PHP-FPM/Nginx Security In Shared Hosting Environments (Debian/Ubuntu)

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Thu, 2011-09-22 17:05. :: Debian | Ubuntu | Web Server | nginx | PHP

PHP-FPM/Nginx Security In Shared Hosting Environments (Debian/Ubuntu)

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Follow me on Twitter
Last edited 09/21/2011

If you want to use nginx and PHP-FPM for shared hosting environments, you should make up your mind about security. In Apache/PHP environments, you can use suExec and/or suPHP to make PHP execute under individual user accounts instead of a system user like www-data. There's no such thing for PHP-FPM, but fortunately PHP-FPM allows us to set up a "pool" for each web site that makes PHP scripts execute as the user/group defined in that pool. This gives you all the benefits of suPHP, and in addition to that you don't have any FTP or SCP transfer problems because PHP scripts don't need to be owned by a specific user/group to be executed as the user/group defined in the pool.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I use a vhost called www.example.com/example.com here with the document root /var/www/www.example.com/web.

You should have a working LEMP installation, as shown in these tutorials:

A note for Ubuntu users:

Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing

sudo su

 

2 What We Have So Far

On Debian/Ubuntu, PHP-FPM's pool directory is /etc/php5/fpm/pool.d/ - this is where new pools will be created. The php.ini used by PHP-FPM is /etc/php5/fpm/php.ini. There's one pool already, www.conf - let's take a look at it:

vi /etc/php5/fpm/pool.d/www.conf

; Start a new pool named 'www'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses on a
;                            specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = 127.0.0.1:9000
; Set listen(2) backlog. A value of '-1' means unlimited.
; Default Value: 128 (-1 on FreeBSD and OpenBSD)
;listen.backlog = -1
; List of ipv4 addresses of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0666
;listen.owner = www-data
;listen.group = www-data
;listen.mode = 0666
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = www-data
group = www-data
; Choose how the process manager will control the number of child processes.
; Possible Values:
;   static  - a fixed number (pm.max_children) of child processes;
;   dynamic - the number of child processes are set dynamically based on the
;             following directives:
;             pm.max_children      - the maximum number of children that can
;                                    be alive at the same time.
;             pm.start_servers     - the number of children created on startup.
;             pm.min_spare_servers - the minimum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is less than this
;                                    number then some children will be created.
;             pm.max_spare_servers - the maximum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is greater than this
;                                    number then some children will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes to be created when pm is set to 'dynamic'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI.
; Note: Used when pm is set to either 'static' or 'dynamic'
; Note: This value is mandatory.
pm.max_children = 50
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
;pm.start_servers = 20
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 5
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 35
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. By default, the status page shows the following
; information:
;   accepted conn        - the number of request accepted by the pool;
;   pool                 - the name of the pool;
;   process manager      - static or dynamic;
;   idle processes       - the number of idle processes;
;   active processes     - the number of active processes;
;   total processes      - the number of idle + active processes.
;   max children reached - number of times, the process limit has been reached,
;                          when pm tries to start more children (works only for
;                          pm 'dynamic')
; The values of 'idle processes', 'active processes' and 'total processes' are
; updated each second. The value of 'accepted conn' is updated in real time.
; Example output:
;   accepted conn:        12073
;   pool:                 www
;   process manager:      static
;   idle processes:       35
;   active processes:     65
;   total processes:      100
;   max children reached: 1
; By default the status page output is formatted as text/plain. Passing either
; 'html' or 'json' as a query string will return the corresponding output
; syntax. Example:
;   http://www.foo.bar/status
;   http://www.foo.bar/status?json
;   http://www.foo.bar/status?html
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
;       possible. However, all PHP paths will be relative to the chroot
;       (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
chdir = /
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
;   php_value/php_flag             - you can set classic ini defines which can
;                                    be overwritten from PHP call 'ini_set'.
;   php_admin_value/php_admin_flag - these directives won't be overwritten by
;                                     PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
;                specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

As you see, this pool is listening on port 9000 on localhost (127.0.0.1), and it is being run as the user and group www-data.

Let's take a look at the PHP configuration in your vhost:

vi /etc/nginx/sites-available/example.com.vhost

server {
[...]
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
        }
[...]
}

The important part is the line fastcgi_pass 127.0.0.1:9000; - this makes nginx pass PHP requests to the PHP-FPM process listening on port 9000 on localhost (127.0.0.1) - as you remember, this is our pool defined in /etc/php5/fpm/pool.d/www.conf which means PHP scripts are executed as the user and group www-data.

 

3 Defining An Individual Pool For Each Website

My example.com website is owned by the user web1 and the group client0, so I want my PHP scripts to be executed as that user and group. Therefore I define a new pool /etc/php5/fpm/pool.d/example.com.conf:

vi /etc/php5/fpm/pool.d/example.com.conf

[example.com]
listen = 127.0.0.1:9001
listen.allowed_clients = 127.0.0.1
user = web1
group = client0
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
chdir = /

As you see, I make this pool listen on port 9001 instead of 9000, and I define the user as web1 and the group as client0. You can define as many pools as you like, but make sure you use an unused port for each pool (9002, 9003, etc.).

