Php-cgi and suexec-like configuration using NginX and php-fpm (LEMP Setup)

If we want to secure our own LAMP server or provide web space for friends or customers, we would usually use php-cgi and suexec to let the scripts execute as different users. With NginX the setup differs somewhat, but with php-fpm pools we can achieve the same sort of additional security.

The following example is based on Ubuntu 14.04 LTS. It also works for other distributions with slight modifications.

Installation

Configuration

Php-fpm

Our php-fpm processes are launched by the pool manager, and each NginX domain is configured to access a different php-fpm pool. After installation we already have a www pool, which we can use for a general website shown for our server domain (e.g. hostxyz.myservers.biz).

We’ll be configuring a php-fpm pool for each customer. It is also possible to do this for each domain.

First we’ll create a file web1000.conf in the folder /etc/php5/fpm/pool.d.

We also have to create the new user.

And restart our php-fpm pool manager afterwards.

We should find our new socket in the /var/run/ folder.

NginX

Next we have to tell NginX to use the new pool. In this example we’ll use /home/www/kunde/projekt as the document root. You might as well use something below /var.

For that we go to /etc/nginx/sites-available and create a new file web1000.conf.

The configuration for other customers is similar but with different sockets and user and group names.
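
The steps above as one sketch, added here as an illustration and not the author's own listings: two shell functions that print a per-customer pool file and the matching NginX server block, so the user, socket and document root stay consistent. Assumptions not taken from the page: the socket name /var/run/php5-fpm-<user>.sock, www-data as the NginX worker user, the pm limits, the server name web1000.example.org, and the open_basedir line.

```shell
#!/bin/sh
# Added example: render a per-customer php-fpm pool and the matching NginX vhost.
# Assumed (not from the page): socket name, pm limits, server name, open_basedir.

# render_pool USER DOCROOT -> contents for /etc/php5/fpm/pool.d/USER.conf
render_pool() {
    cat <<EOF
[$1]
; Workers run as the customer's own user, not as www-data
user = $1
group = $1
listen = /var/run/php5-fpm-$1.sock
; Only the NginX worker user may connect to this socket
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 2
; Trailing slash: restrict to this directory, not to every path with this prefix
php_admin_value[open_basedir] = $2/
EOF
}

# render_vhost USER DOCROOT SERVER_NAME -> contents for sites-available/USER.conf
render_vhost() {
    cat <<EOF
server {
    listen 80;
    server_name $3;
    root $2;
    index index.php index.html;

    location ~ \.php\$ {
        # Do not hand non-existent paths to PHP
        try_files \$uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm-$1.sock;
    }
}
EOF
}

render_pool web1000 /home/www/kunde/projekt
render_vhost web1000 /home/www/kunde/projekt web1000.example.org
```

Redirect the first output to /etc/php5/fpm/pool.d/web1000.conf and the second to /etc/nginx/sites-available/web1000.conf once the web1000 user exists, then restart php-fpm and reload NginX.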

Additional configuration

This would usually be accompanied by a chrooted SFTP server and PHP open_basedir restrictions.
