It’s 2017 and search engines penalize sites that are NOT ‘fast‘ (varnish) and ‘secure‘ (ssl)…

As such, I’ve decided to make this blog fast and secure, by employing the standard technologies (Varnish Cache and free SSL certificates).

Here’s the architecture I’ve chosen:

  • bottom layer: PHP-FPM running on unix sockets instead of touching the network stack (which is arguably slower and I don’t like having an extra open port exposed);
    • this is because the self-hosted WordPress, which is the publishing software I use to write this blog, is written in PHP
  • middle layer: NginX webserver and reverse-proxy. This is what serves the actual content, HTTP only (no SSL at this stage)
  • caching layer (internet facing): Varnish Cache
  • SSL layer: Nginx

Alright, let’s look at each and every one of these layers, in a from-zero-to-hero fashion. All this assumes a Debian Linux or derivative box (be it a virtual machine, a VPS/VDS, dedicated physical server in some datacenter, or your basement, your development machine, docker containers… whatever).

And another assumption is that you need root (sudo) access to said box, and are comfortable with the Linux command line lingo and basic commands.

1. PHP (feel free to skip this if your site doesn’t use this archaic programming language)

sudo apt-get install php7.0-fpm

You only need the php-fpm package, not all the fluff that you normally get when you generically install ‘php’.

After you install it, break out your favourite editor on that box (vim/nano/emacs/whatever-floats-your-boat), and go make the required modifications to php-fpm’s config file, (on my Ubuntu Xenial LTS [16.04.2] it’s at: /etc/php/7.0/fpm/pool.d/www.conf), and look for the ‘listen =’ stanza, change it if necessary to:

listen = /run/php/php7.0-fpm.sock

You’re free to choose a different path where to allow php to store its socket file, but the defaults are sane enough for me. On some older systems it prefers to create that file unde /var/run/…

Whatever, it doesn’t really matter where it is, as long as the user which runs php on your system has full read and write access to that file.

Write a Comment


  1. HTTP/1.1 403 Forbidden
    Server: nginx/1.10.3 (Ubuntu)
    Date: Sat, 29 Sep 2018 17:23:22 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0

    i get this response

    • would you mind posting both your NGINX configuration as well as your Varnish configuration? Also, please be specific as to your OS flavor and version.

  2. 1. Your tutorial works for me. But after I logged in with admin account, access any url with “/wp-admin/*”, results a 302 (see below). Any ideas? – – [13/Dec/2018:15:48:34 +0000] “GET /home/wp-admin/post-new.php HTTP/1.1” 302 0 “” “Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36”

    2. In some tutorial, they added the following configs. Do we need them?

    define( ‘WP_HOME’, ‘https://your-site’ );
    define( ‘WP_SITEURL’, ‘https://your-site’ );
    define(‘FORCE_SSL_ADMIN’, true);
    define(‘FORCE_SSL_LOGIN’, true);