Reload PHP-FPM:

/etc/init.d/php5-fpm reload

Now we change our vhost configuration to make use of the new pool. All you need to change is the port in the fastcgi_pass line:

vi /etc/nginx/sites-available/example.com.vhost

server {
[...]
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass 127.0.0.1:9001;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
        }
[...]
}

Reload nginx afterwards:

/etc/init.d/nginx reload

That''s it! PHP scripts are now being executed as the user web1 and the group client0.

You can make PHP even more secure by changing PHP settings individually for each vhost. Take a look at the bottom of /etc/php5/fpm/pool.d/www.conf, it has some examples of how to achieve this.

For example, you could set open_basedir or disable_functions in the /etc/php5/fpm/pool.d/example.com.conf pool.

vi /etc/php5/fpm/pool.d/example.com.conf

[example.com]
listen = 127.0.0.1:9001
listen.allowed_clients = 127.0.0.1
user = web1
group = client0
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
chdir = /
php_admin_value[open_basedir] = /var/www/www.example.com:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin
php_admin_value[disable_functions] = dl,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Reload PHP-FPM:

/etc/init.d/php5-fpm reload

 

3.1 Using Sockets Instead Of TCP Connections

Up to now, we have used TCP connections for our PHP-FPM pool (127.0.0.1:9000, 127.0.0.1:9001, etc.). This causes some overhead. Fortunately we can use Unix sockets instead of TCP connections for our pools and get rid of this overhead. Therefore, Unix sockets are more performant than TCP connections.

I want sockets to be created in the /var/run/php5-fpm directory, therefore we have to create that directory first:

mkdir /var/run/php5-fpm

To use a Unix socket, we simply change the listen line in our pool definition, comment out or remove the listen.allowed_clients line (makes sense only for TCP connections), and add the lines listen.owner (defines the owner of the socket), listen.group (defines the group of the socket), and listen.mode (defines the permissions of the socket):

vi /etc/php5/fpm/pool.d/example.com.conf

[example.com]
listen = /var/run/php5-fpm/example.com.sock
;listen.allowed_clients = 127.0.0.1
listen.owner = web1
listen.group = client0
listen.mode = 0660
user = web1
group = client0
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
chdir = /

Reload PHP-FPM afterwards:

/etc/init.d/php5-fpm reload

Take a look at the /var/run/php5-fpm directory:

ls -l /var/run/php5-fpm

You should find the socket example.com.sock there with the permissions 0660, owned by the user web1 and the group client0:

root@server1:~# ls -l /var/run/php5-fpm
total 0
srw-rw---- 1 web1 client0 0 2011-09-21 11:08 example.com.sock
root@server1:~#

Finally we must change the fastcgi_pass line in our nginx vhost to fastcgi_pass unix:/var/run/php5-fpm/example.com.sock;:

vi /etc/nginx/sites-available/example.com.vhost

server {
[...]
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php5-fpm/example.com.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            include /etc/nginx/fastcgi_params;
        }
[...]
}

Reload nginx afterwards:

/etc/init.d/nginx reload

That's it!

 

4 Links

 

About The Author

Falko Timme is the owner of Boost Your Site mit Timme Hosting - ultra-schnelles nginx-WebhostingTimme Hosting (ultra-fast nginx web hosting). He is the lead maintainer of HowtoForge (since 2005) and one of the core developers of ISPConfig (since 2000). He has also contributed to the O'Reilly book "Linux System Administration".


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Sat, 2014-05-24 06:07.

user = web1

group = client0

 these should be real system user or can be anything?

Submitted by Sam (not registered) on Thu, 2012-03-22 17:02.

Hi,

 I'm not sure about this but I think using TCP sockets is inherently insecure in this setup.

Let's assume you're running 2 pools:

Pool1 User: www-data Port: 9000

Pool2 User: bob Port: 9001 

While PHP scripts run as Bob and therefore have only the same rights as Bob, wouldn't it be possible to simply write a PHP script that connects to 127.0.0.1:9000 and pass some script that will be executed as www-data?

Submitted by AndDM (not registered) on Mon, 2011-12-12 18:00.
Hi, i've followed this usefull guide, but i've problem with socket's permission, in particular, i had write permission 0660 as you suggest, but i've this:
2011/12/12 14:50:44 [crit] 1904#0: *5 connect() to unix:/var/run/php5-fpm/test1.com.sock failed (13: Permission denied) while connecting to upstream, client: 192.168.57.1, server: test1.com, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm/test1.com.sock:", host: "test1.com"
It works only with permissions 0666.
Then, if i write a file and assign to it to another user, i can execute it too.

Could you tell me if you find these problems too?

Thanks for this guide.
Best regards.
Submitted by B.R. (not registered) on Thu, 2012-05-10 01:02.

Hi,

I just got the same problem and I solved it.

The owner group of the socket is useless, your socket needs to be owned by the user of the application which needs to have priviledges on it. The early information of that is when your current configuration only works if you let any user access to it ('other' permissions).

Thus, set permissions to 0600 and change the listen-user in your pool configuration file from PHP-FPM (/etc/nginx/fpm/pool.d/*.cong) to 'nginx'. The group is useless.

I don't know if this is a bug in the spawn of the PHP-FPM UNIX socket or if this is the genuine behavior of UNIX sockets, but I am a little lost on this. I don't get it either.

Enjoy!

Submitted by thegeneral (not registered) on Mon, 2013-03-18 11:50.

This maybe because the fastcgi pass is coming from ,nginx and not the pool user. Also there maybe an issue with the openbase_dir restriction set ?