Ubuntu 12.04 LTS + nginx + php-fpm - chrooting users

Discussion in 'Installation/Configuration' started by gridorian, Mar 21, 2014.

  1. gridorian


    Hello guys,

    I have the following configs.
    I need your help setting up a chroot for each php-fpm pool configuration (one per user).
    Practically, I want to confine each user to his own environment and isolate him from the host Linux environment as much as possible.

    P.S. Can I do this from nginx instead of php-fpm? I'm thinking of extending the hosting to other languages, not only PHP.

    # Worker processes run as www-data. The per-user php-fpm socket below is
    # created with listen.group = www-data and listen.mode = 660, so this user
    # (via its group) is what grants nginx access to each user's socket.
    user www-data;
    # As a thumb rule: One per CPU. If you are serving a large amount
    # of static files, which requires blocking disk reads, you may want
    # to increase this from the number of cpu_cores available on your
    # system.
    # The maximum number of connections for Nginx is calculated by:
    # max_clients = worker_processes * worker_connections
    worker_processes 8;
    # Maximum file descriptors that can be opened per process
    # This should be > worker_connections
    worker_rlimit_nofile 8192;
    events {
        # When you need > 8000 * cpu_cores connections, you start optimizing
        # your OS, and this is probably the point at where you hire people
        # who are smarter than you, this is *a lot* of requests.
        worker_connections 8000;
    # NOTE(review): the closing brace of events {} is missing from this paste;
    # error_log and pid belong in the main context, not inside events {}.
    error_log /var/log/nginx/error.log;
    pid /var/run/nginx.pid;
    http {
        charset utf-8;
        # Set the mime-types via the mime.types external file
        include mime.types;
        # And the fallback mime-type
        default_type application/octet-stream;
        # Click tracking!
        access_log /var/log/nginx/access.log;
        # Hide nginx version (only the version string in the Server header and
        # error pages; it does not harden anything on its own)
        server_tokens off;
        # ~2 seconds is often enough for HTML/CSS, but connections in
        # Nginx are cheap, so generally it's safe to increase it
        keepalive_timeout 20;
        # You usually want to serve static files with Nginx
        sendfile on;
        tcp_nopush on; # off may be better for Comet/long-poll stuff
        tcp_nodelay on; # on may be better for Comet/long-poll stuff
        server_name_in_redirect off;
        types_hash_max_size 2048;
        gzip on;
        gzip_http_version 1.0;
        gzip_comp_level 5;
        gzip_min_length 512;
        gzip_buffers 4 8k;
        gzip_proxied any;
            # text/html is always compressed by HttpGzipModule
        # This should be turned on if you are going to have pre-compressed copies (.gz) of
        # static files available. If not it should be left off as it will cause extra I/O
        # for the check. It would be better to enable this in a location {} block for
        # a specific directory:
        # gzip_static on;
        gzip_disable "msie6";
        gzip_vary on;
        # other config files (the per-user server blocks are expected to live
        # under sites-enabled)
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
        # NOTE(review): the closing brace of http {} is missing from this paste.
    This is a config that will be particularized for each user.
    # pass the PHP scripts to FPM socket
    location ~ \.php$ {
        # Return 404 for a non-existent file rather than handing the request to
        # FPM; together with cgi.fix_pathinfo = 0 (see note below) this keeps
        # requests for paths that are not real scripts from being executed as PHP.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # NOTE(review): $USER is not a built-in nginx variable, so nginx will
        # normally refuse this config unless it is defined with `set`; the path
        # also does not match the pool's listen = /home/$pool/var/run/php-$pool-fpm.sock
        # below — the two must agree.
        fastcgi_pass unix:/home/$USER/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        # Document root is hard-coded to one shared directory rather than
        # $document_root. If the pool is chrooted (php-fpm pool directive
        # `chroot`), SCRIPT_FILENAME must be the path as seen from inside the
        # chroot, not the host path — otherwise FPM cannot find the script.
        fastcgi_param SCRIPT_FILENAME /usr/share/nginx/www$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /usr/share/nginx/www;
        fastcgi_intercept_errors on;
        include fastcgi_params;
        # NOTE(review): the closing brace of location {} is missing from this paste.
    This pool config is particularized for each user.
    ; php-fpm substitutes the pool name for $pool. Running each pool's workers as
    ; its own user/group is the process-level part of the isolation: a script can
    ; only touch what the $pool user can.
    user = $pool
    group = $pool
    ; NOTE(review): the nginx location above passes to
    ; /home/$USER/var/run/php5-fpm.sock; this path and that one must agree.
    listen = /home/$pool/var/run/php-$pool-fpm.sock
    ; Socket owned by the pool user, group www-data (the nginx worker user from
    ; `user www-data;`), mode 660 so other local users cannot connect to it.
    listen.owner = $pool
    listen.group = www-data
    listen.mode = 660
    ; NOTE(review): the chroot asked for in the post is the pool-level `chroot`
    ; directive (e.g. chroot = /home/$pool), usually with `chdir`. Once set, the
    ; paths the workers use at request time (sendmail_path, mail.log below) are
    ; resolved inside the chroot, and any binaries/libraries they need must exist
    ; there — presumably the socket path stays a host path since the master binds
    ; it; confirm against the php-fpm docs for this PHP version.
    pm = ondemand
    pm.max_children = 20
    pm.process_idle_timeout = 60
    pm.max_requests = 500
    request_terminate_timeout = 35
    php_admin_value[max_execution_time] = 60
    php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f $pool@sendmail-$pool
    ; With no chroot set, open_basedir is the only setting that confines PHP file
    ; access to /home/$pool; while it stays commented out, scripts in this pool can
    ; read anything the $pool user can read.
    #php_admin_value[open_basedir] = /home/$pool
    ; TODO(review): confirm realpath_cache_basedir is a recognised ini directive.
    #php_admin_value[realpath_cache_basedir] = /home/$pool
    php_admin_value[mail.log] = /home/$pool/log/php-mail.log
    ; Only files with these extensions are executed by this pool (a check against
    ; uploaded non-PHP files being run as PHP). Note .php54 is listed twice.
    security.limit_extensions = .php .php52 .php53 .php54 .php55 .php60 .php54 .php0
    ; NOTE(review): safe_mode was removed in PHP 5.4; harmless here but dead on newer PHP.
    php_admin_value[safe_mode] = off
    php_admin_value[realpath_cache_size] = 128M
