FreeNAS 11.3 Jail + WordPress & Nginx

I’ve recently upgraded my FreeNAS server to version 11.3 and I setup my personal WordPress site in a FreeNAS Iocage Jail using PHP-FPM and Nginx web server. There are precious few write ups of this process so I decided to write one (and document my challenges). I hope you enjoy. Before you get started this is of moderate difficulty and there are much easier hosted solutions at This is mostly an exercise of “is this possible” and the answer is yes!

BTW, many thanks to which is the post which I originally used to get myself configured. I’ve added to it and changed a few things. Please note my Iocage Jail section is much different and I’ve added the WordPress configuration steps.

Step 1) Create the Iocage Jail

There are numerous tutorials for doing this. I will be brief here. In the FreeNAS 11.3 web GUI interface, navigate to Jails and select Add. I named mine WordPress, you can choose whichever name suits your fancy; www is another good option. I selected default Jail type and release 11.3-Release (more about this later).

I selected DHCP auto configure for IPv4 which means FreeNAS will request an IP address from your router via DHCP (Dyn Host Config Protocol). Only select NAT if you want to put it on the same IP as your FreeNAS server but that takes some work since FreeNAS also sits on port 80, so save yourself the trouble and select DHCP. I unchecked autoconfigure of IPv6. In general I keep IPv6 off for security reasons. Hit next and then create.

Start your Jail using the FreeNAS web GUI. Note down the IP address of your jail for later. SSH (Secure Shell) into your Freenas (there are many tutorials on how to do that, I’ll leave to the reader) and type jls to view the Jails that have been configured and are running (note the JID or jail identifier). You can see in the screenshot below that my WordPress jail is running on jid 9. Execute the command “sudo exec 9 /bin/tcsh” to ssh into WordPress jail. BTW, there are like a half dozen ways to ssh into a jail, this is just the way I’m most comfortable with.

Step 2) Install packages

Now that you are ssh’ed into your FreeNAS 11.3 jail, we will install a number of software packages. This may or may not get out of date. I will attempt to keep it more or less current. Please note that we’ll install mysql 5.7 packages as the mysql 8.0 package fails when WordPress attempts to connect. Your mileage may vary and of course other RDBMS (Relational Database Management Systems) will also work. I’m a former Sybase DBA and I absolutely love Sybase for what it’s good at… I digress.. Ok, on to the packages…

First, run “pkg update” to fetch the latest package list for your Jail. Next, run “pkg upgrade” to upgrade any deployed package and the Jail software itself (Note, this may take a while if you run on an old Jail). There is another command needed to upgrade to another release (i.e. 11.2 to 11.3 release of FreeNAS) which I’ll leave to the reader.

Execute the following command to download the packages

pkg install nginx php73 mysql57-server mysql57-client php73-xml php73-dom php73-curl php73-ctype php73-json php73-ftp php73-hash php73-session php73-pecl-imagick php73-pecl-memcached php73-tokenizer php73-mbstring php73-fileinfo php73-exif php73-openssl php73-filter php73-zip php73-zlib php73-mysqli php73-iconv php73-gd

It’ll pull in many other dependencies; it became 98 packages on my test machine, 669 MiB. Select “Y” to download and install. PHP packaging is *very* modular in general. If you forget a required package like let’s say php73-ctype and then continue, you’ll eventually get Jetpack connection errors that will have you pulling your hair out for a day until you realize (this happened to me!).

3) Create and Mount Your Datasets

Personally, I like to put software in the Jails and keep data on datasets outside of the Jails. This way I can create or upgrade software components away from the data for no-tears upgrades. I created 2 datasets on my FreeNAS pool named ssl and var. SSL like the description says is all things SSL certs and intermediate certs and CSR’s etc. I keep it separate from the Jails and separate from other datasets as I’ll want to use this with other services (Minecraft minos for instance). Var is for all things Variable that includes logs, WWW root and database backups.

Back at the command line to my WordPress Jail, I changed directory back to the /mnt directory and added two directories for the ssl dataset and the var dataset

Stop the WordPress Jail in the FreeNAS web GUI (in the Jails section). When it is stopped, select Mountpoints to add the mount points you just created.

Next, add the two mount points to the Jail you named WordPress. You will need to do this one at a time and select the source at the top to be the dataset you just created and the destination in the bottom pane which is the directory you created in your Jail. You can use different directory names; just remember what you used.

After you add the 2 mounts, you can go back to the Jails interface in FreeNAS and restart your WordPress jail.

