
Phusion Blog

Phusion Passenger 4.0.40 released, Nginx 1.4.7 with buffer overflow fix

By Hongli Lai on March 19th, 2014

Phusion Passenger 4.0.40 has been released. The only change in this version is that the preferred Nginx version has been bumped to 1.4.7, because of a buffer overflow exploit in Nginx (CVE-2014-0133). Nginx users are strongly encouraged to upgrade.

Ruby Rogues 143: Phusion Passenger Enterprise with Hongli Lai and Tinco Andringa

By Hongli Lai on February 12th, 2014

We’ve been invited by Ruby Rogues to participate in a podcast about Phusion Passenger Enterprise. This podcast covers the following topics:

  • Hongli Lai and Tinco Andringa Introductions
  • Phusion Passenger introduction
  • Rack
  • Node.js, MeteorJS, Python Support
  • Processes and Threads
    • Ruby Rogues Episode #58 – Book Club: Working with Unix Processes with Jesse Storimer
    • Ruby Enterprise Edition
    • Smart Spawning
  • Advantages of Phusion Passenger Enterprise
    • Rolling Restarts
    • Mass Deployment
  • Passenger vs Unicorn
  • Error Resistant Deploys
  • Hosting
    • DreamHost
  • Apache, Nginx support
  • Stability Issues
  • Documentation and Support

Listen to the podcast at the Ruby Rogues website

Thanks Ruby Rogues for hosting us!

Use Nginx + SPDY, without compiling Nginx and without a recent OpenSSL

By Hongli Lai on August 21st, 2013


We use the SPDY network protocol extensively to improve the performance of our websites. SPDY — pronounced “speedy” — is a new-ish protocol from Google with the goal of reducing latency, improving throughput and improving pipelining. Many articles have been written about the advantages of SPDY. We have observed 20%-30% better loading times by switching from plain HTTP to SPDY, mostly because of the better pipelining that SPDY offers over plain HTTP.

SPDY is built on top of TLS. Nginx has supported SPDY through external patches for a while. Since version 1.4.0, Nginx has SPDY support built in, with two caveats:

  1. SPDY support must be enabled by compiling Nginx with --with-http_spdy_module.
  2. It requires OpenSSL 1.0.1+, because SPDY requires the Next Protocol Negotiation TLS extension.

Many users prefer to use the Nginx binary provided by their distribution. But not all of the currently widely used distributions provide OpenSSL 1.0.1, and of those that do, very few of them have Nginx with SPDY enabled.

We have been providing prebuilt Nginx binaries since Phusion Passenger 4.0.13 (learn more at “No more compiling Phusion Passenger”). These Nginx binaries not only have Phusion Passenger support enabled, but also SPDY support! Furthermore, we’ve spent great effort on ensuring that these binaries are compatible with a wide range of Linux distributions, whether they’re running on x86 or x86_64. Best of all: you can use these Nginx binaries without Phusion Passenger, and as a drop-in replacement for your distribution’s Nginx binary! This means:

  • You install Nginx using your distribution’s preferred method (e.g. apt-get install nginx).
  • You overwrite the Nginx binary with the one that we provide.
  • You get to keep all the nice things that your distribution package offers, such as init scripts, conf.d directories, etc.
  • No compilation is necessary.

Getting started on Debian or Ubuntu

This guide is tailored for Debian and Ubuntu. The instructions may also work on other distributions, but the paths may be different, and the init script format may also be different. You can use this guide as a starting point for figuring out how to achieve the same for your specific distribution.

Install Nginx using apt:

sudo apt-get install nginx

Next, download our Nginx binary. There are multiple versions of Nginx and of Phusion Passenger. You can find all available versions at the Phusion download server, indexed by Phusion Passenger version. At the time of writing, Nginx 1.4.2 and Phusion Passenger 4.0.13 are the most recent versions:

# 32-bit systems
curl -O
# 64-bit systems
curl -O

Extract the downloaded tarball:

tar xzvf nginx-*.tar.gz

Update April 9 2014: the tarball and the binary have been renamed. It’s called “webhelper” now. So if you want Nginx 1.4.7 from Phusion Passenger 4.0.41, run:

# 32-bit systems
curl -O
# 64-bit systems
curl -O

# Then extract the tarball and rename the binary:
tar xzvf webhelper-*.tar.gz
mv PassengerWebHelper nginx

The next steps are a little more complicated, although not difficult. The Nginx binary that we provide is compiled with the prefix /tmp. This is because Nginx requires several data directories (e.g. client_body_temp_path) to properly operate. Since our Nginx binary is designed to be portable, we can’t assume any specific directory structure, which is why we use the /tmp prefix.

Luckily, there is a way to tell the Nginx binary at runtime to use a different directory structure, and that’s exactly what we’re going to do.

Overwrite the original Nginx binary and create a bunch of symlinks:

sudo cp nginx /usr/sbin/
sudo ln -s /etc/nginx /var/lib/nginx/conf
sudo ln -s /var/log/nginx /var/lib/nginx/logs

Then edit /etc/default/nginx and add:

DAEMON_OPTS="$DAEMON_OPTS -p /var/lib/nginx"

Next, edit /etc/nginx/nginx.conf, and set the following options:

pid /var/run/;
lock_file /var/lock/nginx.lock;

Finally, restart Nginx using your distribution’s Nginx init script:

sudo /etc/init.d/nginx restart

Testing SPDY

To test SPDY, you need an SSL certificate for your domain name. There are many cheap SSL certificate providers out there, which you can easily find through Google. Once you have an SSL certificate, create a virtual host entry:

sudo tee /etc/nginx/conf.d/spdy_test.conf <<EOF
server {
    listen 443 ssl spdy;
    ssl on;
    ssl_certificate /path-to-your-cert.crt;
    ssl_certificate_key /path-to-your-key.key;
    root /tmp/spdy_test;
}
EOF

Then create a web directory with a test document:

mkdir /tmp/spdy_test
echo it works > /tmp/spdy_test/index.html

Restart Nginx:

sudo /etc/init.d/nginx restart

Finally, use SPDYCheck to check your website at

Distribution updates

Whenever the distribution has an update for Nginx, you must replace the Nginx binary after the distribution’s update tool has installed the update. For example, suppose that Ubuntu releases Nginx 1.4.3 tomorrow:

$ sudo apt-get upgrade
[some error messages will appear during restarting of Nginx]

apt-get upgrade will probably fail to restart Nginx, but this is normal! This is because you will probably have SPDY-specific configuration options, but the distribution’s Nginx doesn’t support that.

Ignore the error, and download the latest version of the Phusion Nginx binary from the Phusion download server:

curl -O<SOME VERSION>/nginx-1.4.3-<SOME ARCHITECTURE>-linux.tar.gz

Next, extract the Nginx binary and overwrite the distribution’s binary:

tar xzvf nginx-*.tar.gz
sudo cp nginx /usr/sbin/

Finally, finalize the apt-get upgrade and restart Nginx:

sudo apt-get upgrade
sudo /etc/init.d/nginx restart

What about security?

Downloading random binaries from the Internet is very dangerous. If an attacker intercepts and modifies the communication channel, anything goes. To combat this problem, we’ve employed two security measures:

  • All our binaries are hosted on HTTPS.
  • All our binaries are signed with PGP. The PGP key is Phusion Automated Software Signing (, fingerprint 1637 8A33 A6EF 1676 2922 526E 561F 9B9C AC40 B2F7.
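
The PGP check only helps if the signature is tied to the fingerprint above, because `gpg --verify` succeeds for any key in your keyring. The following is an added example, not code from Phusion: it assumes the signing key is already imported and that a detached signature file accompanies the tarball (the file names passed to `verify_download` are assumptions).

```sh
#!/bin/sh
# Fingerprint as published in the post, spaces removed.
PINNED_FPR="16378A33A6EF16762922526E561F9B9CAC40B2F7"

# Constructed sample of one `gpg --status-fd` line (not real gpg output).
SAMPLE_STATUS='[GNUPG:] VALIDSIG 16378A33A6EF16762922526E561F9B9CAC40B2F7 2014-04-09 1397001600 0 4 0 1 2 00 16378A33A6EF16762922526E561F9B9CAC40B2F7'

# validsig_matches FINGERPRINT
# Reads gpg status output on stdin. Succeeds only if a VALIDSIG line names
# FINGERPRINT as the signing key (field 3) or the primary key (last field).
validsig_matches() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$pinned" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_download TARBALL SIGNATURE
# Rejects the download when the signature is bad OR when it was made by
# any key other than the pinned one.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | validsig_matches "$PINNED_FPR"
}
```

Run `verify_download` on the tarball before copying the extracted binary to /usr/sbin, and stop if it returns non-zero.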

Reinstalling Nginx if something goes wrong

If our binary doesn’t work for some reason, then reverting to the original Nginx binary is easy:

sudo apt-get remove nginx
sudo apt-get install nginx


Installing Nginx with SPDY support through our prebuilt binaries is quite easy and requires just a few config file changes. We’d love to know whether it works well for you. Please leave feedback at the comment form below. Thank you for reading.

Fixing Nginx PCRE compilation issues on OS X

By Hongli Lai on October 26th, 2012

A lot of people running OS X (including us!) have recently been suffering from problems with compiling Nginx. Compilation would fail with the error message that the symbol pcre_free_study is not found, within the context of the function ngx_pcre_free_studies in ngx_regex.o:

src/core/ngx_regex.o: In function `ngx_pcre_free_studies':
    src/core/ngx_regex.c:307: undefined reference to `pcre_free_study'
collect2: ld returned 1 exit status
make[1]: *** [objs/nginx] Error 1

What is pcre_free_study? A Google search revealed that it is related to recently added support for JIT compilation in the PCRE library, a regular expressions library used by Nginx.

Upon further inspection, it turns out that a recent OS X update installed /usr/lib/libpcre.0.dylib and /usr/include/pcre.h. OS X did not ship PCRE in the past and users had to manually install it with MacPorts or HomeBrew. However, the library that OS X now ships seems to be of a different version than the header file!

$ strings /usr/lib/libpcre.0.dylib | grep -F 8.
8.02 2010-03-19
$ less /usr/include/pcre.h
/* The current PCRE version information. */

#define PCRE_MAJOR          8
#define PCRE_MINOR          31
#define PCRE_PRERELEASE     
#define PCRE_DATE           2012-07-06

The compilation problem is caused by the fact that OS X did not ship a proper header file for PCRE. You can solve this problem by downloading the header file for PCRE 8.02 and copying it to /usr/include.

Launching unofficial, automatically updated Github mirror for the Nginx SVN repository

By Hongli Lai on August 9th, 2011

I probably don’t need to tell you what a great web server Nginx is. It’s lightweight, it’s fast, it’s scalable, and many people like it for its configuration file syntax yet flexible features. It’s no surprise that Nginx is doing a great job serving as a core for Phusion Passenger Standalone (our Ruby/Rails web application server which supports Apache and Nginx).

Nginx’s development has traditionally been behind closed doors. Nginx is written for the most part by one brilliant man, Igor Sysoev, who accepts patches on the Nginx mailing list. But for a long time there was no source repository with which contributors and interested people could track the development process, and no official bug tracker. All of that has changed in 2011. Igor has established Nginx as a company. The Nginx SVN repository is now open to the public and a few days ago they even opened a Trac. In short: a lot of great news lately.

Announcing the Github Nginx mirror

These days a lot of people have switched from Subversion to Git. When you’ve worked with Git for a while, Subversion probably feels archaic and unproductive. The “killer app” for Git is Github, which provides an unbeatable collaboration experience. Indeed, many projects that have switched to Github reported a dramatic increase in contributions!

In order to stimulate Nginx development, we’ve launched a Github mirror of the Nginx SVN repository:

A few notes about this mirror:

  • It’s automatically updated twice a day.
  • It’s read-only. We don’t accept pull requests. Changes should be sent to the Nginx mailing list in the form of patches.
  • We intentionally don’t mirror all the branches and tags, only the most recent ones, because we don’t believe the old branches and tags are useful to anybody.
  • Please feel free to contact us if you have an issue with our mirror.

Happy developing!