Ubuntu 12.04 LTS + nginx + php-fpm - chrooting users

Discussion in 'Installation/Configuration' started by gridorian, Mar 21, 2014.

  1. gridorian

    gridorian New Member

    Hello guys,

    I have the following configs.
    I need your help in doing chroot for each php-fpm config (for each user).
    Practically I want to embed each user in his own environment and isolate him from the host linux env as much as possible.

    P.S. Can I do this from nxing in stead of php-fpm? I'm thinking of extending hosting for other languages, not only for php.

    /etc/nginx/nginx.conf
    Code:
    user www-data;
     
    # As a thumb rule: One per CPU. If you are serving a large amount
    # of static files, which requires blocking disk reads, you may want
    # to increase this from the number of cpu_cores available on your
    # system.
    #
    # The maximum number of connections for Nginx is calculated by:
    # max_clients = worker_processes * worker_connections
    worker_processes 8;
     
    # Maximum file descriptors that can be opened per process
    # This should be > worker_connections
    worker_rlimit_nofile 8192;
     
    events {
        # When you need > 8000 * cpu_cores connections, you start optimizing
        # your OS, and this is probably the point at where you hire people
        # who are smarter than you, this is *a lot* of requests.
        worker_connections 8000;
    }
     
    error_log /var/log/nginx/error.log;
     
    pid /var/run/nginx.pid;
     
    http {
        charset utf-8;
     
        # Set the mime-types via the mime.types external file
        include mime.types;
     
        # And the fallback mime-type
        default_type application/octet-stream;
     
        # Click tracking!
        access_log /var/log/nginx/access.log;
     
        # Hide nginx version
        server_tokens off;
     
        # ~2 seconds is often enough for HTML/CSS, but connections in
        # Nginx are cheap, so generally it's safe to increase it
        keepalive_timeout 20;
     
        # You usually want to serve static files with Nginx
        sendfile on;
     
        tcp_nopush on; # off may be better for Comet/long-poll stuff
        tcp_nodelay on; # on may be better for Comet/long-poll stuff
     
        server_name_in_redirect off;
        types_hash_max_size 2048;
     
        gzip on;
        gzip_http_version 1.0;
        gzip_comp_level 5;
        gzip_min_length 512;
        gzip_buffers 4 8k;
        gzip_proxied any;
        gzip_types
            # text/html is always compressed by HttpGzipModule
            text/css
            text/plain
            text/x-component
            application/javascript
            application/json
            application/xml
            application/xhtml+xml
            application/x-font-ttf
            application/x-font-opentype
            application/vnd.ms-fontobject
            image/svg+xml
            image/x-icon;
     
        # This should be turned on if you are going to have pre-compressed copies (.gz) of
        # static files available. If not it should be left off as it will cause extra I/O
        # for the check. It would be better to enable this in a location {} block for
        # a specific directory:
        # gzip_static on;
     
        gzip_disable "msie6";
        gzip_vary on;
         
        # other config files
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
        
    }
    This is a config each user will have particularized for himself.
    /home/$USER/etc/nginx/php
    Code:
        # pass the PHP scripts to FPM socket
        location ~ \.php$ {
            try_files $uri =404;
         
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
            
            #fastcgi_pass 127.0.0.1:22000; 
            fastcgi_pass unix:/home/$USER/var/run/php5-fpm.sock;
         
            fastcgi_index index.php;
         
            fastcgi_param SCRIPT_FILENAME /usr/share/nginx/www$fastcgi_script_name;
            fastcgi_param DOCUMENT_ROOT /usr/share/nginx/www;
         
            fastcgi_intercept_errors on;
         
            include fastcgi_params;
        }
    This is particularized for each user.
    /etc/php5/fpm/pool.d/$USER.conf
    Code:
    [USER]
    user = $pool
    group = $pool
    listen = /home/$pool/var/run/php-$pool-fpm.sock
    listen.owner = $pool
    listen.group = www-data
    listen.mode = 660
    pm = ondemand
    pm.max_children = 20
    pm.process_idle_timeout = 60
    pm.max_requests = 500
    request_terminate_timeout = 35
    php_admin_value[max_execution_time] = 60
    php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f [email protected]$pool
    #php_admin_value[open_basedir] = /home/$pool
    #php_admin_value[realpath_cache_basedir] = /home/$pool
    php_admin_value[mail.log] = /home/$pool/log/php-mail.log
    security.limit_extensions = .php .php52 .php53 .php54 .php55 .php60 .php54 .php0
    php_admin_value[safe_mode] = off
    php_admin_value[realpath_cache_size] = 128M
     

Share This Page