4) Configure your Services to Autostart

Use that jls and jexec process (from end of Step 1) to ssh back into your WordPress Jail. You should notice that the JID number has incremented by 1 (this is expected). Check to make sure the /mnt/ssl and /mnt/var filesystems are mounted and writeable. You can touch a file in each directory and see if it’s written to the appropriate place.

Then type “grep rcvar /usr/local/etc/rc.d/*” to see what the enable configs are for all your services. In this example they are php_fpm_enable, nginx_enable and mysql_enable. Then vi the /etc/rc.conf file to add those configurations and enable them.

You of course can use whichever editor you like. I’m a vi person, emacs looks cool but vi works everywhere. Add those 3 entries at the bottom and save the file. Don’t start any services yet.

5) Configure php-fpm (Note: I have no idea what fpm means, I will speculate freebsd package mgmt)

Back in the ssh command line for your WordPress instance. Run the following command to copy the distributed php.ini (config) file to your instance.

root@wordpress:~ # cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Next, edit the php-fpm.conf file

root@wordpress:~ # vi /usr/local/etc/php-fpm.conf
; FPM Configuration ;

; All relative paths in this configuration file are relative to PHP's install
; prefix (/usr/local). This prefix can be dynamically changed by using the
; '-p' argument from the command line.

; Global Options ;

; Pid file
; Note: the default prefix is /var
; Default Value: none
pid = run/

; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; into a local file.
; Note: the default prefix is /var
; Default Value: log/php-fpm.log
;error_log = log/php-fpm.log

; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
;syslog.facility = daemon

; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.
; Default Value: php-fpm
;syslog.ident = php-fpm

; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
;log_level = notice

; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
;emergency_restart_threshold = 0

; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated.  This can be useful to work around
; accidental corruptions in an accelerator's shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;emergency_restart_interval = 0

; Time limit for child processes to wait for a reaction on signals from master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
;process_control_timeout = 0

; The maximum number of processes FPM will fork. This has been designed to control
; the global number of processes when using dynamic PM within a lot of pools.
; Use it with caution.
; Note: A value of 0 indicates no limit
; Default Value: 0
; process.max = 128

; Specify the nice(2) priority to apply to the master process (only if set)
; The value can vary from -19 (highest priority) to 20 (lowest priority)
; Note: - It will only work if the FPM master process is launched as root
;       - The pool process will inherit the master process priority
;         unless specified otherwise
; Default Value: no set
; process.priority = -19

; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
; Default Value: yes
;daemonize = yes

; Set open file descriptor rlimit for the master process.
; Default Value: system defined value
;rlimit_files = 1024

; Set max core size rlimit for the master process.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0

; Specify the event mechanism FPM will use. The following is available:
; - select     (any POSIX os)
; - poll       (any POSIX os)
; - epoll      (linux >= 2.5.44)
; - kqueue     (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
; - /dev/poll  (Solaris >= 7)
; - port       (Solaris >= 10)
; Default Value: not set (auto detection)
events.mechanism = kqueue

; When FPM is built with systemd integration, specify the interval,
; in seconds, between health report notification to systemd.
; Set to 0 to disable.
; Available Units: s(econds), m(inutes), h(ours)
; Default Unit: seconds
; Default value: 10
;systemd_interval = 10

; Pool Definitions ;

; Multiple pools of child processes may be started with different listening
; ports and different management options.  The name of the pool will be
; used in logs and stats. There is no limitation on the number of pools which
; FPM can handle. Your system will tell you anyway :)

; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
; Relative path can also be used. They will be prefixed by:
;  - the global prefix if it's been set (-p argument)
;  - /usr/local otherwise

Edit the file /usr/local/etc/php-fpm.d/www.conf

root@www:~ # vi /usr/local/etc/php-fpm.d/www.conf
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)

; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr/local) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = www
group = www

; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   ''    - to listen on a TCP socket to a specific IPv4 address on
;                            a specific port;
;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses
;                            (IPv6 and IPv4-mapped) on a specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen =

; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
listen.backlog = -1

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
;listen.owner = www
; = www
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and are ignored
;listen.acl_users =
;listen.acl_groups =

; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
listen.allowed_clients =

; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
;       - The pool processes will inherit the master process priority
;         unless it specified otherwise
; Default Value: no set
; process.priority = -19

; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes

; Choose how the process manager will control the number of child processes.
; Possible Values:
;   static  - a fixed number (pm.max_children) of child processes;
;   dynamic - the number of child processes are set dynamically based on the
;             following directives. With this process management, there will be
;             always at least 1 children.
;             pm.max_children      - the maximum number of children that can
;                                    be alive at the same time.
;             pm.start_servers     - the number of children created on startup.
;             pm.min_spare_servers - the minimum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is less than this
;                                    number then some children will be created.
;             pm.max_spare_servers - the maximum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is greater than this
;                                    number then some children will be killed.
;  ondemand - no children are created at startup. Children will be forked when
;             new requests will connect. The following parameter are used:
;             pm.max_children           - the maximum number of children that
;                                         can be alive at the same time.
;             pm.process_idle_timeout   - The number of seconds after which
;                                         an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic

; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5

; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2

; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1

; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3

; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;

; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500

; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
;   pool                 - the name of the pool;
;   process manager      - static, dynamic or ondemand;
;   start time           - the date and time FPM has started;
;   start since          - number of seconds since FPM has started;
;   accepted conn        - the number of request accepted by the pool;
;   listen queue         - the number of request in the queue of pending
;                          connections (see backlog in listen(2));
;   max listen queue     - the maximum number of requests in the queue
;                          of pending connections since FPM has started;
;   listen queue len     - the size of the socket queue of pending connections;
;   idle processes       - the number of idle processes;
;   active processes     - the number of active processes;
;   total processes      - the number of idle + active processes;
;   max active processes - the maximum number of active processes since FPM
;                          has started;
;   max children reached - number of times, the process limit has been reached,
;                          when pm tries to start more children (works only for
;                          pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
;   pool:                 www
;   process manager:      static
;   start time:           01/Jul/2011:17:53:49 +0200
;   start since:          62636
;   accepted conn:        190460
;   listen queue:         0
;   max listen queue:     1
;   listen queue len:     42
;   idle processes:       4
;   active processes:     11
;   total processes:      15
;   max active processes: 12
;   max children reached: 0
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; The Full status returns for each process:
;   pid                  - the PID of the process;
;   state                - the state of the process (Idle, Running, ...);
;   start time           - the date and time the process has started;
;   start since          - the number of seconds since the process has started;
;   requests             - the number of requests the process has served;
;   request duration     - the duration in µs of the requests;
;   request method       - the request method (GET, POST, ...);
;   request URI          - the request URI with the query string;
;   content length       - the content length of the request (only with POST);
;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
;   script               - the main script called (or '-' if not set);
;   last request cpu     - the %cpu the last request consumed
;                          it's always 0 if the process is not in Idle state
;                          because CPU calculation is done when the request
;                          processing has terminated;
;   last request memory  - the max amount of memory the last request consumed
;                          it's always 0 if the process is not in Idle state
;                          because memory calculation is done when the request
;                          processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
;   ************************
;   pid:                  31330
;   state:                Running
;   start time:           01/Jul/2011:17:53:49 +0200
;   start since:          63087
;   requests:             12808
;   request duration:     1250261
;   request method:       GET
;   request URI:          /test_mem.php?N=10000
;   content length:       0
;   user:                 -
;   script:               /home/fat/web/docs/php/test_mem.php
;   last request cpu:     0.00
;   last request memory:  0
; Note: There is a real-time FPM status monitoring sample web page available
;       It's available in: /usr/local/share/php/fpm/status.html
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status

; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping

; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong

; The access log file
; Default: not set
;access.log = log/$pool.access.log

; The access log format.
; The following syntax is allowed
;  %%: the '%' character
;  %C: %CPU used by the request
;      it can accept the following format:
;      - %{user}C for user CPU only
;      - %{system}C for system CPU only
;      - %{total}C  for user + system CPU (default)
;  %d: time taken to serve the request
;      it can accept the following format:
;      - %{seconds}d (default)
;      - %{miliseconds}d
;      - %{mili}d
;      - %{microseconds}d
;      - %{micro}d
;  %e: an environment variable (same as $_ENV or $_SERVER)
;      it must be associated with embraces to specify the name of the env
;      variable. Some exemples:
;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
;  %f: script filename
;  %l: content-length of the request (for POST request only)
;  %m: request method
;  %M: peak of memory allocated by PHP
;      it can accept the following format:
;      - %{bytes}M (default)
;      - %{kilobytes}M
;      - %{kilo}M
;      - %{megabytes}M
;      - %{mega}M
;  %n: pool name
;  %o: output header
;      it must be associated with embraces to specify the name of the header:
;      - %{Content-Type}o
;      - %{X-Powered-By}o
;      - %{Transfert-Encoding}o
;      - ....
;  %p: PID of the child that serviced the request
;  %P: PID of the parent of the child that serviced the request
;  %q: the query string
;  %Q: the '?' character if query string exists
;  %r: the request URI (without the query string, see %q and %Q)
;  %R: remote IP address
;  %s: status (response code)
;  %t: server time the request was received
;      it can accept a strftime(3) format:
;      %d/%b/%Y:%H:%M:%S %z (default)
;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
;  %T: time the log has been written (the request has finished)
;      it can accept a strftime(3) format:
;      %d/%b/%Y:%H:%M:%S %z (default)
;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
;  %u: remote user
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"

; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow

; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0

; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20

; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0

; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024

; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0

; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
;       possible. However, all PHP paths will be relative to the chroot
;       (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =

; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes

; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no

; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7

; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
;   php_value/php_flag             - you can set classic ini defines which can
;                                    be overwritten from PHP call 'ini_set'.
;   php_admin_value/php_admin_flag - these directives won't be overwritten by
;                                     PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.

; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.

; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr/local)

; Default Value: nothing is defined by default except the values in php.ini and
;                specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

php_admin_value[memory_limit] = 512M
php_admin_value[cgi.fix_pathinfo] = 0
php_admin_value[post_max_size] = 13M
php_admin_value[upload_max_filesize] = 13M
php_admin_value[date.timezone] = "America/Chicago"

6) Configure Nginx Web Server

We are getting close; please hang in there! For this section we will create a series of config files for Nginx web server. We will default it to use SSL encryption (you will need to supply your own SSL certs). I can give you the steps to create a self signed SSL cert to test, but you’ll want to get a proper SSL cert (which costs $$$) from your domain registrar or another location.

Create and edit the following configuration files:

  • /usr/local/etc/nginx/php_handlers.conf: This config file directs where all the php scripts will be handled.
  • /usr/local/etc/nginx/conf.d/redirect.conf: This config file that redirects all the HTTP requests to HTTPS. 
  • /usr/local/etc/nginx/ssl.conf: This config file has all the settings defined to enable SSL on the web sever.
  • /usr/local/etc/nginx/conf.d/www.conf: This is the default wordpress server config file 
  • /usr/local/etc/nginx/nginx.conf: This is the main config file for the nginx webserver.

Create the server hosts configuration directory /usr/local/etc/nginx/conf.d

root@wordpress:~ # mkdir -p /usr/local/etc/nginx/conf.d

Create the /usr/local/etc/nginx/php_handlers.conf configuration file.

root@wordpress:~ # vi /usr/local/etc/nginx/php_handlers.conf
# PHP Handlers

# WordPress
upstream php_wp {
        # This should match value of the "listen" directive in php-fpm pool for www
        # localhost and port 9000

Create and edit the /usr/local/etc/nginx/conf.d/redirect.conf file

root@wordpress:~ # vi /usr/local/etc/nginx/conf.d/redirect.conf
server {
    listen 80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;

Create and edit the /usr/local/etc/nginx/conf.d/www.conf

root@wordpress:~ # vi /usr/local/etc/nginx/conf.d/www.conf
# www - public server
server {
   listen       443 ssl http2;

   root    /mnt/var/www/wordpress;
   index  index.php;

   # php max upload limit cannot be larger than this size
   client_max_body_size 13m;

   # SSL Configuration
   include /usr/local/etc/nginx/ssl.conf;

   location / {
       try_files $uri $uri/ /index.php?$args;

   location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $request_filename;
        fastcgi_pass   php_wp;  # php handler for www
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;

   location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        access_log off;
        log_not_found off;

} # End of www server block

Edit the file /usr/local/etc/nginx/nginx.conf

root@wordpress:~ # ee /usr/local/etc/nginx/nginx.conf
# Load Modules
load_module /usr/local/libexec/nginx/;
load_module /usr/local/libexec/nginx/;

user www;
worker_processes auto;

error_log  /var/run/error.log;
# service start script is looking here for the pid. don't move it.
pid        /var/run/;

events {
  worker_connections 1024;

http {

  # Basic settings
  # ----------

  sendfile on;
  tcp_nopush on;
  keepalive_timeout 65;
  #server_tokens off;

  # Common limits
  # ----------

  include mime.types;
  default_type application/octet-stream;

  # Logs format
  # ----------

  log_format main '$remote_addr - $host [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"'
                  'rt=$request_time ut=$upstream_response_time '

  log_format cache '$remote_addr - $host [$time_local] "$request" $status '
                   '$body_bytes_sent "$http_referer" '
                   'rt=$request_time ut=$upstream_response_time '

  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log warn;

  # GZip config
  # ----------

  gzip on;

  # Cache config
  # ----------

  # PHP Handlers
  # ----------
  include /usr/local/etc/nginx/php_handlers.conf;

  # Virtual host config
  # ----------
  # Only virtual host with the *.conf will be included.
  include /usr/local/etc/nginx/conf.d/*.conf; 

}  # End of http block

7) Configure SSL for Nginx

Create a self-signed SSL certificate using openssl.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /mnt/ssl/private/selfsigned.key -out /mnt/ssl/certs/selfsigned.crt

This will only be useful for your testing purposes. All guests to your web server will be prompted with a fun little message that this site cannot be trusted. It’s fine for this tutorial though, you will need to procure your own SSL certificate from your domain registrar or another reputable source. Note that I saved that keyfile and the cert into our mount point for the SSL dataset we created in a previous step.

