Tag: php-fpm

A page cache that lives inside nginx: no Varnish, no Lua, no second daemon. How cache-turbo uses stale-while-revalidate, L1/L2 tiers and single-flight refresh to keep your backend asleep under load.

Half of all web traffic is bots, and a growing slice are vibe-coded AI scanners written by a chatbot prompt. Here is the five-layer defense in depth that stops them: rate limiting, WAF, TLS hardening, request validation, access control, PHP and Docker hardening, plus the patching that does the most work.

Our hardened Roundcube Docker image runs as nobody, can chown nothing, and treats every request as hostile. Here is the full unprivileged + WAF security model — and why default webmail containers are a liability.

Default Docker is barely a container at all — root, mutable, all caps, shared kernel. This is the ten-flag hardening checklist that turns it into something a real attacker has to work to break: rootless, read-only, cap-drop, no-new-privileges, distroless, secrets, segmentation, scanning. With a worked NGINX + PHP-FPM compose example.

The complete WordPress + NGINX + PHP-FPM setup for Debian and Ubuntu: server block config, pool tuning, FastCGI caching for anonymous traffic, Redis object cache, Brotli compression, and security hardening with ModSecurity and Snuffleupagus.

A friendly, jargon-free walkthrough: install Snuffleupagus from the myguard APT repo, pick the right rulebook for your stack (WordPress, Roundcube, generic PHP, internal agent), wire it into a PHP-FPM pool, and avoid the 5 traps that bite everyone the first time.