linux
Dmitry, 2020-08-02 22:13:55

Separate users for sites. Am I setting up nginx correctly?

Good afternoon!
Setting up my own web server for sites, no control panels, just a console.
Linux, Nginx, php-fpm, mysql

Most of the sites are simple, plain HTML; some of them run on various CMSes. All of them are already working, everything is OK.
There is a need to move NEXTCLOUD to the same web server, but the question of security immediately arises ...
Owner of the site directories: www-data
Nginx runs as: www-data
Socket for the sites: php7.3-fpm.sock

Did I act correctly by doing the following:
1. Added the www-cloud user (in the www-cloud group) to the system, without the possibility of logging in (no password set);
2. Assigned the directory in which nextcloud is located the owner www-cloud:www-cloud;
3. Created a new php-fpm pool -> /etc/php/7.3/fpm/pool.d/www-cloud.conf where:
    user = www-cloud
    group = www-cloud
    listen = /run/php/php7.3-fpm-cloud.sock
    listen.owner = www-data
    listen.group = www-data
4. Specified the new socket in the host configuration file:
    fastcgi_pass unix:/var/run/php/php7.3-fpm-cloud.sock;

The sites work, of course, under different mysql users. Is this enough to separate the sites by user? I really don't want to "gift" the nextcloud files to someone in the event of a site being hacked!

I would be extremely grateful for advice!
Thank you!


2 answer(s)
Victor Taran, 2020-08-03
@dfsaraev

Not enough. In this scenario, if a virus infects one of the sites, it will have enough rights to infect the rest.
I separate all sites, even those of a single client, into different owners and groups.
In this scenario, even the theoretical possibility of one virus taking down two sites is excluded (in the sense of through a single access).
Also, some sites require a different version of the environment, from the PHP version to the way it is served, and even the web server this whole thing runs on. That is why I recommend that you still use panels,
because they do a good job of taking the human factor out of the picture.
If you want to dig deeper and figure it out, then ispconfig3 is ideal for you (which is what I use) (installed following the manual);
very convenient.
If you don't want to bother, but want everything to just work, then:
Bitrix VM - suitable for any sites, installed with a single script.
vestacp - installed with a single script; during installation there is a choice of build option, also in a single script.
braynicp - does a hell of a lot, really fucking inconvenient interface, proprietary license (but free). But the support is adequate.

Vitaly Karasik, 2020-08-03
@vitaly_il1

Additionally, it is worth configuring things so that the nextcloud directories are inaccessible to the other websites' users.
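Putting the question's four steps and this answer together, as an added example that is not from either poster: a POSIX shell helper that prints the per-site php-fpm pool from the question and checks that a site directory belongs to its own user and is closed to everyone else. The pool name "cloud", the user www-cloud and the docroot /var/www/cloud in the usage lines are assumed values, and `stat -c` is GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread. Paths follow the question's Debian
# layout (/etc/php/7.3/fpm/pool.d, /run/php); the pool name "cloud", user
# "www-cloud" and docroot /var/www/cloud in the usage lines are constructed.

# Print a php-fpm pool whose workers run as the site's own user. The socket
# is owned by www-data (the nginx user) with mode 0660, so nginx can connect
# to it, but the workers themselves never run as www-data.
gen_pool_conf() {            # $1 = pool name, $2 = site user, $3 = docroot
    printf '[%s]\n' "$1"
    printf 'user = %s\ngroup = %s\n' "$2" "$2"
    printf 'listen = /run/php/php7.3-fpm-%s.sock\n' "$1"
    printf 'listen.owner = www-data\nlisten.group = www-data\nlisten.mode = 0660\n'
    printf 'pm = ondemand\npm.max_children = 10\n'
    # Keep PHP file access inside this site's docroot and /tmp.
    printf 'php_admin_value[open_basedir] = %s:/tmp\n' "$3"
}

# Check that a site directory belongs to its dedicated user and grants
# nothing to "other" (the point of this answer): with mode 750, workers of
# another site, running as a different user in a different group, cannot
# list or read it. Prints the reason and returns 1 when the check fails.
check_site_isolation() {     # $1 = directory, $2 = expected owner
    owner=$(stat -c '%U' "$1") || return 1     # GNU stat (Debian/Ubuntu)
    mode=$(stat -c '%a' "$1") || return 1
    [ "$owner" = "$2" ] || { echo "$1: owner is $owner, expected $2"; return 1; }
    other=${mode#"${mode%?}"}                  # last octal digit = "other"
    [ "$other" -eq 0 ] || { echo "$1: mode $mode is world-accessible"; return 1; }
}

# Applying it (as root). nginx still has to read static files, so www-data
# is added to the site's group; that is only safe once no PHP pool runs as
# www-data any more, otherwise a hacked site on the old pool reads via the group.
#   adduser --system --group --home /var/www/cloud --shell /usr/sbin/nologin www-cloud
#   usermod -aG www-cloud www-data
#   chown -R www-cloud:www-cloud /var/www/cloud && chmod 750 /var/www/cloud
#   gen_pool_conf cloud www-cloud /var/www/cloud > /etc/php/7.3/fpm/pool.d/cloud.conf
#   systemctl reload php7.3-fpm && check_site_isolation /var/www/cloud www-cloud
```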