Create and edit the /usr/local/etc/nginx/ssl.conf file

# Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate

ssl_certificate           /mnt/ssl/certs/selfsigned.crt; # self signed cert
ssl_certificate_key       /mnt/ssl/private/selfsigned.key; # self signed Key

#ssl_verify_client on;

# more secure ssl settings
ssl_protocols             TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers  on;

## verify chain of trust (if needed)
#ssl_trusted_certificate    /mnt/ssl/certs/cacert.pem;

8) Configure mysql database

WordPress leverages a database for much of the dynamic content (posts, users, pages, comments, etc). You’ll need to do a very small amount of configuration prior to first usage of WordPress. First and foremost you’ll need to start up the mysql server.

service mysql-server start

If you receive no errors then your mysql server should be running. you can check by running “netstat -an | grep 3306” and you should see a row starting with tcp4 and ending with LISTEN. If nothing is returned from the above command your mysql server is not running and you’ll need to troubleshoot that.

Next, you will need to run a script to secure the mysql installation. The first step is to login to mysql as root. The root password is either blank (i.e. nothing) or a special file called .mysql_secret in the root home directory that contains the password


Set the new root password, disable anonymous logins and root logins from external and remove the temp database. You can set password requirements, but if you do then it’ll only allow high strength passwords in WordPress. When the script is done login as root and create the WordPress database.

mysql –u root –p
create database wordpress;
grant all privileges on wordpress.* to 'wpuser'@'localhost' identified by 'wppassword';
flush privileges;

If you made it this far you really deserve a break; maybe a nice cup of camomile tea? Literally this took me like 2 nights to get this far…

9) Download WordPress Installation

WordPress is essentially a bunch of php files, some css and some other files. You can download the latest tarball (i.e a tar.gz archive) from (don’t mistakenly go to the .com version!). Hit the “Get WordPress” bottom and click the download .tar.gz link. You should scp the tar.gz file from your pc to the FreeNAS server. You should save it in your /var dataset which you mounted in a previous step. Mine is located in /mnt/PavPool/var, so the command from my pc would be:

rich@somecomputer# scp rich@kidney:/mnt/PavPool/var ~/Downloads/Wordpress-5.3.2.tar .

Create a directory called www and extract the WordPress archive there. Make sure the directory structure matches the path you set in www.conf in Step 6. If your jail is expecting /mnt/var/wordpress then the workpress software must be extracted into a folder called wordpress. Make sure the files are directory structure are readable and writeable by your nginx server process.

10) Now Restart everything and Try to Connect

You need to reload and restart all your components to load the configurations files. You will get an error if the configuration files are

root@wordpress:/ # service php-fpm reload

Performing sanity check on php-fpm configuration:
[19-Apr-2020 15:06:35] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Make sure your php-fpm.conf file passes the validation check. Now restart PHP

root@wordpress:/ # service php-fpm restart

Performing sanity check on php-fpm configuration:
[19-Apr-2020 15:10:18] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Stopping php_fpm.
Waiting for PIDS: 57658.
Performing sanity check on php-fpm configuration:
[19-Apr-2020 15:10:18] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Now reload nginx webe server and restart it. Again, make sure the reload validation step passes (it doesn’t mean that it will functionally work but at least you don’t have typos in your config files.).

root@wordpress:/ # service nginx reload

Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

root@wordpress:/ # service nginx restart

Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Stopping nginx.
Waiting for PIDS: 7244.
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.

Remember the IP address for your wordpress jail that you wrote down from step 1? Well, type that IP address into a web browser. If you are greeted by a webpage by WordPress to initialize your site for the first time then Success.

root@wordpress:/ # netstat -an | grep -i "LISTEN"
tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0         *.*                    LISTEN
tcp4       0      0         *.*                    LISTEN
root@wordpress:/ # 

Run a quick netstat check to see if you are listening on the ports you configured in the previous steps: 80 is http traffic (unencrypted) which will foward to 443 which is SSL encrypted by nginx, 9000 is php-fpm, and 3306 is mysql.

