php-fpm uses too much cpu

namhuy Member

I have been trying to reduce php-fpm's usage but no luck so far, I need help guys

pm = dynamic
pm.max_children = 20
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 10
pm.max_requests = 100

Comments

  • Mun Member

    What are you running and have you checked your logs? Debian has them usually in /var/log/nginx/access.log or in a place you stated in your vhost file.

  • namhuy Member

    varnish/nginx/php-fpm/mysql/memcached. I turned off the nginx access log. Let me turn it on and let's see what's in the log.

  • namhuy Member

    portion of access log http://pastebin.com/yBjzYsbc

  • alexvolk Member
    edited May 2014

    @namhuy said:
    portion of access log http://pastebin.com/yBjzYsbc

    somebody is scanning your site with acunetix security scanner.

  • namhuy Member

    lol is there any way to stop it? btw I have plenty of ram but php-fpm only uses cpu :(

  • @namhuy said:
    lol is there any way to stop it? btw I have plenty of ram but php-fpm only uses cpu :(

    IPTables, block the Acunetix range if you don't want it on your network.

  • namhuy Member

    uhmmm, a little problem here, nginx log gives me 127.0.0.1 ip...

  • nunim Member

    Using an opcode cache like APC or xCache is a great way to lower PHP cpu usage.

  • namhuy Member

    I do have zend opcache running since I use php 5.5

  • sleddog Member

    You can also set fastcgi_intercept_errors on and configure an nginx error_page 404 so that every one of those 404's isn't served by a fat Wordpress process.

  • Mun Member

    As well as Quick Cache for WordPress.

  • namhuy Member
    edited May 2014

    Somehow the spike has stopped now, I guess somebody was scanning my website :( Is there any way to block scanners with nginx? I tried to deny user_agent in nginx but it does not help

  • wojons Member

    It sounds like you have varnish; that is the reason why your nginx logs are showing 127.0.0.1, because varnish is not giving the proxied IP to nginx for whatever reason. You may have to configure it. If this was raw nginx you would see their IP and be able to block them.

  • Rallias Member

    namhuy said: uhmmm, a little problem here, nginx log gives me 127.0.0.1 ip...

    http://nginx.org/en/docs/http/ngx_http_realip_module.html

  • Jylee Member, Host Rep

    Change pm = dynamic to pm = static and it won't create so many processes, but it does not help to stop scanning...

  • namhuy Member

    I set the realip module for cloudflare, now I only see cloudflare ips. In the cloudflare panel I see 7,458 threats yesterday, but cloudflare didn't do anything to stop the scanning even though cloudflare sees scanning as threats. I'm starting to dislike cloudflare already

  • CSharp Member

    @namhuy said:
    I set the realip module for cloudflare, now I only see cloudflare ips. In the cloudflare panel I see 7,458 threats yesterday, but cloudflare didn't do anything to stop the scanning even though cloudflare sees scanning as threats. I'm starting to dislike cloudflare already

    Try doing this: https://support.cloudflare.com/hc/en-us/articles/200170706-Does-CloudFlare-have-an-IP-module-for-Nginx-

  • namhuy Member

    This is the nginx ngx_http_realip_module, which I said I set up; with it I see only cloudflare's ips instead of 127.0.0.1

  • CSharp Member

    @namhuy said:
    This is the nginx ngx_http_realip_module, which I said I set up; with it I see only cloudflare's ips instead of 127.0.0.1

    Then probably nginx is not receiving the "CF-Connecting-IP" header from Varnish, I can't really help more as I never used Varnish.

  • Just to verify, the module is baked into your version of NGINX?

  • aolee Member
    edited May 2014

    you tried playing around with the config? like try changing

    pm = dynamic

    to

    pm = ondemand

  • What kind of traffic are we talking about OP? At high stress traffic Apache will outperform Nginx on PHP/dynamic content. What are the specs of your box?

  • namhuy Member
    edited May 2014

    Not much traffic: cloudflare/varnish/nginx/mysql setup with ~2k wordpress traffic daily. 2gb ram with 4 vcpu openvz. I always have 1gb ram free, but when somebody scans my website php-fpm uses lots of cpu even though there is plenty of free ram. I managed to make varnish show the real incoming ip from cloudflare and blacklist that IP. But.. you know I can't always check stats to block the scanner ip in time.

    I do have iptables, but since I must fully allow cloudflare ip ranges, I don't have much control over http traffic from cloudflare
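
The two problems raised in the thread so far (nginx logging only the proxy address, and spotting a scanner without watching stats by hand) can be handled together. The following is an added example, not code from any poster: it resolves the client address from the forwarded chain, trusting it only when it arrives through a known proxy, then flags clients whose requests are mostly 404s. The log format, the trusted ranges, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed log_format (hypothetical): $remote_addr "$http_x_forwarded_for" "$request" $status
LINE = re.compile(r'^(\S+) "([^"]*)" "[^"]*" (\d{3})$')
# Trusted proxies: local Varnish plus a constructed range standing in for the CDN's.
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "198.51.100.0/24")]

def is_trusted(hop):
    try:
        addr = ipaddress.ip_address(hop)
    except ValueError:
        return False  # unparsable hop: never trusted
    return any(addr in net for net in TRUSTED)

def client_ip(peer, xff):
    """Walk X-Forwarded-For plus the TCP peer right to left and return the
    first untrusted hop, so a header sent by an untrusted peer is ignored."""
    chain = [h.strip() for h in xff.split(",") if h.strip() not in ("", "-")]
    chain.append(peer)
    for hop in reversed(chain):
        if not is_trusted(hop):
            return hop
    return chain[0]  # every hop is a trusted proxy

def flag_scanners(lines, min_404=3, ratio=0.5):
    """Return {client_ip: 404_count} for clients whose requests are mostly 404s."""
    total, missing = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        peer, xff, status = m.groups()
        ip = client_ip(peer, xff)
        total[ip] += 1
        missing[ip] += status == "404"
    return {ip: n for ip, n in missing.items()
            if n >= min_404 and n / total[ip] >= ratio}

def _line(xff, path, status):  # builds one constructed sample log line
    return f'127.0.0.1 "{xff}" "GET {path} HTTP/1.1" {status}'

SAMPLE = (  # constructed: one probing client, one ordinary visitor
    [_line("203.0.113.9, 198.51.100.7", p, 404) for p in ("/a.bak", "/old.zip", "/t.php")]
    + [_line("203.0.113.9, 198.51.100.7", "/", 200)]
    + [_line("192.0.2.44, 198.51.100.7", p, 200) for p in ("/", "/about/")]
    + [_line("192.0.2.44, 198.51.100.7", "/favicon.ico", 404)]
)

if __name__ == "__main__":
    print(flag_scanners(SAMPLE))
```

Walking the chain from the right is the same idea as nginx's real_ip_recursive: an address prepended to the header by the client never becomes the logged or blocked address.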

  • Sorry to revive this old thread, one of my servers has been hit recently too (lots of meaningless queries sent to Wordpress) and the CPU usage went to like 14 or 15.

    What I did was to block the IP at the Cloudflare level and CPU usage came down almost immediately:

    https://support.cloudflare.com/hc/en-us/articles/200171326-Where-can-I-find-the-IP-addresses-I-ve-blocked-

    Good luck.

  • @zhuanyi how did you check the queries sent?

  • In the access log, I have configured the format in Nginx to show the incoming page and it was directly pointing to search?query=some random garbage....

  • @zhuanyi said:

    Not very hard. Use fail2ban.

  • msg7086 said: Not very hard. Use fail2ban.

    I might be wrong but f2b consumes even more memory and CPU?

  • Try change 'pm = dynamic' to 'pm = ondemand' and then restart php-fpm.

  • Turning on 'Under attack' mode in Cloudflare will also help avoid kiddies scanning/pingbacks etc. It does require legit traffic to wait a couple of seconds in order to visit the website. Pretty sure most people are familiar with it since a lot of sites have it on by default.
