Old 21st March 2014, 12:26
gridorian gridorian is offline
Default Ubuntu 12.04 LTS + nginx + php-fpm - chrooting users

Hello guys,

I have the following configs.
I need your help setting up a chroot for each php-fpm config (one per user).
In practice, I want to confine each user to his own environment and isolate him from the host Linux environment as much as possible.

P.S. Can I do this from nginx instead of php-fpm? I'm thinking of extending the hosting to other languages, not only PHP.

/etc/nginx/nginx.conf
Code:
# Account the worker processes run as. Every per-user PHP-FPM socket has to
# admit this account (the pool file shown with this config does so through
# listen.group = www-data), and workers read static files as www-data, so
# separation between users at this layer rests on file permissions.
# NOTE(review): stock nginx has no per-server chroot directive; confining each
# user has to happen in the backend (the PHP-FPM pool) or at the OS level.
user www-data;
 
# As a thumb rule: One per CPU. If you are serving a large amount
# of static files, which requires blocking disk reads, you may want
# to increase this from the number of cpu_cores available on your
# system.
#
# The maximum number of connections for Nginx is calculated by:
# max_clients = worker_processes * worker_connections
worker_processes 8;
 
# Maximum file descriptors that can be opened per process
# This should be > worker_connections
# NOTE(review): worker_connections also counts connections to FastCGI
# backends, and open static files and logs use descriptors too, so 8192 leaves
# only 192 descriptors of headroom above the 8000 set below.
worker_rlimit_nofile 8192;
 
events {
    # When you need > 8000 * cpu_cores connections, you start optimizing
    # your OS, and this is probably the point at where you hire people
    # who are smarter than you, this is *a lot* of requests.
    worker_connections 8000;
}
 
# No level is given, so nginx logs at its default level (error).
error_log /var/log/nginx/error.log;
 
pid /var/run/nginx.pid;
 
# Settings shared by every virtual host; the per-site server {} blocks are
# pulled in by the two include lines at the end of this block.
http {
    charset utf-8;
 
    # Set the mime-types via the mime.types external file
    include mime.types;
 
    # And the fallback mime-type
    default_type application/octet-stream;
 
    # Click tracking!
    # NOTE(review): set at http level, so every site writes to this one file
    # unless its server {} block declares its own access_log.
    access_log /var/log/nginx/access.log;
 
    # Hide nginx version
    # (the version is dropped from the Server header and from error pages; the
    # server name itself is still sent)
    server_tokens off;
 
    # ~2 seconds is often enough for HTML/CSS, but connections in
    # Nginx are cheap, so generally it's safe to increase it
    keepalive_timeout 20;
 
    # You usually want to serve static files with Nginx
    sendfile on;
 
    tcp_nopush on; # off may be better for Comet/long-poll stuff
    tcp_nodelay on; # on may be better for Comet/long-poll stuff
 
    server_name_in_redirect off;
    types_hash_max_size 2048;
 
    # NOTE(review): compression applies to every site, including responses that
    # arrive through proxies (gzip_proxied any). If a site is served over TLS
    # and reflects request data next to secrets in the same response, compressed
    # output allows BREACH-style length side channels; no TLS listener is
    # visible in this file, so confirm per site.
    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 5;
    gzip_min_length 512;
    gzip_buffers 4 8k;
    gzip_proxied any;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/plain
        text/x-component
        application/javascript
        application/json
        application/xml
        application/xhtml+xml
        application/x-font-ttf
        application/x-font-opentype
        application/vnd.ms-fontobject
        image/svg+xml
        image/x-icon;
 
    # This should be turned on if you are going to have pre-compressed copies (.gz) of
    # static files available. If not it should be left off as it will cause extra I/O
    # for the check. It would be better to enable this in a location {} block for
    # a specific directory:
    # gzip_static on;
 
    gzip_disable "msie6";
    gzip_vary on;
     
    # other config files
    # Everything matched here, and any file those files include in turn (such
    # as a per-user snippet kept under /home/$USER/etc/nginx/), is parsed as
    # part of the server configuration. NOTE(review): these paths should be
    # writable by root only, otherwise a hosted user can change how nginx
    # behaves for every site — confirm ownership and modes.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
    
}
This is a config that each user will have, customized for that user.
/home/$USER/etc/nginx/php
Code:
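    # Pass PHP scripts to this user's PHP-FPM pool over its Unix socket.
    #
    # $USER is a template placeholder that has to be replaced with the account
    # name when the file is generated; nginx does not define a variable of that
    # name.
    # NOTE(review): this snippet lives under the user's home directory. Keep it
    # owned by root and not writable by the user, because nginx parses it as
    # part of the server configuration.
    location ~ \.php$ {
        # Answer 404 unless the requested file exists, so PHP is only asked to
        # run scripts that are really present under the document root.
        try_files $uri =404;

        # NOTE(review): a URI that ends in .php seldom carries a PATH_INFO
        # suffix, and try_files above rejects one that does, so this split is
        # effectively unused in this location.
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        #fastcgi_pass 127.0.0.1:22000;
        # Socket name aligned with the pool file's
        # "listen = /home/$pool/var/run/php-$pool-fpm.sock"; the previous
        # php5-fpm.sock name did not match the socket that pool creates.
        fastcgi_pass unix:/home/$USER/var/run/php-$USER-fpm.sock;

        fastcgi_index index.php;

        # NOTE(review): both paths point at the shared /usr/share/nginx/www
        # tree, not at a per-user directory. If the pool is later given a
        # chroot, SCRIPT_FILENAME and DOCUMENT_ROOT must be the paths as
        # PHP-FPM sees them inside the chroot, which differ from the paths
        # nginx itself uses for try_files.
        fastcgi_param SCRIPT_FILENAME /usr/share/nginx/www$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /usr/share/nginx/www;

        fastcgi_intercept_errors on;

        # NOTE(review): the stock fastcgi_params file also sets DOCUMENT_ROOT
        # (and, in some packaged versions, SCRIPT_FILENAME), so those
        # parameters are sent twice; verify which copy PHP-FPM honours.
        include fastcgi_params;
    }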
This is particularized for each user.
/etc/php5/fpm/pool.d/$USER.conf
Code:
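; PHP-FPM pool for one hosted account.
; [USER] stands for the pool name and has to be replaced with the account
; name; PHP-FPM substitutes $pool with that name in the directives below.
; Disabled lines use ';' because newer PHP releases no longer accept '#' as an
; INI comment marker.
[USER]
; Worker processes run under the account's own uid/gid.
user = $pool
group = $pool
; NOTE(review): no chroot is configured, so scripts in this pool see the whole
; host filesystem, limited only by Unix permissions. PHP-FPM has per-pool
; "chroot" and "chdir" directives, for example:
;   chroot = /home/$pool
;   chdir = /
; Before enabling them: the paths nginx sends (SCRIPT_FILENAME, DOCUMENT_ROOT)
; and path-valued PHP settings such as mail.log below are then resolved inside
; the chroot, and whatever PHP needs at run time (resolver files, timezone
; data, the sendmail binary, a writable tmp/session directory) has to exist
; inside it. Test with one account first.
listen = /home/$pool/var/run/php-$pool-fpm.sock
; Only the account itself and members of www-data (the nginx workers) may
; connect to the socket.
listen.owner = $pool
listen.group = www-data
listen.mode = 660
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 60
pm.max_requests = 500
; NOTE(review): a request is killed after 35 s of wall-clock time, so the 60 s
; max_execution_time below cannot take effect first.
request_terminate_timeout = 35
php_admin_value[max_execution_time] = 60
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f $pool@sendmail-$pool
; NOTE(review): open_basedir is disabled; with no chroot either, nothing in
; this pool restricts PHP file access beyond the account's Unix permissions.
;php_admin_value[open_basedir] = /home/$pool
;php_admin_value[realpath_cache_basedir] = /home/$pool
php_admin_value[mail.log] = /home/$pool/log/php-mail.log
; Duplicate .php54 entry removed. NOTE(review): the nginx location that feeds
; this pool forwards only URIs ending in .php, so this list can probably be
; narrowed to ".php" alone.
security.limit_extensions = .php .php52 .php53 .php54 .php55 .php60 .php0
; NOTE(review): safe_mode no longer exists in later PHP releases; drop this
; line when upgrading.
php_admin_value[safe_mode] = off
php_admin_value[realpath_cache_size] = 128M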
__________________
yume wa yume de shikanai...