
Php-cgi and suexec-like configuration using NginX and php-fpm (LEMP setup)

If we want to secure our own LAMP server or provide web space for friends or customers, we would usually use php-cgi and suexec so that each site's scripts execute as a different system user. With NginX the setup differs somewhat, but with php-fpm pools we can achieve the same kind of additional separation.

The following example is based on Ubuntu 14.04 LTS. It also works for other distributions with slight modifications.

Installation

apt-get install php5-fpm nginx

Configuration

Php-fpm

Our php-fpm processes are launched by the pool manager, and each NginX domain is configured to talk to a different php-fpm pool. After installation there is already a www pool, which we can use for a general website shown for the server's own domain (e.g. hostxyz.myservers.biz).

We’ll be configuring a php-fpm pool for each customer. It is also possible to do this for each domain.

First we create the file web1000.conf in the folder /etc/php5/fpm/pool.d.

[web1000]
; system user name
user = web1000
; system group name
group = web1000
; unique socket per pool
listen = /var/run/php5-fpm-web1000.sock

listen.owner = www-data
listen.group = www-data

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp

We also have to create the new user.

adduser --disabled-password web1000

And restart our php-fpm pool manager afterwards.

service php5-fpm restart

We should now find the new socket, /var/run/php5-fpm-web1000.sock, in the /var/run/ folder, owned by www-data as set by listen.owner and listen.group.

NginX

Next we have to tell NginX to use the new pool. In this example we use a tree of the form /home/www/kunde/projekt (customer/project) as the document root, here /home/www/web1000/testdomain. You might as well use something below /var.

For that we go to /etc/nginx/sites-available and create a new file web1000.conf.

server {
        listen   80;

        root /home/www/web1000/testdomain/docs;
        index index.php index.html index.htm;
        server_name test.canya.rzpool.de;

        error_log /home/www/web1000/testdomain/logs/error.log;
        access_log /home/www/web1000/testdomain/logs/access.log;

        location / {
                try_files $uri $uri/ /index.html =404;
        }

        error_page 404 /404.html;

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
                root /usr/share/nginx/www;
        }

        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass unix:/var/run/php5-fpm-web1000.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

The configuration for other customers is similar but with different sockets and user and group names.
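The whole procedure above (pool file, system account, directory layout, vhost) collected into one script, as an added example that is not part of the original post. It assumes the Ubuntu 14.04 paths used in the post, customer ids of the form web1000, nginx running as www-data, and a hypothetical PREFIX variable that lets you render the files into a scratch directory before touching the live system. Beyond the post it sets listen.mode explicitly and fixes the ownership of the customer tree so that one customer's PHP (running as web1000) cannot read another customer's files.

```shell
#!/bin/sh
# Added example (not from the original post): provision one customer account
# from the pieces shown above. Assumed: Ubuntu 14.04 paths as in the post,
# customer ids like web1000, nginx running as www-data. PREFIX is a
# hypothetical scratch root: empty for the live system, or a temporary
# directory to review the generated files first.

PREFIX="${PREFIX:-}"
NGINX_USER=www-data

# php-fpm pool: PHP runs as the customer's own account on a private socket.
# Comments sit on their own lines and start with ';' (php-fpm ini syntax).
render_pool_conf() {
    acct="$1"
    cat <<EOF
[$acct]
; system user and group the PHP workers run as
user = $acct
group = $acct
; one socket per pool, owned by the nginx user, mode set explicitly
listen = /var/run/php5-fpm-$acct.sock
listen.owner = $NGINX_USER
listen.group = $NGINX_USER
listen.mode = 0660

pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

env[HOSTNAME] = \$HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
EOF
}

# nginx vhost: "try_files \$uri =404" runs before fastcgi_pass, so a request
# like /image.png/x.php is never handed to PHP (the cgi.fix_pathinfo pitfall)
render_vhost() {
    acct="$1"; domain="$2"; home="/home/www/$acct/$domain"
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    root $home/docs;
    index index.php index.html index.htm;
    error_log $home/logs/error.log;
    access_log $home/logs/access.log;

    location / {
        try_files \$uri \$uri/ =404;
    }

    location ~ \\.php\$ {
        try_files \$uri =404;
        fastcgi_pass unix:/var/run/php5-fpm-$acct.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi_params;
    }
}
EOF
}

# write pool file, vhost file and directory layout below $PREFIX
provision() {
    acct="$1"; domain="$2"; home="$PREFIX/home/www/$acct/$domain"
    mkdir -p "$PREFIX/etc/php5/fpm/pool.d" "$PREFIX/etc/nginx/sites-available" \
             "$home/docs" "$home/logs"
    render_pool_conf "$acct" > "$PREFIX/etc/php5/fpm/pool.d/$acct.conf"
    render_vhost "$acct" "$domain" > "$PREFIX/etc/nginx/sites-available/$acct.conf"
}

# live-system steps (as root, after provision with an empty PREFIX):
# account, ownership, enable the site, restart/reload, check the socket
activate() {
    acct="$1"; domain="$2"; home="/home/www/$acct/$domain"
    adduser --disabled-password --gecos "" "$acct"
    # /home/www/<id> stays root-owned (usable as an sftp chroot later);
    # docs/ belongs to the customer, readable by nginx only through its group,
    # setgid so uploads inherit that group; logs/ are written by the nginx
    # master (root) and readable by this customer only
    chmod 755 "/home/www/$acct" "$home"
    chown -R "$acct:$NGINX_USER" "$home/docs" && chmod 2750 "$home/docs"
    chown "root:$acct" "$home/logs" && chmod 750 "$home/logs"
    ln -sf "/etc/nginx/sites-available/$acct.conf" "/etc/nginx/sites-enabled/$acct.conf"
    service php5-fpm restart
    nginx -t && service nginx reload
    ls -l "/var/run/php5-fpm-$acct.sock"   # srw-rw---- www-data www-data
}

# usage: provision web1000 test.example.org && activate web1000 test.example.org
```

Run provision with PREFIX pointing at an empty directory first and diff the result against the files in the post; then run it again with PREFIX unset followed by activate. The ownership scheme is what actually enforces the separation: nginx reaches docs/ through the www-data group, the customer's PHP reaches it as the owner, and every other pool user is "other" with no permission at all.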

Additional configuration

This would usually be accompanied by a chrooted SFTP server and PHP open_basedir restrictions.
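The two additions just mentioned as concrete pieces, again as an added example rather than the post's own configuration. It assumes the customer tree /home/www/<id> from the post, a hypothetical system group sftponly for chrooted upload accounts, OpenSSH with internal-sftp, and PHP 5.5 or later (Ubuntu 14.04 ships 5.5). The disable_functions and private temp directories go beyond what the post names; the private temp directory is needed because open_basedir would otherwise cut PHP off from the shared /tmp that the pool's env[] lines point at.

```shell
#!/bin/sh
# Added example (not from the original post): the "additional configuration"
# mentioned above. Assumed: customer tree /home/www/<id> as in the post,
# a hypothetical group "sftponly", OpenSSH with internal-sftp, PHP >= 5.5.

# lines to append to the customer's pool file: PHP may only open files below
# its own tree, gets a private temp/session dir (create /home/www/<id>/tmp
# owned by the customer, mode 0700) instead of the shared /tmp, and loses the
# process-spawning functions. disable_functions is beyond what the post names.
render_pool_hardening() {
    acct="$1"; base="/home/www/$acct"
    cat <<EOF
php_admin_value[open_basedir] = $base
php_admin_value[upload_tmp_dir] = $base/tmp
php_admin_value[session.save_path] = $base/tmp
php_admin_value[sys_temp_dir] = $base/tmp
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
php_admin_flag[allow_url_include] = off
php_admin_flag[expose_php] = off
EOF
}

# sshd_config Match block (append at the end of the file): members of
# sftponly are chrooted into their tree and get sftp only. sshd refuses the
# chroot unless that directory is root-owned and neither group- nor
# world-writable, so the writable docs/ must live one level below it.
# umask 0027 keeps uploads readable by the docs/ group (www-data) only.
render_sshd_match() {
    cat <<'EOF'
Match Group sftponly
    ChrootDirectory /home/www/%u
    ForceCommand internal-sftp -u 0027
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# check the chroot precondition for one directory: it exists, is owned by
# OWNER and has neither the group-write (020) nor the other-write (002) bit
check_chroot_dir() {
    dir="$1"; owner="$2"
    [ -n "$(find "$dir" -maxdepth 0 -type d -user "$owner" \
                 ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# usage on the live system (as root):
#   render_pool_hardening web1000 >> /etc/php5/fpm/pool.d/web1000.conf
#   render_sshd_match >> /etc/ssh/sshd_config
#   addgroup sftponly && adduser web1000 sftponly
#   check_chroot_dir /home/www/web1000 root && service ssh reload
```

Run check_chroot_dir against every /home/www/<id> before reloading sshd: a chroot directory that fails the ownership or write-bit test makes sshd reject the login with "bad ownership or modes for chroot directory", which is easy to misread as a key problem.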
