pfSense web control panel and funky Nginx + php-fpm processes

I had considered making a bug report on pfSense’s website to address this, but decided against it – as it is more or less a nitpick issue rather than a bug or suggestion.

As a preface, pfSense ships with Nginx and php-fpm out of the box with some really funky settings. nginx does not utilize the auto feature for max_processes within the nginx.conf [global] directive. The same applies to the php-fpm process.max directive – it is hard-coded and effectively overrides the pm (process manager) inputs. Things here and there are hard-coded at spurious values, and do not respect the max processes directive in the System / Advanced / Admin Access / Max Processes input. Granted, the changes below also further separate from the max processes directive on the web UI! 🙂

So prep your favorite SSH application, and log in to the pfSense console!

PHP-FPM Edits…

Input nano /etc/rc.php_ini_setup – this is where php-fpm and other PHP variables are set. We’ll edit this section first.

Go to line 281, it should be where process.max is declared. Set the value to 0 like so: process.max = 0 – there is absolutely no need to have this value capped (this is done at the pm level!).

Go to line 301, this is where things get a little jankier with what I’ve done. I do not want to revoke too many lines from the config, so things are predominantly edited in place.

Set the integer on line 301 from 350 to 64999. Set the integer on line 310 from 1000 to 65000. If you have a pfSense install with more than 64GB of RAM, color me surprised.

Now, replace the content of lines 304 to 307 with the following details (we’re overriding the hardcoded stuff on lines 252 to 268).

pm = ondemand
pm.process_idle_timeout = 10s
pm.max_children = 128
pm.max_requests = 500

This now will force php-fpm to dynamically spawn a php-fpm process as needed when a client connects to the web configurator panel. Unused processes are then expired after 10 seconds – you can bump this to 60s if desired.

If desired, you can duplicate the ondemand stuff above into the elif [ $REALMEM -gt 65000 ]; then section, and then edit the pm.* options accordingly to have desired increased values.

NGINX Edits…

This part is a bit more tricky to deal with as it requires some poking and prodding with various .conf files. Within system.inc we can see on line 1194 that the web configurator invokes a full regeneration of the nginx config files from {$g['varetc_path']}/nginx-webConfigurator.conf.

However, editing that file is a no go as it is then generated via the function on line 1321 from system.inc. As the web GUI does not permit the auto option as a valid input right now, we are left doing the following… a hard-coded option (yuck!).

Go to line 1402, replace worker_processes {$max_procs}; with worker_processes auto;

Is this ugly? Oh yes – very ugly edit.

Wrap it all up…

Once both edits have been completed, save the files, exit out of the bash terminal, and get back to the main menu of the SSH session.

Input option 11. Press enter.

Input option 16. Press enter.

You now have tamed the php-fpm processes and Nginx max processes. Memory footprint should be decreased at this point with php-fpm, and normalized memory consumption with nginx processes (Captive Portal, Web Configurator).

General Notes

  • Will these changes persist on a pfSense update/upgrade?
    95% of these changes will be wiped when an upgrade occurs. You will need to go through and edit manually again.
  • Is there a performance hit?
    No. If anything, the web UI has gotten even faster on loading up.
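
Because an upgrade wipes most of these edits, a quick check can report which ones are still in place. The script below is an added example, not part of the original post or of pfSense itself. It assumes the settings appear in the files as literal lines like those shown above; the file paths are passed as arguments, and the script name check.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not pfSense code): report which edits from this page are
# still present, e.g. after an upgrade has replaced the files.

missing=0

# expect LABEL FILE REGEX: ok if an uncommented line in FILE starts with REGEX
expect() {
    if grep -Eq "^[[:space:]]*$3" "$2" 2>/dev/null; then
        echo "ok       $1"
    else
        echo "MISSING  $1"
        missing=$((missing + 1))
    fi
}

# check_tuning PHP_SETUP SYSTEM_INC: sets $missing, returns 1 if any edit is gone
check_tuning() {
    missing=0
    expect 'process.max = 0'         "$1" 'process\.max[[:space:]]*=[[:space:]]*0[[:space:]]*$'
    expect 'pm = ondemand'           "$1" 'pm[[:space:]]*=[[:space:]]*ondemand'
    expect 'pm.process_idle_timeout' "$1" 'pm\.process_idle_timeout[[:space:]]*=[[:space:]]*[0-9]+s'
    expect 'pm.max_children'         "$1" 'pm\.max_children[[:space:]]*=[[:space:]]*[0-9]+'
    expect 'pm.max_requests'         "$1" 'pm\.max_requests[[:space:]]*=[[:space:]]*[0-9]+'
    expect 'worker_processes auto'   "$2" 'worker_processes[[:space:]]+auto;'
    [ "$missing" -eq 0 ]
}

# Constructed sample input: a setup file with the php-fpm edits applied and a
# system.inc fragment that has been reverted to the stock worker_processes line.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'process.max = 0' 'pm = ondemand' \
        'pm.process_idle_timeout = 10s' 'pm.max_children = 128' \
        'pm.max_requests = 500' > "$d/rc.php_ini_setup"
    printf '%s\n' 'worker_processes {$max_procs};' > "$d/system.inc"
    check_tuning "$d/rc.php_ini_setup" "$d/system.inc"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# On the firewall (hypothetical script name; supply the real system.inc path):
#   sh check.sh /etc/rc.php_ini_setup /path/to/system.inc
if [ "$#" -eq 2 ]; then check_tuning "$1" "$2"; else demo || true; fi
```

A non-zero exit status means at least one edit has to be reapplied before restarting the web configurator and php-fpm.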