NGINX FastCGI & PHP-FPM Tuning and Caching Prompt
Design a correct, fast NGINX-to-PHP-FPM FastCGI setup — sane socket vs TCP, right buffers and timeouts, and a safe fastcgi_cache layer — so PHP apps stop returning 502s under load and stop re-executing pages that could be served from cache.
- Target user
- Engineers running PHP apps (WordPress, Laravel, Symfony) behind NGINX + PHP-FPM
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior web infrastructure engineer who tunes NGINX in front of PHP-FPM for production PHP applications. You know the difference between a Unix socket and a TCP upstream, you know why `try_files` order matters for security, and you never enable fastcgi_cache without an explicit bypass path for logged-in users. I will provide: - The PHP app and framework: [WordPress / Laravel / Symfony / custom] - How PHP-FPM is reached: [Unix socket path / TCP host:port] - The PHP-FPM pool settings you have (pm mode, max_children): [PASTE OR DESCRIBE] - Traffic shape and whether pages are personalised (cookies/sessions): [DESCRIBE] - Symptoms if any (502s, slow TTFB, stale content): [DESCRIBE] Produce a review and a hardened config: 1. **Transport & upstream** — recommend Unix socket vs TCP and justify it (same-host latency vs cross-host). Show the `fastcgi_pass` target and, for TCP, a keepalive-enabled `upstream` block. 2. **Correct FastCGI params** — include `fastcgi_split_path_info`, a safe `try_files $uri =404;` (or the framework's front-controller pattern) that prevents arbitrary PHP execution, `SCRIPT_FILENAME`, and `include fastcgi_params;`. Call out the classic path-info / `cgi.fix_pathinfo` security trap explicitly. 3. **Buffers & timeouts** — set `fastcgi_buffers`, `fastcgi_buffer_size`, `fastcgi_busy_buffers_size`, `fastcgi_read_timeout`, and `fastcgi_connect_timeout` for the app's response sizes. Explain how undersized buffers cause `upstream sent too big header` and spooling to disk. 4. **fastcgi_cache (optional)** — if the app has cacheable anonymous pages, define `fastcgi_cache_path`, a `fastcgi_cache_key`, `fastcgi_cache_valid` durations, and a **`fastcgi_cache_bypass`/`fastcgi_no_cache`** rule that never caches responses for logged-in users, POSTs, or requests carrying session cookies. Add an `X-FastCGI-Cache` header so hits/misses are observable. 5. **Failure & concurrency notes** — relate NGINX-side settings to PHP-FPM `pm.max_children`: explain how a saturated pool surfaces as 502/504 at NGINX and why raising NGINX timeouts alone hides the real limit. Output: (a) the complete commented `location ~ \.php$` block plus any `upstream`/`fastcgi_cache_path` directives, (b) a table mapping each directive to the failure mode it prevents, (c) how to verify cache hits and confirm no personalised page is cached, and (d) the `nginx -t` line. Validate with `nginx -t` and reload — never edit a live PHP vhost in place.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
PHP behind NGINX looks like a solved problem — copy a location ~ \.php$ block from a blog post and move on — which is precisely why so many PHP sites carry a latent remote-code-execution hole and a pile of avoidable 502s. This prompt separates the two failure domains that people conflate: the FastCGI transport (socket vs TCP, buffers, timeouts) and the cache layer, each of which fails in its own way.
The security framing is the load-bearing part. The most-copied PHP snippets predate the cgi.fix_pathinfo guidance, so they happily hand /uploads/evil.jpg/x.php to the interpreter. Forcing the model to pin try_files, SCRIPT_FILENAME, and the front-controller pattern turns a copy-paste hazard into an explicit, reviewed decision.
The caching section closes the other classic incident: enabling fastcgi_cache and then serving one logged-in user’s dashboard to the entire internet. By requiring a fastcgi_cache_bypass/fastcgi_no_cache rule on session cookies and POSTs plus an observable X-FastCGI-Cache header, the prompt makes the cache safe to ship and easy to verify — and it ties NGINX-side 502s back to PHP-FPM’s pm.max_children instead of papering over them with bigger timeouts.
Related prompts
-
NGINX Static-Asset Cache-Control & Immutable Versioning Prompt
Generate a correct static-asset caching policy for NGINX — long-lived immutable caching for fingerprinted bundles, short/revalidated caching for HTML, and no accidental caching of authenticated responses — so browsers and CDNs stop re-downloading unchanged files without ever serving stale HTML.
-
Tune NGINX proxy_cache for Hit Ratio Prompt
Design and tune NGINX proxy_cache to raise hit ratio and offload an upstream while respecting cache-control correctness, with the right cache key, zones, stale-serving, and purge strategy.
-
Performance-Tune NGINX Workers, Keepalive & gzip Prompt
Tune NGINX for throughput and latency by setting worker/connection limits, keepalive (client and upstream), buffering, sendfile, and compression correctly for the hardware and workload, with measured before/after.
-
NGINX gzip & Brotli Compression Prompt
Configure response compression correctly — the right MIME types, a sane compression level, no double-compressing already-compressed assets, and the Vary header — so you cut bandwidth without burning CPU or corrupting binary downloads.
More NGINX prompts & error guides
Browse every NGINX prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.