Multiple sites with nginx and php-fpm

Isolating several sites with php-fpm

by Thorsten Eisinger on 5th Apr 2019

Step 1 - php-fpm

$ groupadd site1
$ useradd -g site1 site1

/etc/php/7.x/fpm/pool.d/site1.conf

[site1]
user = site1
group = site1
listen = /var/run/php7.0-fpm-site1.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /

In the above configuration note these specific options:

  • [site1] is the name of the pool. For each pool you have to specify a unique name.
  • user and group stand for the Linux user and the group under which the new pool will be running.
  • listen should point to a unique location for each pool.
  • listen.owner and listen.group define the ownership of the listener, i.e. the socket of the new php-fpm pool. Nginx must be able to read this socket. That's why the socket is created with the user and group under which nginx runs - www-data.
  • php_admin_value allows you to set custom php configuration values. We have used it to disable functions which can run Linux commands - exec,passthru,shell_exec,system.
  • php_admin_flag is similar to php_admin_value, but it is just a switch for boolean values, i.e. on and off. We'll turn off the PHP setting allow_url_fopen, which allows a PHP script to open remote files and could be used by an attacker.

Step 2 - nginx

location ~ \.php$ {
    # Return 404 instead of forwarding requests for non-existent .php files
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # Must be the same path as "listen" in the site1 pool configuration
    fastcgi_pass unix:/var/run/php7.0-fpm-site1.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
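As an added example (not part of the original post), a small Python audit that checks a pool file together with its nginx location block against the points listed above: a dedicated user and group, a socket owned by www-data, the command-execution functions disabled, allow_url_fopen off, and fastcgi_pass pointing at the pool's listen socket. The sample configs are constructed from the page's snippets, and www-data as the nginx user is an assumption.

```python
import re
import configparser

WEB_USER = "www-data"   # assumption: the account nginx runs as
MUST_DISABLE = {"exec", "passthru", "shell_exec", "system"}

# Constructed sample inputs modelled on the page's snippets (not real files).
POOL_SITE1 = """
[site1]
user = site1
group = site1
listen = /var/run/php7.0-fpm-site1.sock
listen.owner = www-data
listen.group = www-data
php_admin_value[disable_functions] = exec,passthru,shell_exec,system
php_admin_flag[allow_url_fopen] = off
"""
NGINX_SITE1 = "location ~ \\.php$ { fastcgi_pass unix:/var/run/php5-fpm-site1.sock; }"

def parse_pool(text):
    """Return (pool name, {option: value}) from a php-fpm pool file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    name = cp.sections()[0]
    return name, dict(cp[name])

def audit(pool_text, nginx_text):
    """List isolation problems; an empty list means the pair is consistent."""
    name, p = parse_pool(pool_text)
    findings = []
    # 1. The pool must run as its own account, never as the web server or root.
    if p.get("user") in (None, WEB_USER, "root") or p.get("group") in (None, WEB_USER, "root"):
        findings.append(f"{name}: user/group is not a dedicated account")
    # 2. nginx owns the socket so it can connect; the PHP code still runs as site1.
    if p.get("listen.owner") != WEB_USER or p.get("listen.group") != WEB_USER:
        findings.append(f"{name}: listen.owner/listen.group must be {WEB_USER}")
    # 3. Command-execution functions and remote file opening must be switched off.
    disabled = {f.strip() for f in p.get("php_admin_value[disable_functions]", "").split(",")}
    if MUST_DISABLE - disabled:
        findings.append(f"{name}: disable_functions missing {sorted(MUST_DISABLE - disabled)}")
    if p.get("php_admin_flag[allow_url_fopen]", "").lower() != "off":
        findings.append(f"{name}: allow_url_fopen is not off")
    # 4. The socket nginx passes to must be the one this pool listens on.
    passed = set(re.findall(r"fastcgi_pass\s+unix:([^;\s]+)", nginx_text))
    if p.get("listen") not in passed:
        findings.append(f"{name}: nginx passes to {sorted(passed)}, pool listens on {p.get('listen')}")
    return findings

if __name__ == "__main__":
    for line in audit(POOL_SITE1, NGINX_SITE1):
        print(line)
```

Run against the constructed sample it reports exactly the php5/php7.0 socket mismatch; with matching paths it reports nothing.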

https://www.digitalocean.com/community/tutorials/how-to-host-multiple-websites-securely-with-nginx-and-php-fpm-on-ubuntu-14-04