DevToolbox

Nginx PHP-FPM Proxy Configuration

Configure Nginx to process PHP files through PHP-FPM using the FastCGI protocol. Includes Unix socket vs TCP setup, security hardening, and caching.

Proxy

Detailed Explanation

Nginx does not process PHP natively. Instead, it forwards PHP requests to PHP-FPM (FastCGI Process Manager) using the FastCGI protocol. This architectural separation provides better performance and security compared to Apache's embedded mod_php approach.

Basic PHP-FPM Configuration

server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Socket vs TCP

PHP-FPM can listen on a Unix socket or a TCP port. Unix sockets are faster for same-machine communication because they bypass the entire TCP/IP networking stack. TCP connections are necessary when PHP-FPM runs on a different server or inside a separate Docker container.

# Unix socket (same machine, lower latency)
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;

# TCP (remote server or Docker container)
fastcgi_pass 127.0.0.1:9000;

Security: Preventing Arbitrary File Execution

A critical security measure is preventing Nginx from passing requests for non-existent PHP files to PHP-FPM, which could allow path traversal attacks:

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

The try_files $uri =404 line ensures Nginx only passes the request to PHP-FPM if the file actually exists on disk.

FastCGI Caching

Nginx can cache responses from PHP-FPM to dramatically reduce PHP processing load for frequently accessed pages:

fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=phpcache:10m max_size=1g;

location ~ \.php$ {
    fastcgi_cache phpcache;
    fastcgi_cache_valid 200 5m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";
}

Denying Direct Access to Sensitive Files

Block access to configuration files, dotfiles, and other sensitive resources that should never be served directly to clients:

location ~ /\. { deny all; }
location ~ /(wp-config|config)\.php$ { deny all; }

This prevents attackers from reading files that typically contain database credentials, API keys, or other application secrets.

Use Case

You are deploying a PHP application like WordPress, Laravel, or Drupal and need Nginx to forward PHP requests to PHP-FPM for processing.

Try It — Nginx Config Generator

Open full tool

Related Topics

Nginx Reverse Proxy Setup

Proxy

Nginx Static File Serving Configuration

Performance

Nginx Location Block Matching Rules

Routing

Nginx Security Headers (CSP, HSTS, X-Frame)

Security

Nginx in Docker Configuration

Setup