11) Configure port forwarding on your wifi router

You are in the home stretch now. Connect to wifi router and login as an admin account. Typically in the WAN section there is a series of options for port fowarding. If any external requests come into your External IP address for port 80 or port 443 you shoudl configure that to redirect or port forward those to the IP address for your wordpress Jail. Make sure your wifi router is configured with your dynamic DNS provider of choice; for example DynDNS. Ultimately traffic to will be redirected by your dynamic DNS service provider to your externally visiable IP address that is issued to your wifi router (usually thru DHCP) which will then port forward anything on port 80 or 443 to your jail internal NAT-ed (Network Address Translation) IP for WordPress which is where nginx is running. When you initialize your site USE YOUR external domain name in the wordpress config and not the internal IP address. If you mess this up and use your internal IP address then WordPress will look fine for you inside your network where your FreeNAS box is but the formatting will be missing or corrupted for everyone else outside your network that views your site. You can very easily drop your Mysql WordPress database if you chose any of the wrong options and re-create it to reinitilize your site. I hope this was useful to you; it’s a long read but utltimately I’m very happy with the setup!

By Rich

Lover of science, technology, ice hockey and the outdoors. Houston is home.

18 replies on “FreeNAS 11.3 Jail + WordPress & Nginx”


Thank you for the detailed information. Everything works for me until point 9.
But: I can’t start the wordpress-installation. I’ve tiered many things and I’ve used google. Without success…
I’ve checked your instructions twice.

So… I’ve a own (sub)-domain, which I forward to a dyndns-adress and forward to my router. In my router, I’ve make a port forwarding ( / 443).
My WordPress has a fixed ip-adress on my freenas. At the moment i use a nextcloud-installation with the same ports (80/443) and a another ip-adress.

Can you help me or do you have detailed information?

Thank you and best regards

Phil, I’ve updated the instructions past step 9 and cleaned up some of the explains. Please let me know if this solves your issue. I didn’t really get into how to setup Dynamic DNS as that outside the scope of this tutorial. I would first check that your nginx is listening and that you can access it internally in your local network. If you can then great and if you had issues with the Domain name then it would be upstream of the FreeNAS jail and your workpress install.

Rich, Great write up! Thanks for posting it. In step 11, ports 80 and 443 are forwarded to the IP to WordPress. What does “Make sure your wifi router is configured with your dynamic DNS provider of choice” mean? I can set port forwarding on my router but Internet Provider has removed the ability for me to change my DNS Server. I hope all that is needed is for me to have cloudflare point my FQDN to my router and the port forward will get the rest of the job done. I really hate dealing with network stuff was it never seems to work for me and I am so afraid of everything being exposed due to poor security.

Thanks Ken! So, your personal wifi router will connect into your internet service provider (ISP) and provision for you an IP address which you will NAT (network address translation) to your personal network. Let’s say they provision 123.456.789.012 (I just made this up) to you at runtime, but this address can change at anytime with your ISP. Dynamic DNS was invented for this reason which plugs into your wifi router with your DNS provider to that whenever your IP address changes it dynamically updates your DNS record. That way everyone still points to your DNS name (in my example it’s and not the actual IP address that can and will change. If your DNS record points to your wifi router, then you can port forward 443 to your FreeNAS jail IP that is running wordpress.

BTW, FreeNAS is not for beginners: some complex topics covered.

Network security is important for everything! Make sure to use SSL (encrypts in transit) for all processes exposed and a VPN.

Stick with it. Persistence! Good Luck.

I can’t run mysql –u root –p. It says:

