    }

    # protect XenForo public login
    location ~* /forum/admin.php
    {
        auth_basic        "Restricted";
        auth_basic_user_file    /home/mydomain/htpasswd-xf;

        include    /usr/local/nginx/conf/php.conf;
    }

    # protects the book manager's php files
    location ^~ /misc/bookmanager
    {
        # authentication code
        auth_basic        "Restricted";
        auth_basic_user_file    /home/mydomain/htpasswd-bookmanager;

        include /usr/local/nginx/conf/php.conf;
    }


    #####################
    #### MAINTENANCE ####
    #####################
    error_page      503     /maintenance/503.htm;

    location = /maintenance/503.htm
    {
        internal;
    }

    location ^~ /blocktest/
    {
        error_page 403 =503 /maintenance/503.htm;
        allow 10.0.0.1;
        deny all;
   
        include /usr/local/nginx/conf/php.conf;
    }


    #####################
    #### DEVELOPMENT ####
    #####################

    #### PROTECTED DEV DIRECTORY ####
    location ^~ /misc/dev
    {
        # protected with primary password file
        auth_basic        "Restricted";
        auth_basic_user_file    /home/mydomain/htpasswd-xf;
       
        # required for PHP to work in protected directory
        include /usr/local/nginx/conf/php.conf;
    }

     
    #### ESSENTIAL INCLUDES ####
        include /usr/local/nginx/conf/staticfiles.conf;
        include /usr/local/nginx/conf/php.conf;
        include /usr/local/nginx/conf/drop.conf;
    include /usr/local/nginx/conf/phpstatus.conf;
}

 

Thanks for the tip, I will change spdy_header_comp now. I haven't enabled the status page but will also set that up and share the stats here.

It just crashed again twice on me, still no errors. One time, though, I noticed it was triggered when I "previewed" a new blog post in WordPress, so it might have something in common with memcache.php.

Is there any way I can get some more descriptive error logs?

 

Here's the phpstatus:

Code:

pool: www
process manager: static
start time: 26/Feb/2015:08:35:20 +0000
start since: 2002
accepted conn: 35357
listen queue: 0
max listen queue: 78
listen queue len: 128
idle processes: 6
active processes: 2
total processes: 8
max active processes: 8
max children reached: 0
slow requests: 0

 

Thanks for the tip, I changed it and restarted.

Oddly enough, now I am able to view memcache stats and preview WordPress posts without PHP-FPM crashing... Hmmm...

I'm happy, but afraid to go to bed! Let's hope it holds out through the night.

 

Well, the server was up and down like a yo-yo all night. Despite logging set to debug, there were still no useful errors recorded in the PHP-FPM error log.

However, thanks to NewRelic, I was able to find correlation between the crashes and long delays loading external resources through XenForo's image proxy. I've had problems with the XF image proxy before, and I've always noticed it has been having trouble, but it seems the SSL transition is causing serious problems.

My forum is very high traffic and very image heavy, so I'm still not quite sure if the XF image proxy is up to the task. Really not sure what to do now, I will try out the XF support forums.

 

Yep! I suspected I might need to add more PHP-FPM processes, and I think I was right. I doubled max_children, start_servers, min_spare_servers, and max_spare_servers to 16 and set the max_requests to 500 and the problem has not happened since...

My XenForo thread: XF 1.4 - Image Proxy crashing PHP-FPM after moving to SSL | XenForo Community

 

No, it's still static...I just didn't think about the fact the other settings would not apply and changed everything.

Current phpstatus:

Code:

pool: www
process manager: static
start time: 26/Feb/2015:21:02:05 +0000
start since: 33391
accepted conn: 527796
listen queue: 0
max listen queue: 129
listen queue len: 128
idle processes: 14
active processes: 2
total processes: 16
max active processes: 16
max children reached: 0
slow requests: 0