PHP
wartur, 2012-11-19 21:21:05

How to set up nginx + php_fastcgi with Apache_mpm_itk + mod_php functionality?

Hello. I recently wrote an article habrahabr.ru/post/159203/
In the comments to it, it was repeatedly indicated that it is best to remove the Apache server from the bundle. I wanted to dig deeper into this topic.
During the excavations, I had a question indicated in the subject.
The meaning of the question is that there are N sites on the hosting. Each site must run as a specific non-privileged user who can only modify files in their own directory.
When linking Apache_mpm_itk + mod_php (+ nginx proxy), this is easy to do. There it is possible for each virtual host to specify a user who will perform operations.
How to achieve this with nginx + php_fastcgi? Please indicate where I should dig, perhaps articles, perhaps explanations. Personally, I don’t even know what query to set for the search engine - “php fastcgi multiuser”? Everywhere articles are only for a single-user server, which is completely unacceptable.
Thank you for your attention.


3 answer(s)
cyberorg, 2012-11-19
@wartur

php-fpm allows you to create different pools on different ports.
Each pool has a user and a group with which all processes of this pool are launched.
And from the nginx side, the required upstream is simply written.
Like this:
    location ~ \.php$ {
        include /usr/local/etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:8003;  # 8003 is the port where php-fpm hangs
    }

Roman Kutenko, 2012-11-20
@Sky4eg

I did it a little differently. Here is an example on Ubuntu.
Site config fragment, /etc/nginx/sites-available/site.ru:

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

        # With php5-cgi alone:
        #fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

Next fragment, /etc/php5/fpm/pool.d/site.ru.conf:
; Start a new pool named 'site.ru'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('site.ru' here)
[site.ru]

...

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = sky
group = sky

...

; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses on a
;                            specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
;listen = 127.0.0.1:9000
listen = /var/run/php5-fpm.sock

...

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0666
listen.owner = sky
listen.group = sky
listen.mode = 0666

...

After this, the site works on behalf of the user, in this case sky.

Boris Syomov, 2012-11-20
@kotomyava

In addition to the above:
For greater isolation, you can put each user (each pool) into a chroot; php-fpm can do this too.
The main inconvenience is that you need to create a minimal environment for each user and keep it up to date, but there are many ready-made scripts for this.
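
An added example, not part of the answers above: a small Python audit of php-fpm pool definitions for the per-site isolation this thread describes (one user per pool, one listen address per pool, a unix socket that is not world-writable, optional chroot). The `[shop.example]` pool, its `shop` user, the `www-data` group and the chroot path are assumptions made up for the sample.

```python
import configparser

# Constructed sample. [site.ru] copies the settings posted in the answer above;
# [shop.example], its user, group and chroot path are hypothetical.
SAMPLE_POOLS = """
[site.ru]
user = sky
group = sky
listen = /var/run/php5-fpm.sock
listen.owner = sky
listen.group = sky
listen.mode = 0666

[shop.example]
user = shop
group = shop
listen = /var/run/php5-fpm.sock
listen.owner = shop
listen.group = www-data
listen.mode = 0660
chroot = /srv/shop.example
"""

def audit_pools(text):
    """Return (pool, finding) pairs for settings that weaken per-site isolation."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    findings, users, listens = [], {}, {}
    for pool in cfg.sections():
        p = cfg[pool]
        user, listen = p.get("user"), p.get("listen")
        # Two pools running as the same account can modify each other's files.
        if user in users:
            findings.append((pool, "shared-user"))
        users.setdefault(user, pool)
        # Each pool needs its own listen address so nginx can route a site to it.
        if listen in listens:
            findings.append((pool, "shared-listen"))
        listens.setdefault(listen, pool)
        # On Linux, connecting to a unix socket needs write permission on it, so
        # a world-writable socket lets any local account send requests that run
        # as this pool's user. 0666 is the default named in the posted comment.
        if listen and listen.startswith("/"):
            if int(p.get("listen.mode", "0666"), 8) & 0o002:
                findings.append((pool, "world-writable-socket"))
        if "chroot" not in p:
            findings.append((pool, "no-chroot"))
    return findings

if __name__ == "__main__":
    for pool, finding in audit_pools(SAMPLE_POOLS):
        print(f"{pool}: {finding}")
```

A pool that passes uses its own socket path or port, with `listen.group` set to the group nginx runs as and `listen.mode = 0660`.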