root@Wordpress:/ # mysql –u root –p
mysql Ver 14.14 Distrib 5.7.31, for FreeBSD11.3 (amd64) using EditLine wrapper
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Usage: mysql [OPTIONS] [database]
-?, –help Display this help and exit.
-I, –help Synonym for -?
–auto-rehash Enable automatic rehashing. One doesn’t need to use
‘rehash’ to get table and field completion, but startup
and reconnecting may take a longer time. Disable with
(Defaults to on; use –skip-auto-rehash to disable.)
-A, –no-auto-rehash
No automatic rehashing. One has to use ‘rehash’ to get
table and field completion. This gives a quicker start of
mysql and disables rehashing on reconnect.
Automatically switch to vertical output mode if the
result is wider than the terminal width.
-B, –batch Don’t use history file. Disable interactive behavior.
(Enables –silent.)
–bind-address=name IP address to bind to.
–binary-as-hex Print binary data as hex
Directory for character set files.
–column-type-info Display column type information.
-c, –comments Preserve comments. Send comments to the server. The
default is –skip-comments (discard comments), enable
with –comments.
-C, –compress Use compression in server/client protocol.
-#, –debug[=#] This is a non-debug version. Catch this and exit.
–debug-check This is a non-debug version. Catch this and exit.
-T, –debug-info This is a non-debug version. Catch this and exit.
-D, –database=name Database to use.
Set the default character set.
–delimiter=name Delimiter to be used.
Enable/disable the clear text authentication plugin.
-e, –execute=name Execute command and quit. (Disables –force and history
-E, –vertical Print the output of a query (rows) vertically.
-f, –force Continue even if we get an SQL error.
–histignore=name A colon-separated list of patterns to keep statements
from getting logged into syslog and mysql history.
-G, –named-commands
Enable named commands. Named commands mean this program’s
internal commands; see mysql> help . When enabled, the
named commands can be used from any line of the query,
otherwise only from the first line, before an enter.
Disable with –disable-named-commands. This option is
disabled by default.
-i, –ignore-spaces Ignore space after function names.
–init-command=name SQL Command to execute when connecting to MySQL server.
Will automatically be re-executed when reconnecting.
–local-infile Enable/disable LOAD DATA LOCAL INFILE.
-b, –no-beep Turn off beep on error.
-h, –host=name Connect to host.
-H, –html Produce HTML output.
-X, –xml Produce XML output.
–line-numbers Write line numbers for errors.
(Defaults to on; use –skip-line-numbers to disable.)
-L, –skip-line-numbers
Don’t write line number for errors.
-n, –unbuffered Flush buffer after each query.
–column-names Write column names in results.
(Defaults to on; use –skip-column-names to disable.)
-N, –skip-column-names
Don’t write column names in results.
–sigint-ignore Ignore SIGINT (CTRL-C).
-o, –one-database Ignore statements except those that occur while the
default database is the one named at the command line.
–pager[=name] Pager to use to display results. If you don’t supply an
option, the default pager is taken from your ENV variable
PAGER. Valid pagers are less, more, cat [> filename],
etc. See interactive help (\h) also. This option does not
work in batch mode. Disable with –disable-pager. This
option is disabled by default.
-p, –password[=name]
Password to use when connecting to server. If password is
not given it’s asked from the tty.
-P, –port=# Port number to use for connection or 0 for default to, in
order of preference, my.cnf, $MYSQL_TCP_PORT,
/etc/services, built-in default (3306).
–prompt=name Set the mysql prompt to this value.
–protocol=name The protocol to use for connection (tcp, socket, pipe,
-q, –quick Don’t cache result, print it row by row. This may slow
down the server if the output is suspended. Doesn’t use
history file.
-r, –raw Write fields without conversion. Used with –batch.
–reconnect Reconnect if the connection is lost. Disable with
–disable-reconnect. This option is enabled by default.
(Defaults to on; use –skip-reconnect to disable.)
-s, –silent Be more silent. Print results with a tab as separator,
each row on new line.
-S, –socket=name The socket file to use for connection.
–ssl-mode=name SSL connection mode.
–ssl Deprecated. Use –ssl-mode instead.
(Defaults to on; use –skip-ssl to disable.)
Deprecated. Use –ssl-mode=VERIFY_IDENTITY instead.
–ssl-ca=name CA file in PEM format.
–ssl-capath=name CA directory.
–ssl-cert=name X509 cert in PEM format.
–ssl-cipher=name SSL cipher to use.
–ssl-key=name X509 key in PEM format.
–ssl-crl=name Certificate revocation list.
–ssl-crlpath=name Certificate revocation list path.
–tls-version=name TLS version to use, permitted values are: TLSv1, TLSv1.1,
File path to the server public RSA key in PEM format.
Get server public key
-t, –table Output in table format.
–tee=name Append everything into outfile. See interactive help (\h)
also. Does not work in batch mode. Disable with
–disable-tee. This option is disabled by default.
-u, –user=name User for login if not current user.
-U, –safe-updates Only allow UPDATE and DELETE that uses keys.
-U, –i-am-a-dummy Synonym for option –safe-updates, -U.
-v, –verbose Write more. (-v -v -v gives the table output format).
-V, –version Output version information and exit.
-w, –wait Wait and retry if connection is down.
–connect-timeout=# Number of seconds before connection timeout.
The maximum packet length to send to or receive from
The buffer size for TCP/IP and socket communication.
–select-limit=# Automatic limit for SELECT when using –safe-updates.
–max-join-size=# Automatic limit for rows in a join when using
–secure-auth Refuse client connecting to server if it uses old
(pre-4.1.1) protocol. Deprecated. Always TRUE
–server-arg=name Send embedded server this as a parameter.
–show-warnings Show warnings after every statement.
-j, –syslog Log filtered interactive commands to syslog. Filtering of
commands depends on the patterns supplied via histignore
option besides the default patterns.
–plugin-dir=name Directory for client-side plugins.
–default-auth=name Default authentication client-side plugin to use.
–binary-mode By default, ASCII ‘\0’ is disallowed and ‘\r\n’ is
translated to ‘\n’. This switch turns off both features,
and also turns off parsing of all clientcommands except
\C and DELIMITER, in non-interactive mode (for input
piped to mysql or loaded using the ‘source’ command).
This is necessary when processing output from mysqlbinlog
that may contain blobs.
Notify the server that this client is prepared to handle
expired password sandbox mode.

