PHP
5exi, 2018-07-25 12:42:36

Question about configuring pool in Apache + php-fpm environment?

Hello.
I'm trying to separate sites into different pools so that hacking one site does not lead to automatic access to others through the webshell.
I'm currently practicing on 2 sites out of several.
My configs:
/etc/apache2/mods-enabled/fastcgi.conf

<IfModule mod_fastcgi.c>
  AddHandler fastcgi-script .fcgi
  FastCgiIpcDir /var/lib/apache2/fastcgi
  AddHandler php-fcgi .php .php5
    <FilesMatch \.php$>
        SetHandler php5-fcgi
  </FilesMatch>
  <Location "/fastcgiphp">
        Order Deny,Allow
        Deny from All
        # Prevent accessing this path directly
        Allow from env=REDIRECT_STATUS
  </Location>
Action php5-fcgi /fastcgiphp
Action php5-fastcgi /fastcgiphp
</IfModule>

/etc/php5/fpm/pool.d/eva.conf
[eva]
user = eva-pool
group = eva-pool
listen =  /var/run/eva-php5-fpm.sock
listen.owner = eva-pool
listen.group = www-data
listen.mode = 0660

/etc/php5/fpm/pool.d/rec.conf
[rec]
user = rec-pool
group = rec-pool
listen =  /var/run/rec-php5-fpm.sock
listen.owner = rec-pool
listen.group = www-data
listen.mode = 0660

/etc/apache2/sites-enabled/000-default
<VirtualHost *:80>
ServerName test.ru
DocumentRoot /var/www/eva
<IfModule mod_fastcgi.c>
        FastCgiExternalServer /usr/local/bin/eva-fpm -socket eva-php5-fpm.sock
        Alias /fastcgiphp /usr/local/bin/eva-fpm
</IfModule>
</VirtualHost>

<VirtualHost *:80>
ServerName test2.ru
DocumentRoot /var/www/rec
<IfModule mod_fastcgi.c>
        FastCgiExternalServer /usr/local/bin/rec-fpm -socket rec-php5-fpm.sock
        Alias /fastcgiphp /usr/local/bin/rec-fpm
</IfModule>
</VirtualHost>

ls -la /var/run/*.sock
srw-rw---- 1 eva-pool www-data 0 Jul 25 11:23 /var/run/eva-php5-fpm.sock
srw-rw-rw- 1 www-data www-data 0 Jul 25 11:23 /var/run/php5-fpm.sock
srw-rw---- 1 rec-pool www-data 0 Jul 25 11:23 /var/run/rec-php5-fpm.sock
/var/run/php5-fpm.sock is the standard www pool, which, as I understand it, is now used by all sites by default. I did not specifically register it in any virtual host configuration.
As you can see, the pools were created under the right users.
I'm testing. I upload the shell to the site test2.ru and get access to all sites. It feels like test2.ru does not even try to use the pool that is specified in the config, or something is wrong with the permissions.
Can you tell me where I went wrong and which way to go? Is it possible to somehow make sure that the site works in the right pool? If I remove the check for IfModule mod_fastcgi.c from the Apache config, then everything works out, which indicates that the module is enabled and working.
Thank you.


1 answer(s)
5exi, 2018-07-25
@5exi

I commented out the entire /etc/apache2/mods-enabled/fastcgi.conf
I installed proxy_fcgi
In the corresponding virtual host I wrote:

<FilesMatch ".*\.php$">
SetHandler "proxy:unix:/var/run/rec-php5-fpm.sock|fcgi://localhost/"
</FilesMatch>

I deleted the construct with IfModule mod_fastcgi.c.
I set the permissions on the folder /var/www/rec to 750 and changed the owner to rec-pool:www-data.
In my opinion, everything now works as it should.
Any recommendations?
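
For the question's "make sure that the site works in the right pool", here is a static check that maps each virtual host's proxy_fcgi socket to the php-fpm pool user behind it. It is an added example, not code from the thread; the function names, the "!" finding markers and the inline sample configs (constructed from the ones posted above) are assumptions.

```python
import configparser
import re
from collections import Counter

# Constructed sample input modelled on the configs in the thread (not read from disk).
POOLS = """
[eva]
user = eva-pool
listen = /var/run/eva-php5-fpm.sock
[rec]
user = rec-pool
listen = /var/run/rec-php5-fpm.sock
[www]
user = www-data
listen = /var/run/php5-fpm.sock
"""
VHOSTS = r"""
<VirtualHost *:80>
ServerName test.ru
</VirtualHost>
<VirtualHost *:80>
ServerName test2.ru
<FilesMatch ".*\.php$">
SetHandler "proxy:unix:/var/run/rec-php5-fpm.sock|fcgi://localhost/"
</FilesMatch>
</VirtualHost>
"""

def pool_users(pool_ini):
    """Map each pool's listen socket to the user its workers run as."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pool_ini)
    return {cp[s]["listen"]: cp[s]["user"] for s in cp.sections()}

def audit(vhosts_conf, pool_ini):
    """Return {ServerName: pool user}; values starting with '!' are findings."""
    sock_user, report = pool_users(pool_ini), {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", vhosts_conf, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I).group(1)
        m = re.search(r'SetHandler\s+"?proxy:unix:([^|"]+)\|fcgi:', block, re.I)
        # Without a proxy:unix handler, PHP for this vhost is left to server-wide config.
        report[name] = sock_user.get(m.group(1), "!unknown socket") if m else "!no pool handler"
    return report

def shared_users(report):
    """Pool users that serve more than one vhost, i.e. sites not isolated from each other."""
    counts = Counter(u for u in report.values() if not u.startswith("!"))
    return sorted(u for u, n in counts.items() if n > 1)
```

Pass `audit()` the concatenated text of the enabled virtual hosts and pool files; on the sample it returns `rec-pool` for test2.ru and flags test.ru as having no pool handler.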
