by thesorrow 2422 days ago
I'm sure a lot of PHP 7.0 installations are still in production and will not receive a patch...
4 comments

They will receive a patch if they're using it on a Linux distro that is still supported (e.g. Ubuntu 16.04 LTS). How many people actually bother to run apt-get update && apt-get upgrade on their cloud servers or docker images is a different question, though.
Probably a good idea to auto install security updates. At least that’s what I do on my servers.
I think it's been the default for several years now, but I imagine it's not normal for a security update in PHP to restart an nginx process? Maybe it is.
Yup, we run like 50 sites on PHP 5.3 atm and just 5 with 7+. The PHP industry is weird and update-shy in my experience... At least in Europe.
OMG! Don't you ever have problems with those sites? Not just security but speed is also something I'd consider.

It's time to upgrade if you want to stay secure: https://www.php.net/supported-versions.php

If you're using an out-of-support version, you should either use a distro that backports patches or contract somebody to do the backports for you. Otherwise you're basically hanging a sign saying "please pwn me" on your site. This is true for any software, not just PHP (for PHP, most security fixes are actually not hard to backport; somebody just has to do it).
The issue is PHP-FPM (FastCGI) only and it's vulnerable from outside only with nginx.

The vast majority of PHP 7.0 installations don't use FastCGI and don't use nginx but Apache, simply because people used 'apt install php' (or 'yum install php') to install it.

So imho, the impact is very limited.

> The vast majority of PHP 7.0 installations don't use FastCGI and don't use nginx

Do you have a source for this?

The common approach is to serve static files with nginx and use apache / php_mod to process.

Why are you running php-fpm? Do you need to separate requests' processes? The speed benefits of php-fpm are part of php 7, so using php_mod is faster now.

> The common approach is to serve static files with nginx and use apache / php_mod to process.

Not sure how common that really is; I've personally never set things up like that and just use nginx + php-fpm, and I don't know anyone that still uses apache with mod_php.

Plenty of stuff still uses it, unfortunately. Performance is pretty janky. I just moved a MediaWiki install from Apache+mod_php to Nginx+php-fpm as part of getting the site(s) on kubernetes, and it's tremendously better to work with and uses less memory due to not needing mpm_prefork.
We went from php_mod to php-fpm but we started moving back to php_mod after php 7 came out showing the benchmarks.
That's true for us as well with our legacy applications.

Our newer applications are using litespeed instead, and we've found it to be significantly better. You basically get the features of a nginx + apache + varnish stack in a single easily managed service and with better performance too.

I think it's the default on Plesk installs.
> Why are you running php-fpm?

Because running just nginx is more convenient than nginx + Apache, where Apache is only used for mod_php. For me anyway. (I only use nginx + php-fpm for a Wordpress instance; I have tons of stuff in other languages running on top of nginx too.)

Why are you not running php-fpm with Apache is a more pressing question IMO.
Speed mostly.
Can you elaborate? I've yet to see Apache + mod_php be capable of coming even close to <anything> + PHP-FPM, so I'm really interested in what you guys are doing.
I was under the impression that a properly tuned mpm_event and fpm have very little difference from mpm_prefork and mod_php. What sort of machines are you running this on, and what sort of child proc numbers are you running?
PHP-FPM + Nginx is the standard approach for OwnCloud & NextCloud. I'm sure they're not the only stacks that use that approach.