When we want to harden our own LAMP server, or host web space for friends or customers, the usual approach on Apache is php-cgi with suexec, so that each site's scripts run as a different system user. With NginX the setup is somewhat different, but php-fpm pools give us the same kind of separation: one pool, one Unix user, one socket per customer.
The following example is based on Ubuntu 14.04 LTS. It also works for other distributions with slight modifications.
Installation
apt-get install php5-fpm nginx
Configuration
Php-fpm
The php-fpm processes are launched by the pool manager, and each NginX virtual host is configured to talk to its own php-fpm pool over a private socket. After installation there is already a www pool, which we can keep for the general website shown under the server's own domain (e.g. hostxyz.myservers.biz).
We will configure one php-fpm pool per customer. The same can be done per domain if customers need their sites isolated from each other as well.
First we create the file web1000.conf in /etc/php5/fpm/pool.d. Comments in pool files start with ; and belong on their own line:
[web1000]
; system user and group the pool runs as
user = web1000
group = web1000
; unique socket per pool
listen = /var/run/php5-fpm-web1000.sock
listen.owner = www-data
listen.group = www-data
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
We also have to create the system user (and group) the pool runs as. It gets no password, since nobody should log in as it directly:
adduser --disabled-password web1000
And restart our php-fpm pool manager afterwards.
service php5-fpm restart
We should now find the new socket in /var/run/. Check its permissions with ls -l: it must be owned by www-data and not be world-writable (mode 660), otherwise any local user could connect to the socket and run PHP code as web1000. php-fpm before 5.4.28 and 5.5.12 created sockets with mode 0666 (CVE-2014-0185), so adding listen.mode = 0660 to the pool file explicitly is a cheap safeguard on older installations.
NginX
Next we have to tell NginX to use the new pool. In this example the document roots follow the pattern /home/www/<customer>/<project>; for web1000 that is /home/www/web1000/testdomain/docs. A location below /var works just as well.
For that we go to /etc/nginx/sites-available and create a new file web1000.conf. The try_files $uri =404 inside the PHP location matters: NginX then only passes files that actually exist to the pool, which closes the well-known cgi.fix_pathinfo hole where a request for /images/x.jpg/foo.php would get an uploaded image executed as PHP. After saving the file, enable it with a symlink in /etc/nginx/sites-enabled, run nginx -t and reload NginX.
server {
    listen 80;
    root /home/www/web1000/testdomain/docs;
    index index.php index.html index.htm;
    server_name test.canya.rzpool.de;
    error_log /home/www/web1000/testdomain/logs/error.log;
    access_log /home/www/web1000/testdomain/logs/access.log;

    location / {
        try_files $uri $uri/ /index.html =404;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm-web1000.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
The configuration for other customers is the same apart from the socket path and the user and group names. Keep in mind that NginX itself still runs as www-data and needs read access to every customer's docs directory for static files, while the customers' trees should not be readable by each other. Owning /home/www/web1000 by web1000:www-data with mode 0750 gives NginX what it needs and nothing to the other pool users.
Additional configuration
This is usually accompanied by a chrooted SFTP server (OpenSSH's ChrootDirectory) for uploads and a per-pool open_basedir restriction, set with php_admin_value[open_basedir] in the pool file so that scripts cannot change it with ini_set(). open_basedir is defence in depth only; the real boundary between customers is the separate Unix user of each pool and the file permissions on the trees.
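The whole procedure above (pool file, user, directory tree, vhost, socket check) and the open_basedir restriction just mentioned, collected into one provisioning script. This is an added example and not code from the original post; the helper names, the /home/www/<customer>/<site>/{docs,logs} layout, the private tmp directory and the per-pool open_basedir, upload_tmp_dir and session.save_path settings are assumptions of the example.

```shell
#!/bin/bash
# Added example (not from the original post): provision one customer with its
# own php-fpm pool and nginx vhost. Layout and per-pool php_admin_value
# settings are assumptions of this example.
# Usage (as root): ./addcustomer.sh web1000 testdomain test.canya.rzpool.de
set -eu

WWW_ROOT=/home/www
POOL_DIR=/etc/php5/fpm/pool.d
SITES_DIR=/etc/nginx/sites-available

# The customer name ends up in paths and root-owned config files, so accept
# only a plain lowercase alphanumeric token.
valid_name() {
    case "$1" in
        '' | *[!a-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# php-fpm pool: own user, socket reachable only by nginx, PHP confined to the
# customer tree with a private tmp dir instead of the shared /tmp.
render_pool() {
    local c="$1" tmp="$WWW_ROOT/$1/tmp"
    cat <<EOF
[$c]
; each customer runs under its own system user and group
user = $c
group = $c
; one socket per pool; 0660 so that only www-data (nginx) can connect
listen = /var/run/php5-fpm-$c.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; php_admin_value cannot be overridden by ini_set() from the scripts
php_admin_value[open_basedir] = $WWW_ROOT/$c
php_admin_value[upload_tmp_dir] = $tmp
php_admin_value[session.save_path] = $tmp
env[HOSTNAME] = \$HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = $tmp
env[TMPDIR] = $tmp
env[TEMP] = $tmp
EOF
}

# nginx vhost: only existing .php files are handed to the pool, so a request
# like /uploads/x.jpg/foo.php cannot make php-fpm execute the upload.
render_vhost() {
    local c="$1" base="$WWW_ROOT/$1/$2" fqdn="$3"
    cat <<EOF
server {
    listen 80;
    server_name $fqdn;
    root $base/docs;
    index index.php index.html index.htm;
    error_log $base/logs/error.log;
    access_log $base/logs/access.log;
    location / { try_files \$uri \$uri/ =404; }
    location ~ \.php$ {
        try_files \$uri =404;
        fastcgi_pass unix:/var/run/php5-fpm-$c.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        include fastcgi_params;
    }
}
EOF
}

# Privileged part: user, directory tree, config files, service restarts.
provision() {
    local c="$1" site="$2" fqdn="$3" sock="/var/run/php5-fpm-$1.sock"
    valid_name "$c" || { echo "refusing customer name '$c'" >&2; return 1; }
    id "$c" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$c"
    # customer owns the tree, www-data may traverse and read (0750), other
    # pool users get nothing; tmp is private to the pool user
    install -d -o "$c" -g www-data -m 0750 "$WWW_ROOT/$c" "$WWW_ROOT/$c/$site" \
        "$WWW_ROOT/$c/$site/docs" "$WWW_ROOT/$c/$site/logs"
    install -d -o "$c" -g "$c" -m 0700 "$WWW_ROOT/$c/tmp"
    render_pool "$c" > "$POOL_DIR/$c.conf"
    service php5-fpm restart
    # verify the socket really is www-data-only before wiring nginx to it
    [ "$(stat -c '%U:%G %a' "$sock")" = "www-data:www-data 660" ] \
        || { echo "unexpected socket permissions on $sock" >&2; return 1; }
    render_vhost "$c" "$site" "$fqdn" > "$SITES_DIR/$c.conf"
    ln -sf "$SITES_DIR/$c.conf" "/etc/nginx/sites-enabled/$c.conf"
    nginx -t && service nginx reload
}

# Only run the privileged steps when called with the three arguments.
if [ "$#" -eq 3 ]; then
    provision "$@"
fi
```

The render functions are pure and can be run as an unprivileged user to review what would be written; provision itself needs root and a php5-fpm whose socket comes up as www-data:www-data 660, and refuses to continue if it does not.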