Default options are read from the following files in the given order:
/usr/local/etc/my.cnf /usr/local/etc/mysql/my.cnf ~/.my.cnf
The following groups are read: mysql client
The following options may be given as the first argument:
–print-defaults Print the program argument list and exit.
–no-defaults Don’t read default options from any option file,
except for login file.
–defaults-file=# Only read default options from the given file #.
–defaults-extra-file=# Read this file after the global files are read.
Also read groups with concat(group, suffix)
–login-path=# Read this path from the login file.

Variables (–variable-name=value)
and boolean options {FALSE|TRUE} Value (after reading options)
——————————— —————————————-
auto-rehash FALSE
auto-vertical-output FALSE
bind-address (No default value)
binary-as-hex FALSE
character-sets-dir (No default value)
column-type-info FALSE
comments FALSE
compress FALSE
database (No default value)
default-character-set auto
delimiter ;
enable-cleartext-plugin FALSE
vertical FALSE
force FALSE
histignore (No default value)
named-commands FALSE
ignore-spaces FALSE
init-command (No default value)
local-infile FALSE
no-beep FALSE
host (No default value)
html FALSE
line-numbers TRUE
unbuffered FALSE
column-names TRUE
sigint-ignore FALSE
port 3306
prompt \u@\h [\d]>\_
quick FALSE
reconnect TRUE
socket /tmp/mysql.sock
ssl TRUE
ssl-verify-server-cert FALSE
ssl-ca (No default value)
ssl-capath (No default value)
ssl-cert (No default value)
ssl-cipher (No default value)
ssl-key (No default value)
ssl-crl (No default value)
ssl-crlpath (No default value)
tls-version (No default value)
server-public-key-path (No default value)
get-server-public-key FALSE
table FALSE
user (No default value)
safe-updates FALSE
i-am-a-dummy FALSE
connect-timeout 0
max-allowed-packet 16777216
net-buffer-length 16384
select-limit 1000
max-join-size 1000000
secure-auth TRUE
show-warnings FALSE
plugin-dir (No default value)
default-auth (No default value)
binary-mode FALSE
connect-expired-password FALSE

When I run it. Can you help?

When I run it; it works for me. Make sure you aren’t cutting and pasting the command in as that could lead to some unicode characters like the dreaded “long-dash” which the command line won’t know what do do with. We are only passing two variables to the mysql command, one is -u for user and one is -p for prompt for password. Please try typing the command into the command line with only “one dash” before the u and “one dash” before the p.

The HyperText Transfer Protocol (HTTP) 500 Internal Server Error server error response code indicates that the server encountered an unexpected condition that prevented it from fulfilling the request. This error response is a generic “catch-all” response. <<< check your error logs and access logs to see if Jetpack is making it to Nginx and php.

ssh to the wordpress jail instance in FreeNAS. I show in the early steps of the tutorial how to do that. jls and then sudo jexec /bin/tcsh

When you are on the command line for your FreeNAS jail you can move around to the directory that your logs are stored. In the example we used /var/run/error.log to store our error log file. go to that directory and type “less error.log” to view the file. The logs are typically fairly good at pointing you to the issue (i.e. cannot write a file or some other such issue). Always start small and prove bits work and then work backwards. For me I got nginx up and running with a static index.html file first. Then, I got php-fpm working and created a small index.php file to check that worked. Then I added SSL and checked. I worked up to installing wordpress, etc. Trial and error is usually a good way to learn this stuff and how it’s all stitched together. You need to be comfortable on the command line to follow my tutorial.

Hi I’m very comfortable with the Ubuntu command line but I’m new to FreeBSD. What I think I’m going to do is wait for my new RAM to arrive, run an Ubuntu VM and follow one of the many WordPress on Ubuntu tutorials. Thanks.

Wow, I didn’t realise my little unfinished write-up would some how be helpful to someone. Cool.

I was revisiting my old unfinished website recently to give it life again, when I read your comment.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.